diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py b/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py
index f22ab1d9..b90ba4e5 100644
--- a/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py
@@ -55,7 +55,7 @@ class awslambda_function_no_secrets_in_code(Check):
 if secrets_findings:
 final_output_string = "; ".join(secrets_findings)
 report.status = "FAIL"
- # report.status_extended = f"Potential {'secrets' if len(secrets_findings)>1 else 'secret'} found in Lambda function {function.name} code. {final_output_string}"
+ # report.status_extended = f"Potential {'secrets' if len(secrets_findings)>1 else 'secret'} found in Lambda function {function.name} code. {final_output_string}."
 if len(secrets_findings) > 1:
 report.status_extended = f"Potential secrets found in Lambda function {function.name} code -> {final_output_string}."
 else:
diff --git a/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py b/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py
index 1bfb83a5..84244f56 100644
--- a/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py
+++ b/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py
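Review bot: The commented-out `# report.status_extended = f"Potential {'secrets' if len(secrets_findings)>1 else 'secret'} ...` line in awslambda_function_no_secrets_in_code.py is being kept in sync by hand (a period is added to dead code) instead of being removed. The live `if len(secrets_findings) > 1:` branch directly beneath it already carries the same message in both singular and plural form, so the commented line adds nothing and will drift again on the next wording change; delete it rather than edit it. The enclosing execute method starts and ends outside the hunk.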
@@ -20,10 +20,10 @@ class cloudformation_stacks_termination_protection_enabled(Check):
 if stack.enable_termination_protection:
 report.status = "PASS"
- report.status_extended = f"CloudFormation {stack.name} has termination protection enabled"
+ report.status_extended = f"CloudFormation {stack.name} has termination protection enabled."
 else:
 report.status = "FAIL"
- report.status_extended = f"CloudFormation {stack.name} has termination protection disabled"
+ report.status_extended = f"CloudFormation {stack.name} has termination protection disabled."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.py b/prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.py
index 98e199a7..aa7f3d6b 100644
--- a/prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.py
+++ b/prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.py
@@ -28,10 +28,10 @@ class codeartifact_packages_external_public_publishing_disabled(Check):
 == RestrictionValues.ALLOW
 ):
 report.status = "FAIL"
- report.status_extended = f"Internal package {package.name} is vulnerable to dependency confusion in repository {repository.arn}"
+ report.status_extended = f"Internal package {package.name} is vulnerable to dependency confusion in repository {repository.arn}."
 else:
 report.status = "PASS"
- report.status_extended = f"Internal package {package.name} is not vulnerable to dependency confusion in repository {repository.arn}"
+ report.status_extended = f"Internal package {package.name} is not vulnerable to dependency confusion in repository {repository.arn}."
 findings.append(report)
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py b/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
index f4762d98..988ee86e 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
@@ -13,17 +13,15 @@ class codebuild_project_older_90_days(Check):
 report.resource_id = project.name
 report.resource_arn = project.arn
 report.status = "PASS"
- report.status_extended = (
- f"CodeBuild project {project.name} has been invoked in the last 90 days"
- )
+ report.status_extended = f"CodeBuild project {project.name} has been invoked in the last 90 days."
 if project.last_invoked_time:
 if (datetime.now(timezone.utc) - project.last_invoked_time).days > 90:
 report.status = "FAIL"
- report.status_extended = f"CodeBuild project {project.name} has not been invoked in the last 90 days"
+ report.status_extended = f"CodeBuild project {project.name} has not been invoked in the last 90 days."
 else:
 report.status = "FAIL"
 report.status_extended = (
- f"CodeBuild project {project.name} has never been built"
+ f"CodeBuild project {project.name} has never been built."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py b/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
index 4dd97a35..31a66622 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
@@ -13,13 +13,13 @@ class codebuild_project_user_controlled_buildspec(Check):
 report.resource_id = project.name
 report.resource_arn = project.arn
 report.status = "PASS"
- report.status_extended = f"CodeBuild project {project.name} does not use an user controlled buildspec"
+ report.status_extended = f"CodeBuild project {project.name} does not use an user controlled buildspec."
 if project.buildspec:
 if search(r".*\.yaml$", project.buildspec) or search(
 r".*\.yml$", project.buildspec
 ):
 report.status = "FAIL"
- report.status_extended = f"CodeBuild project {project.name} uses an user controlled buildspec"
+ report.status_extended = f"CodeBuild project {project.name} uses an user controlled buildspec."
 findings.append(report)
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.py b/prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.py
index 4eba32c7..de01b5c1 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.py
@@ -11,13 +11,14 @@ class directoryservice_directory_log_forwarding_enabled(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = directory.region
 report.resource_id = directory.id
+ report.resource_arn = directory.arn
 report.resource_tags = directory.tags
 if directory.log_subscriptions:
 report.status = "PASS"
- report.status_extended = f"Directory Service {directory.id} have log forwarding to CloudWatch enabled"
+ report.status_extended = f"Directory Service {directory.id} have log forwarding to CloudWatch enabled."
 else:
 report.status = "FAIL"
- report.status_extended = f"Directory Service {directory.id} have log forwarding to CloudWatch disabled"
+ report.status_extended = f"Directory Service {directory.id} have log forwarding to CloudWatch disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.py b/prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.py
index 95abe999..704a55f5 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.py
@@ -11,16 +11,17 @@ class directoryservice_directory_monitor_notifications(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = directory.region
 report.resource_id = directory.id
+ report.resource_arn = directory.arn
 report.resource_tags = directory.tags
 if directory.event_topics:
 report.status = "PASS"
 report.status_extended = (
- f"Directory Service {directory.id} have SNS messaging enabled"
+ f"Directory Service {directory.id} have SNS messaging enabled."
 )
 else:
 report.status = "FAIL"
 report.status_extended = (
- f"Directory Service {directory.id} have SNS messaging disabled"
+ f"Directory Service {directory.id} have SNS messaging disabled."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.py b/prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.py
index de2d5503..ba579809 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.py
@@ -14,11 +14,12 @@ class directoryservice_directory_snapshots_limit(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = directory.region
 report.resource_id = directory.id
+ report.resource_arn = directory.arn
 report.resource_tags = directory.tags
 if directory.snapshots_limits:
 if directory.snapshots_limits.manual_snapshots_limit_reached:
 report.status = "FAIL"
- report.status_extended = f"Directory Service {directory.id} reached {directory.snapshots_limits.manual_snapshots_limit} Snapshots limit"
+ report.status_extended = f"Directory Service {directory.id} reached {directory.snapshots_limits.manual_snapshots_limit} Snapshots limit."
 else:
 limit_remaining = (
 directory.snapshots_limits.manual_snapshots_limit
@@ -26,10 +27,10 @@ class directoryservice_directory_snapshots_limit(Check):
 )
 if limit_remaining <= SNAPSHOT_LIMIT_THRESHOLD:
 report.status = "FAIL"
- report.status_extended = f"Directory Service {directory.id} is about to reach {directory.snapshots_limits.manual_snapshots_limit} Snapshots which is the limit"
+ report.status_extended = f"Directory Service {directory.id} is about to reach {directory.snapshots_limits.manual_snapshots_limit} Snapshots which is the limit."
 else:
 report.status = "PASS"
- report.status_extended = f"Directory Service {directory.id} is using {directory.snapshots_limits.manual_snapshots_current_count} out of {directory.snapshots_limits.manual_snapshots_limit} from the Snapshots Limit"
+ report.status_extended = f"Directory Service {directory.id} is using {directory.snapshots_limits.manual_snapshots_current_count} out of {directory.snapshots_limits.manual_snapshots_limit} from the Snapshots Limit."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.py b/prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.py
index 7ec163bf..3590afd4 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.py
@@ -17,6 +17,7 @@ class directoryservice_ldap_certificate_expiration(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = directory.region
 report.resource_id = certificate.id
+ report.resource_arn = directory.arn
 report.resource_tags = directory.tags
 remaining_days_to_expire = (
@@ -30,10 +31,10 @@ class directoryservice_ldap_certificate_expiration(Check):
 if remaining_days_to_expire <= DAYS_TO_EXPIRE_THRESHOLD:
 report.status = "FAIL"
- report.status_extended = f"LDAP Certificate {certificate.id} configured at {directory.id} is about to expire in {remaining_days_to_expire} days"
+ report.status_extended = f"LDAP Certificate {certificate.id} configured at {directory.id} is about to expire in {remaining_days_to_expire} days."
 else:
 report.status = "PASS"
- report.status_extended = f"LDAP Certificate {certificate.id} configured at {directory.id} expires in {remaining_days_to_expire} days"
+ report.status_extended = f"LDAP Certificate {certificate.id} configured at {directory.id} expires in {remaining_days_to_expire} days."
 findings.append(report)
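Review bot: In the first hunk of directoryservice_ldap_certificate_expiration.py the new `report.resource_arn = directory.arn` sits beside the existing `report.resource_id = certificate.id`, so the finding's id and ARN now name two different resources — the LDAPS certificate and the directory that owns it. If that is intentional because a DS certificate has no ARN of its own (as far as I can tell from the public API it does not), a short comment on the new line such as `# certificates carry no ARN; report the owning directory's` would stop the next reader from treating it as a copy-paste slip; otherwise the two fields should agree. Consumers that key or deduplicate findings on resource_arn will also now fold every certificate of one directory into a single ARN, which is worth confirming is acceptable. The enclosing execute method starts and ends outside the hunk.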
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.py b/prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.py
index afc5a3a4..caaa8ee0 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.py
@@ -15,16 +15,17 @@ class directoryservice_radius_server_security_protocol(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = directory.region
 report.resource_id = directory.id
+ report.resource_arn = directory.arn
 report.resource_tags = directory.tags
 if (
 directory.radius_settings.authentication_protocol
 == AuthenticationProtocol.MS_CHAPv2
 ):
 report.status = "PASS"
- report.status_extended = f"Radius server of Directory {directory.id} have recommended security protocol for the Radius server"
+ report.status_extended = f"Radius server of Directory {directory.id} have recommended security protocol for the Radius server."
 else:
 report.status = "FAIL"
- report.status_extended = f"Radius server of Directory {directory.id} does not have recommended security protocol for the Radius server"
+ report.status_extended = f"Radius server of Directory {directory.id} does not have recommended security protocol for the Radius server."
 findings.append(report)
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_service.py b/prowler/providers/aws/services/directoryservice/directoryservice_service.py
index 61b09d84..5b7b73b7 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_service.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_service.py
@@ -37,8 +37,9 @@ class DirectoryService(AWSService):
 )
 ):
 directory_id = directory["DirectoryId"]
+ directory_arn = f"arn:{self.audited_partition}:ds:{regional_client.region}:{self.audited_account}:directory/{directory_id}"
 directory_name = directory["Name"]
- directory_type = DirectoryType(directory["Type"])
+ directory_type = directory["Type"]
 # Radius Configuration
 radius_authentication_protocol = (
 AuthenticationProtocol(
@@ -56,6 +57,7 @@ class DirectoryService(AWSService):
 self.directories[directory_id] = Directory(
 name=directory_name,
 id=directory_id,
+ arn=directory_arn,
 type=directory_type,
 region=regional_client.region,
 radius_settings=RadiusSettings(
@@ -297,6 +299,7 @@ class DirectoryType(Enum):
 class Directory(BaseModel):
 name: str
 id: str
+ arn: str
 type: DirectoryType
 log_subscriptions: list[LogSubscriptions] = []
 event_topics: list[EventTopics] = []
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.py b/prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.py
index 291b3a80..e5fe559b 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.py
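Review bot: `directory_type = directory["Type"]` in the first hunk of directoryservice_service.py drops the explicit `DirectoryType(...)` conversion while the third hunk keeps `type: DirectoryType` on the `Directory` model, so the raw string is now coerced to the enum by the model at construction time and an unexpected value surfaces as a model validation error instead of a `ValueError` at the parse site. That relies on the model's coercion and is an unrelated behavioural shift bundled into an ARN change; I would either restore `directory_type = DirectoryType(directory["Type"])` or add `# raw string; coerced to DirectoryType by the Directory model` so the reliance is visible. Making `arn: str` a required field also means any other place that builds `Directory(...)` (fixtures, tests) must now pass it, which I cannot verify from this hunk. The hand-assembled `directory_arn` f-string follows the `arn:<partition>:ds:<region>:<account>:directory/<id>` shape; a one-line comment naming that format would help the next reader check it. The enclosing loop in __get_directories starts before the first hunk and continues past the second.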
@@ -15,16 +15,17 @@ class directoryservice_supported_mfa_radius_enabled(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = directory.region
 report.resource_id = directory.id
+ report.resource_arn = directory.arn
 report.resource_tags = directory.tags
 if directory.radius_settings.status == RadiusStatus.Completed:
 report.status = "PASS"
 report.status_extended = (
- f"Directory {directory.id} have Radius MFA enabled"
+ f"Directory {directory.id} have Radius MFA enabled."
 )
 else:
 report.status = "FAIL"
 report.status_extended = (
- f"Directory {directory.id} does not have Radius MFA enabled"
+ f"Directory {directory.id} does not have Radius MFA enabled."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.py b/prowler/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.py
index 94df9e5c..b211d3c4 100644
--- a/prowler/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.py
+++ b/prowler/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.py
@@ -20,7 +20,7 @@ class ec2_elastic_ip_shodan(Check):
 try:
 shodan_info = api.host(eip.public_ip)
 report.status = "FAIL"
- report.status_extended = f"Elastic IP {eip.public_ip} listed in Shodan with open ports {str(shodan_info['ports'])} and ISP {shodan_info['isp']} in {shodan_info['country_name']}. More info https://www.shodan.io/host/{eip.public_ip}"
+ report.status_extended = f"Elastic IP {eip.public_ip} listed in Shodan with open ports {str(shodan_info['ports'])} and ISP {shodan_info['isp']} in {shodan_info['country_name']}. More info at https://www.shodan.io/host/{eip.public_ip}."
 report.resource_id = eip.public_ip
 findings.append(report)
 except shodan.APIError as error:
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules.py
index 45881d64..f2fbca7c 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules.py
@@ -18,7 +18,7 @@ class ec2_securitygroup_with_many_ingress_egress_rules(Check):
 report.resource_arn = security_group.arn
 report.resource_tags = security_group.tags
 report.status = "PASS"
- report.status_extended = f"Security group {security_group.name} ({security_group.id}) has {len(security_group.ingress_rules)} inbound rules and {len(security_group.egress_rules)} outbound rules"
+ report.status_extended = f"Security group {security_group.name} ({security_group.id}) has {len(security_group.ingress_rules)} inbound rules and {len(security_group.egress_rules)} outbound rules."
 if (
 len(security_group.ingress_rules) > max_security_group_rules
 or len(security_group.egress_rules) > max_security_group_rules
diff --git a/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py b/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py
index 5cc8127e..0a9654a7 100644
--- a/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py
+++ b/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py
@@ -14,17 +14,17 @@ class ecr_registry_scan_images_on_push_enabled(Check):
 # A registry cannot have tags
 report.resource_tags = []
 report.status = "FAIL"
- report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scanning without scan on push enabled"
+ report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scanning without scan on push enabled."
 if registry.rules:
 report.status = "PASS"
- report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scan with scan on push enabled"
+ report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scan with scan on push enabled."
 filters = True
 for rule in registry.rules:
 if not rule.scan_filters or "'*'" in str(rule.scan_filters):
 filters = False
 if filters:
 report.status = "FAIL"
- report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scanning with scan on push but with repository filters"
+ report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scanning with scan on push but with repository filters."
 findings.append(report)
diff --git a/prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py b/prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py
index 3db731ec..18f3fb94 100644
--- a/prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py
@@ -14,7 +14,7 @@ class ecr_repositories_not_publicly_accessible(Check):
 report.resource_tags = repository.tags
 report.status = "PASS"
 report.status_extended = (
- f"Repository {repository.name} is not publicly accesible"
+ f"Repository {repository.name} is not publicly accesible."
 )
 if repository.policy:
 for statement in repository.policy["Statement"]:
@@ -24,7 +24,7 @@ class ecr_repositories_not_publicly_accessible(Check):
 and "*" in statement["Principal"]["AWS"]
 ):
 report.status = "FAIL"
- report.status_extended = f"Repository {repository.name} policy may allow anonymous users to perform actions (Principal: '*')"
+ report.status_extended = f"Repository {repository.name} policy may allow anonymous users to perform actions (Principal: '*')."
 break
 findings.append(report)
diff --git a/prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py b/prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py
index c46e9912..4712f0b5 100644
--- a/prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py
+++ b/prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py
@@ -14,12 +14,12 @@ class ecr_repositories_scan_images_on_push_enabled(Check):
 report.resource_tags = repository.tags
 report.status = "PASS"
 report.status_extended = (
- f"ECR repository {repository.name} has scan on push enabled"
+ f"ECR repository {repository.name} has scan on push enabled."
 )
 if not repository.scan_on_push:
 report.status = "FAIL"
 report.status_extended = (
- f"ECR repository {repository.name} has scan on push disabled"
+ f"ECR repository {repository.name} has scan on push disabled."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py b/prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py
index 92b74f84..0e07adba 100644
--- a/prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py
+++ b/prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py
@@ -18,14 +18,14 @@ class ecr_repositories_scan_vulnerabilities_in_latest_image(Check):
 report.resource_arn = repository.arn
 report.resource_tags = repository.tags
 report.status = "PASS"
- report.status_extended = f"ECR repository {repository.name} has imageTag {image.latest_tag} scanned without findings"
+ report.status_extended = f"ECR repository {repository.name} has imageTag {image.latest_tag} scanned without findings."
 if not image.scan_findings_status:
 report.status = "FAIL"
- report.status_extended = f"ECR repository {repository.name} has imageTag {image.latest_tag} without a scan"
+ report.status_extended = f"ECR repository {repository.name} has imageTag {image.latest_tag} without a scan."
 elif image.scan_findings_status == "FAILED":
 report.status = "FAIL"
 report.status_extended = (
- f"ECR repository {repository.name} with scan status FAILED"
+ f"ECR repository {repository.name} with scan status FAILED."
 )
 elif image.scan_findings_status != "FAILED":
 if image.scan_findings_severity_count and (
@@ -34,7 +34,7 @@ class ecr_repositories_scan_vulnerabilities_in_latest_image(Check):
 or image.scan_findings_severity_count.medium
 ):
 report.status = "FAIL"
- report.status_extended = f"ECR repository {repository.name} has imageTag {image.latest_tag} scanned with findings: CRITICAL->{image.scan_findings_severity_count.critical}, HIGH->{image.scan_findings_severity_count.high}, MEDIUM->{image.scan_findings_severity_count.medium} "
+ report.status_extended = f"ECR repository {repository.name} has imageTag {image.latest_tag} scanned with findings: CRITICAL->{image.scan_findings_severity_count.critical}, HIGH->{image.scan_findings_severity_count.high}, MEDIUM->{image.scan_findings_severity_count.medium}."
 findings.append(report)
diff --git a/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py b/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py
index 4d55f612..608fac11 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py
@@ -19,7 +19,7 @@ class ecs_task_definitions_no_environment_secrets(Check):
 report.resource_arn = task_definition.arn
 report.resource_tags = task_definition.tags
 report.status = "PASS"
- report.status_extended = f"No secrets found in variables of ECS task definition {task_definition.name} with revision {task_definition.revision}"
+ report.status_extended = f"No secrets found in variables of ECS task definition {task_definition.name} with revision {task_definition.revision}."
 if task_definition.environment_variables:
 dump_env_vars = {}
 for env_var in task_definition.environment_variables:
@@ -44,7 +44,7 @@ class ecs_task_definitions_no_environment_secrets(Check):
 ]
 )
 report.status = "FAIL"
- report.status_extended = f"Potential secret found in variables of ECS task definition {task_definition.name} with revision {task_definition.revision} -> {secrets_string}"
+ report.status_extended = f"Potential secret found in variables of ECS task definition {task_definition.name} with revision {task_definition.revision} -> {secrets_string}."
 os.remove(temp_env_data_file.name)
diff --git a/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py b/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py
index 2f187c2b..baedd5f6 100644
--- a/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py
+++ b/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py
@@ -13,11 +13,11 @@ class efs_encryption_at_rest_enabled(Check):
 report.resource_tags = fs.tags
 report.status = "FAIL"
 report.status_extended = (
- f"EFS {fs.id} does not have encryption at rest enabled"
+ f"EFS {fs.id} does not have encryption at rest enabled."
 )
 if fs.encrypted:
 report.status = "PASS"
- report.status_extended = f"EFS {fs.id} has encryption at rest enabled"
+ report.status_extended = f"EFS {fs.id} has encryption at rest enabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
index 712de9c3..8cb33dfa 100644
--- a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
@@ -13,11 +13,11 @@ class efs_not_publicly_accessible(Check):
 report.resource_tags = fs.tags
 report.status = "PASS"
 report.status_extended = (
- f"EFS {fs.id} has a policy which does not allow access to everyone"
+ f"EFS {fs.id} has a policy which does not allow access to everyone."
 )
 if not fs.policy:
 report.status = "FAIL"
- report.status_extended = f"EFS {fs.id} doesn't have any policy which means it grants full access to any client"
+ report.status_extended = f"EFS {fs.id} doesn't have any policy which means it grants full access to any client."
 else:
 for statement in fs.policy["Statement"]:
 if statement["Effect"] == "Allow":
@@ -34,7 +34,7 @@ class efs_not_publicly_accessible(Check):
 )
 ):
 report.status = "FAIL"
- report.status_extended = f"EFS {fs.id} has a policy which allows access to everyone"
+ report.status_extended = f"EFS {fs.id} has a policy which allows access to everyone."
 break
 findings.append(report)
diff --git a/prowler/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.py b/prowler/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.py
index 427d2989..d26456a7 100644
--- a/prowler/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.py
+++ b/prowler/providers/aws/services/eks/eks_control_plane_endpoint_access_restricted/eks_control_plane_endpoint_access_restricted.py
@@ -13,14 +13,14 @@ class eks_control_plane_endpoint_access_restricted(Check):
 report.resource_tags = cluster.tags
 report.status = "PASS"
 report.status_extended = (
- f"Cluster endpoint access is private for EKS cluster {cluster.name}"
+ f"Cluster endpoint access is private for EKS cluster {cluster.name}."
 )
 if cluster.endpoint_public_access and not cluster.endpoint_private_access:
 if "0.0.0.0/0" in cluster.public_access_cidrs:
 report.status = "FAIL"
- report.status_extended = f"Cluster control plane access is not restricted for EKS cluster {cluster.name}"
+ report.status_extended = f"Cluster control plane access is not restricted for EKS cluster {cluster.name}."
 else:
- report.status_extended = f"Cluster control plane access is restricted for EKS cluster {cluster.name}"
+ report.status_extended = f"Cluster control plane access is restricted for EKS cluster {cluster.name}."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py
index 39718df0..78c741f4 100644
--- a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py
+++ b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py
@@ -13,7 +13,7 @@ class eks_control_plane_logging_all_types_enabled(Check):
 report.resource_tags = cluster.tags
 report.status = "FAIL"
 report.status_extended = (
- f"Control plane logging is not enabled for EKS cluster {cluster.name}"
+ f"Control plane logging is not enabled for EKS cluster {cluster.name}."
 )
 if cluster.logging and cluster.logging.enabled:
 if all(
@@ -27,9 +27,9 @@ class eks_control_plane_logging_all_types_enabled(Check):
                     ]
                 ):
                     report.status = "PASS"
-                    report.status_extended = f"Control plane logging enabled and correctly configured for EKS cluster {cluster.name}"
+                    report.status_extended = f"Control plane logging enabled and correctly configured for EKS cluster {cluster.name}."
                 else:
-                    report.status_extended = f"Control plane logging enabled but not all log types collected for EKS cluster {cluster.name}"
+                    report.status_extended = f"Control plane logging enabled but not all log types collected for EKS cluster {cluster.name}."
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/eks/eks_endpoints_not_publicly_accessible/eks_endpoints_not_publicly_accessible.py b/prowler/providers/aws/services/eks/eks_endpoints_not_publicly_accessible/eks_endpoints_not_publicly_accessible.py
index f3b6aeb8..22178448 100644
--- a/prowler/providers/aws/services/eks/eks_endpoints_not_publicly_accessible/eks_endpoints_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/eks/eks_endpoints_not_publicly_accessible/eks_endpoints_not_publicly_accessible.py
@@ -13,12 +13,12 @@ class eks_endpoints_not_publicly_accessible(Check):
             report.resource_tags = cluster.tags
             report.status = "PASS"
             report.status_extended = (
-                f"Cluster endpoint access is private for EKS cluster {cluster.name}"
+                f"Cluster endpoint access is private for EKS cluster {cluster.name}."
             )
             if cluster.endpoint_public_access and not cluster.endpoint_private_access:
                 report.status = "FAIL"
                 report.status_extended = (
-                    f"Cluster endpoint access is public for EKS cluster {cluster.name}"
+                    f"Cluster endpoint access is public for EKS cluster {cluster.name}."
                 )
             findings.append(report)
diff --git a/prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.py b/prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.py
index e52dc8d7..ad7a7a5e 100644
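Review bot: In the eks_endpoints_not_publicly_accessible hunk, `if cluster.endpoint_public_access and not cluster.endpoint_private_access:` means a cluster whose API endpoint is both public and private is reported PASS with "Cluster endpoint access is private", although the public endpoint is still served and reachable from the internet (the CIDR allow-list is not consulted by this check at all). For a check with this name the FAIL condition should be `if cluster.endpoint_public_access:`; if tolerating public+private is intentional, the PASS text should at least not claim the endpoint is private. The enclosing execute method begins outside the hunk.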
--- a/prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.py
+++ b/prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.py
@@ -17,9 +17,9 @@ class elbv2_desync_mitigation_mode(Check):
             if lb.desync_mitigation_mode == "monitor":
                 if lb.drop_invalid_header_fields == "false":
                     report.status = "FAIL"
-                    report.status_extended = f"ELBv2 ALB {lb.name} does not have desync mitigation mode set as defensive or strictest and is not dropping invalid header fields"
+                    report.status_extended = f"ELBv2 ALB {lb.name} does not have desync mitigation mode set as defensive or strictest and is not dropping invalid header fields."
                 elif lb.drop_invalid_header_fields == "true":
-                    report.status_extended = f"ELBv2 ALB {lb.name} does not have desync mitigation mode set as defensive or strictest but is dropping invalid header fields"
+                    report.status_extended = f"ELBv2 ALB {lb.name} does not have desync mitigation mode set as defensive or strictest but is dropping invalid header fields."
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py b/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py
index f84e0033..339d2657 100644
--- a/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py
+++ b/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py
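Review bot: Inside the `monitor` branch, the `elif lb.drop_invalid_header_fields == "true":` arm only rewrites status_extended and leaves `report.status` at whatever default was set before the hunk (presumably PASS), so a balancer in monitor mode, which does not block desync attacks, is reported as passing merely because it drops invalid header fields. Both arms also compare against the literal strings "false"/"true"; should the attribute arrive as a bool or with different casing, neither arm fires and the report silently keeps its default text and status. I would make the arms exhaustive with `if lb.drop_invalid_header_fields != "true":` for the FAIL case and a plain `else:` for the other, and decide explicitly whether monitor mode alone should be a FAIL. The default status and the non-monitor branches are outside the hunk.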
@@ -14,10 +14,10 @@ class emr_cluster_account_public_block_enabled(Check):
                 region
             ].block_public_security_group_rules:
                 report.status = "PASS"
-                report.status_extended = "EMR Account has Block Public Access enabled"
+                report.status_extended = "EMR Account has Block Public Access enabled."
             else:
                 report.status = "FAIL"
-                report.status_extended = "EMR Account has Block Public Access disabled"
+                report.status_extended = "EMR Account has Block Public Access disabled."
             findings.append(report)
diff --git a/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py b/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py
index aa6510b5..18d6330c 100644
--- a/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py
+++ b/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py
@@ -22,7 +22,7 @@ class emr_cluster_publicly_accesible(Check):
             report.resource_tags = cluster.tags
             report.status = "PASS"
             report.status_extended = (
-                f"EMR Cluster {cluster.id} is not publicly accessible"
+                f"EMR Cluster {cluster.id} is not publicly accessible."
             )
             # If EMR cluster is Public, it is required to check
             # their Security Groups for the Master,
diff --git a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py
index d351d941..dcb0b4e5 100644
--- a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py
+++ b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py
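Review bot: The messages `"EMR Account has Block Public Access enabled."` / `"...disabled."` carry no region, yet the setting under test is looked up per region (`emr_client.block_public_access_configuration[region]`), so a multi-region run emits identical strings that cannot be told apart without the separate region column. Since `region` is already in scope, `f"EMR Account has Block Public Access enabled in region {region}."` (and the matching disabled text) would make each finding self-describing. The `if emr_client.block_public_access_configuration[` line and the loop that binds `region` start outside the hunk.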
@@ -11,13 +11,13 @@ class fms_policy_compliant(Check):
         report.resource_id = fms_client.audited_account
         report.region = fms_client.region
         report.status = "PASS"
-        report.status_extended = "FMS enabled with all compliant accounts"
+        report.status_extended = "FMS enabled with all compliant accounts."
         non_compliant_policy = False
         for policy in fms_client.fms_policies:
             for policy_to_account in policy.compliance_status:
                 if policy_to_account.status == "NON_COMPLIANT":
                     report.status = "FAIL"
-                    report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}"
+                    report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}."
                     report.resource_id = policy.id
                     report.resource_arn = policy.arn
                     non_compliant_policy = True
diff --git a/prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.py b/prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.py
index 321b2c7c..6d2fb891 100644
--- a/prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.py
+++ b/prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.py
@@ -12,9 +12,7 @@ class glacier_vaults_policy_public_access(Check):
             report.resource_arn = vault.arn
             report.resource_tags = vault.tags
             report.status = "PASS"
-            report.status_extended = (
-                f"Vault {vault.name} has policy which does not allow access to everyone"
-            )
+            report.status_extended = f"Vault {vault.name} has policy which does not allow access to everyone."
             public_access = False
             if vault.access_policy:
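Review bot: In the fms_policy_compliant hunk, the nested loop assigns `report.status_extended`, `report.resource_id` and `report.resource_arn` on every `NON_COMPLIANT` pair without breaking, so each iteration overwrites the previous one and the single report ends up describing only the last non-compliant policy/account encountered, with all earlier ones silently dropped. Either append one report per non-compliant pair so every policy/account surfaces, or collect `f"{policy.name} ({policy_to_account.account_id})"` strings into a list and join them into one status_extended. How `non_compliant_policy` is consumed is outside the hunk, so I cannot see whether a per-pair report would conflict with it.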
@@ -35,11 +33,11 @@ class glacier_vaults_policy_public_access(Check):
                         public_access = True
                         break
             else:
-                report.status_extended = f"Vault {vault.name} does not have a policy"
+                report.status_extended = f"Vault {vault.name} does not have a policy."
             if public_access:
                 report.status = "FAIL"
                 report.status_extended = (
-                    f"Vault {vault.name} has policy which allows access to everyone"
+                    f"Vault {vault.name} has policy which allows access to everyone."
                 )
             findings.append(report)
diff --git a/prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.py b/prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.py
index ed7156f5..eb9666fd 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.py
@@ -14,14 +14,14 @@ class guardduty_centrally_managed(Check):
             report.resource_tags = detector.tags
             report.status = "FAIL"
             report.status_extended = (
-                f"GuardDuty detector {detector.id} is not centrally managed"
+                f"GuardDuty detector {detector.id} is not centrally managed."
             )
             if detector.administrator_account:
                 report.status = "PASS"
-                report.status_extended = f"GuardDuty detector {detector.id} is centrally managed by account {detector.administrator_account}"
+                report.status_extended = f"GuardDuty detector {detector.id} is centrally managed by account {detector.administrator_account}."
             elif detector.member_accounts:
                 report.status = "PASS"
-                report.status_extended = f"GuardDuty detector {detector.id} is administrator account with {len(detector.member_accounts)} member accounts"
+                report.status_extended = f"GuardDuty detector {detector.id} is administrator account with {len(detector.member_accounts)} member accounts."
             findings.append(report)
diff --git a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
index c57bcb0a..da859ec6 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
@@ -12,19 +12,19 @@ class guardduty_is_enabled(Check):
             report.resource_arn = detector.arn
             report.resource_tags = detector.tags
             report.status = "PASS"
-            report.status_extended = f"GuardDuty detector {detector.id} enabled"
+            report.status_extended = f"GuardDuty detector {detector.id} enabled."
             if not detector.id:
                 report.status = "FAIL"
-                report.status_extended = "GuardDuty is not enabled"
+                report.status_extended = "GuardDuty is not enabled."
             elif detector.status is None:
                 report.status = "FAIL"
                 report.status_extended = (
-                    f"GuardDuty detector {detector.id} not configured"
+                    f"GuardDuty detector {detector.id} not configured."
                 )
             elif not detector.status:
                 report.status = "FAIL"
                 report.status_extended = (
-                    f"GuardDuty detector {detector.id} configured but suspended"
+                    f"GuardDuty detector {detector.id} configured but suspended."
                 )
             findings.append(report)
diff --git a/prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.py b/prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.py
index 7b50db59..d4ae7242 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.py
@@ -16,7 +16,7 @@ class guardduty_no_high_severity_findings(Check):
             report.status_extended = f"GuardDuty detector {detector.id} does not have high severity findings."
             if len(detector.findings) > 0:
                 report.status = "FAIL"
-                report.status_extended = f"GuardDuty detector {detector.id} has {str(len(detector.findings))} high severity findings"
+                report.status_extended = f"GuardDuty detector {detector.id} has {str(len(detector.findings))} high severity findings."
             findings.append(report)
diff --git a/prowler/providers/aws/services/iam/iam_aws_attached_policy_no_administrative_privileges/iam_aws_attached_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_aws_attached_policy_no_administrative_privileges/iam_aws_attached_policy_no_administrative_privileges.py
index bfec0374..2d14c0d6 100644
--- a/prowler/providers/aws/services/iam/iam_aws_attached_policy_no_administrative_privileges/iam_aws_attached_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_aws_attached_policy_no_administrative_privileges/iam_aws_attached_policy_no_administrative_privileges.py
@@ -14,7 +14,7 @@ class iam_aws_attached_policy_no_administrative_privileges(Check):
             report.resource_id = policy.name
             report.resource_tags = policy.tags
             report.status = "PASS"
-            report.status_extended = f"{policy.type} policy {policy.name} is attached but does not allow '*:*' administrative privileges"
+            report.status_extended = f"{policy.type} policy {policy.name} is attached but does not allow '*:*' administrative privileges."
             if policy.document:
                 # Check the statements, if one includes *:* stop iterating over the rest
                 if not isinstance(policy.document["Statement"], list):
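Review bot: Style: `{str(len(detector.findings))}` inside the f-string is a redundant conversion, because f-string interpolation already applies `str()` to the value; `f"GuardDuty detector {detector.id} has {len(detector.findings)} high severity findings."` is the idiomatic form. Likewise `if len(detector.findings) > 0:` is the long-hand of `if detector.findings:`. The start of execute is outside the hunk.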
@@ -36,7 +36,7 @@ class iam_aws_attached_policy_no_administrative_privileges(Check):
                         )
                     ):
                         report.status = "FAIL"
-                        report.status_extended = f"{policy.type} policy {policy.name} is attached and allows '*:*' administrative privileges"
+                        report.status_extended = f"{policy.type} policy {policy.name} is attached and allows '*:*' administrative privileges."
                         break
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py b/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
index 28fe4754..d096ed3e 100644
--- a/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
+++ b/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
@@ -13,7 +13,9 @@ class iam_check_saml_providers_sts(Check):
             report.resource_arn = provider["Arn"]
             report.region = iam_client.region
             report.status = "PASS"
-            report.status_extended = f"SAML Provider {provider_name} has been found"
+            report.status_extended = (
+                f"SAML Provider {provider_name} has been found."
+            )
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_customer_attached_policy_no_administrative_privileges/iam_customer_attached_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_customer_attached_policy_no_administrative_privileges/iam_customer_attached_policy_no_administrative_privileges.py
index 2b6cb3e0..dc6a1285 100644
--- a/prowler/providers/aws/services/iam/iam_customer_attached_policy_no_administrative_privileges/iam_customer_attached_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_customer_attached_policy_no_administrative_privileges/iam_customer_attached_policy_no_administrative_privileges.py
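Review bot: The iam_check_saml_providers_sts hunk only ever emits a PASS ("SAML Provider ... has been found"); the loop header that binds `provider` and `provider_name` is outside the hunk, but if it iterates the account's SAML providers, an account with none produces no finding at all rather than a FAIL, so the check is silently absent from exactly the reports where it matters. If that reading is right, an account-level FAIL such as `report.status_extended = "No SAML providers found."` should be emitted when the collection is empty; worth confirming against the part of execute I cannot see. The new parenthesised assignment itself is fine.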
@@ -14,7 +14,7 @@ class iam_customer_attached_policy_no_administrative_privileges(Check):
             report.resource_id = policy.name
             report.resource_tags = policy.tags
             report.status = "PASS"
-            report.status_extended = f"{policy.type} policy {policy.name} is attached but does not allow '*:*' administrative privileges"
+            report.status_extended = f"{policy.type} policy {policy.name} is attached but does not allow '*:*' administrative privileges."
             if policy.document:
                 # Check the statements, if one includes *:* stop iterating over the rest
                 if not isinstance(policy.document["Statement"], list):
@@ -36,7 +36,7 @@ class iam_customer_attached_policy_no_administrative_privileges(Check):
                         )
                     ):
                         report.status = "FAIL"
-                        report.status_extended = f"{policy.type} policy {policy.name} is attached and allows '*:*' administrative privileges"
+                        report.status_extended = f"{policy.type} policy {policy.name} is attached and allows '*:*' administrative privileges."
                         break
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_customer_unattached_policy_no_administrative_privileges/iam_customer_unattached_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_customer_unattached_policy_no_administrative_privileges/iam_customer_unattached_policy_no_administrative_privileges.py
index bab71c5d..f37c7538 100644
--- a/prowler/providers/aws/services/iam/iam_customer_unattached_policy_no_administrative_privileges/iam_customer_unattached_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_customer_unattached_policy_no_administrative_privileges/iam_customer_unattached_policy_no_administrative_privileges.py
@@ -14,7 +14,7 @@ class iam_customer_unattached_policy_no_administrative_privileges(Check):
             report.resource_id = policy.name
             report.resource_tags = policy.tags
             report.status = "PASS"
-            report.status_extended = f"{policy.type} policy {policy.name} is unattached and does not allow '*:*' administrative privileges"
+            report.status_extended = f"{policy.type} policy {policy.name} is unattached and does not allow '*:*' administrative privileges."
             if policy.document:
                 # Check the statements, if one includes *:* stop iterating over the rest
                 if not isinstance(policy.document["Statement"], list):
@@ -36,7 +36,7 @@ class iam_customer_unattached_policy_no_administrative_privileges(Check):
                         )
                     ):
                         report.status = "FAIL"
-                        report.status_extended = f"{policy.type} policy {policy.name} is unattached and allows '*:*' administrative privileges"
+                        report.status_extended = f"{policy.type} policy {policy.name} is unattached and allows '*:*' administrative privileges."
                         break
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py b/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
index ff3ac0fd..5da2e672 100644
--- a/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
+++ b/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
@@ -14,7 +14,7 @@ class iam_no_custom_policy_permissive_role_assumption(Check):
             report.resource_id = policy.name
             report.resource_tags = policy.tags
             report.status = "PASS"
-            report.status_extended = f"Custom Policy {policy.name} does not allow permissive STS Role assumption"
+            report.status_extended = f"Custom Policy {policy.name} does not allow permissive STS Role assumption."
             if policy.document:
                 if not isinstance(policy.document["Statement"], list):
                     policy_statements = [policy.document["Statement"]]
@@ -35,7 +35,7 @@ class iam_no_custom_policy_permissive_role_assumption(Check):
                                 or action == "*"
                             ):
                                 report.status = "FAIL"
-                                report.status_extended = f"Custom Policy {policy.name} allows permissive STS Role assumption"
+                                report.status_extended = f"Custom Policy {policy.name} allows permissive STS Role assumption."
                                 break
                     else:
                         if (
@@ -44,7 +44,7 @@ class iam_no_custom_policy_permissive_role_assumption(Check):
                             or statement["Action"] == "*"
                         ):
                             report.status = "FAIL"
-                            report.status_extended = f"Custom Policy {policy.name} allows permissive STS Role assumption"
+                            report.status_extended = f"Custom Policy {policy.name} allows permissive STS Role assumption."
                             break
             findings.append(report)
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py b/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py
index 154e9447..69b5d999 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py
@@ -22,6 +22,6 @@ class iam_password_policy_lowercase(Check):
                 report.status_extended = "IAM password policy does not require at least one lowercase letter."
         else:
             report.status = "FAIL"
-            report.status_extended = "Password policy cannot be found"
+            report.status_extended = "Password policy cannot be found."
         findings.append(report)
         return findings
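Review bot: In the third iam_no_custom_policy_permissive_role_assumption hunk, `or statement["Action"] == "*"` indexes `Action` directly, but a valid IAM statement may use `NotAction` instead; the isinstance guard in the first hunk normalises only `Statement`, so a policy containing a `NotAction` statement raises KeyError and aborts the whole check instead of being evaluated. A `NotAction` with `Effect: Allow` that does not exclude `sts:AssumeRole` is itself a permissive grant, so at minimum wrap these comparisons in `if "Action" in statement:` (or use `statement.get("Action", [])`) and consider flagging `NotAction` explicitly. The conditions preceding `or action == "*"` and `or statement["Action"] == "*"` are outside the hunk.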
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py b/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py
index 81c84731..5364c68a 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py
@@ -25,6 +25,6 @@ class iam_password_policy_minimum_length_14(Check):
                 report.status_extended = "IAM password policy does not require minimum length of 14 characters."
         else:
             report.status = "FAIL"
-            report.status_extended = "Password policy cannot be found"
+            report.status_extended = "Password policy cannot be found."
         findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py b/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py
index 097a7ddf..899f677c 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py
@@ -24,6 +24,6 @@ class iam_password_policy_number(Check):
                 )
         else:
             report.status = "FAIL"
-            report.status_extended = "There is no password policy."
+            report.status_extended = "Password policy cannot be found."
         findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py b/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py
index ac4ac283..2fb37fbb 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py
@@ -27,6 +27,6 @@ class iam_password_policy_reuse_24(Check):
                 )
         else:
             report.status = "FAIL"
-            report.status_extended = "Password policy cannot be found"
+            report.status_extended = "Password policy cannot be found."
         findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py b/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py
index 7be39b2c..b49cc786 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py
@@ -24,6 +24,6 @@ class iam_password_policy_symbol(Check):
                 )
         else:
             report.status = "FAIL"
-            report.status_extended = "There is no password policy."
+            report.status_extended = "Password policy cannot be found."
         findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py b/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py
index 304b529f..2dee186a 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py
@@ -22,6 +22,6 @@ class iam_password_policy_uppercase(Check):
                 report.status_extended = "IAM password policy does not require at least one uppercase letter."
         else:
             report.status = "FAIL"
-            report.status_extended = "There is no password policy."
+            report.status_extended = "Password policy cannot be found."
         findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py b/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
index 15695f9b..3b2d21c6 100644
--- a/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
+++ b/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
@@ -100,7 +100,7 @@ class iam_policy_allows_privilege_escalation(Check):
             report.region = iam_client.region
             report.resource_tags = policy.tags
             report.status = "PASS"
-            report.status_extended = f"Custom Policy {report.resource_arn} does not allow privilege escalation"
+            report.status_extended = f"Custom Policy {report.resource_arn} does not allow privilege escalation."
             # List of policy actions
             allowed_actions = set()
@@ -186,6 +186,9 @@ class iam_policy_allows_privilege_escalation(Check):
                         + " "
                     )
-                report.status_extended = f"Custom Policy {report.resource_arn} allows privilege escalation using the following actions: {policies_affected}".rstrip()
+                report.status_extended = (
+                    f"Custom Policy {report.resource_arn} allows privilege escalation using the following actions: {policies_affected}".rstrip()
+                    + "."
+                )
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail.py b/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail.py
index 3bc39b40..5a7b2097 100644
--- a/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail.py
+++ b/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail.py
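Review bot: Style: in the second iam_policy_allows_privilege_escalation hunk, `policies_affected` is built by string concatenation with a trailing `+ " "` per action and then trimmed with `.rstrip()`, which is why the new code needs the awkward `.rstrip() + "."` expression. Collecting the affected actions in a list and writing `f"Custom Policy {report.resource_arn} allows privilege escalation using the following actions: {', '.join(policies_affected)}."` removes both the trailing-space bookkeeping and the string concatenation. The loop that assembles `policies_affected` starts outside the hunk.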
@@ -16,7 +16,7 @@ class iam_policy_no_full_access_to_cloudtrail(Check):
             report.resource_id = policy.name
             report.resource_tags = policy.tags
             report.status = "PASS"
-            report.status_extended = f"Custom Policy {policy.name} does not allow '{critical_service}:*' privileges"
+            report.status_extended = f"Custom Policy {policy.name} does not allow '{critical_service}:*' privileges."
             if policy.document:
                 if not isinstance(policy.document["Statement"], list):
                     policy_statements = [policy.document["Statement"]]
@@ -34,7 +34,7 @@ class iam_policy_no_full_access_to_cloudtrail(Check):
                         )
                     ):
                         report.status = "FAIL"
-                        report.status_extended = f"Custom Policy {policy.name} allows '{critical_service}:*' privileges"
+                        report.status_extended = f"Custom Policy {policy.name} allows '{critical_service}:*' privileges."
                         break
             findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms.py b/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms.py
index 286e8c1f..7ec9d5e9 100644
--- a/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms.py
+++ b/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms.py
@@ -16,7 +16,7 @@ class iam_policy_no_full_access_to_kms(Check):
             report.resource_id = policy.name
             report.resource_tags = policy.tags
             report.status = "PASS"
-            report.status_extended = f"Custom Policy {policy.name} does not allow '{critical_service}:*' privileges"
+            report.status_extended = f"Custom Policy {policy.name} does not allow '{critical_service}:*' privileges."
             if policy.document:
                 if not isinstance(policy.document["Statement"], list):
                     policy_statements = [policy.document["Statement"]]
@@ -34,7 +34,7 @@ class iam_policy_no_full_access_to_kms(Check):
                         )
                     ):
                         report.status = "FAIL"
-                        report.status_extended = f"Custom Policy {policy.name} allows '{critical_service}:*' privileges"
+                        report.status_extended = f"Custom Policy {policy.name} allows '{critical_service}:*' privileges."
                         break
             findings.append(report)
diff --git a/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py b/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py
index 9b6f2d51..c2fa7b91 100644
--- a/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py
+++ b/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py
@@ -17,7 +17,7 @@ class iam_role_cross_service_confused_deputy_prevention(Check):
             report.resource_id = role.name
             report.resource_tags = role.tags
             report.status = "FAIL"
-            report.status_extended = f"IAM Service Role {role.name} does not prevent against a cross-service confused deputy attack"
+            report.status_extended = f"IAM Service Role {role.name} does not prevent against a cross-service confused deputy attack."
             for statement in role.assume_role_policy["Statement"]:
                 if (
                     statement["Effect"] == "Allow"
@@ -35,7 +35,7 @@ class iam_role_cross_service_confused_deputy_prevention(Check):
                     )
                 ):
                     report.status = "PASS"
-                    report.status_extended = f"IAM Service Role {role.name} prevents against a cross-service confused deputy attack"
+                    report.status_extended = f"IAM Service Role {role.name} prevents against a cross-service confused deputy attack."
                     break
             findings.append(report)
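Review bot: In the second iam_role_cross_service_confused_deputy_prevention hunk the role is marked PASS and the loop `break`s at the first Allow statement that satisfies the (elided) condition, so a trust policy with two service-principal statements, one guarded by a source condition and one unguarded, passes even though the unguarded statement is exactly the confused-deputy exposure the check exists to flag. The verdict should be the conjunction over all statements: start from PASS, set FAIL on any Allow service-principal statement that lacks the guard, and drop the `break`. Separately, `for statement in role.assume_role_policy["Statement"]:` assumes a list; IAM also accepts a single statement object, which would be iterated by key so `statement["Effect"]` raises on a str, so normalise first with `statements = role.assume_role_policy["Statement"]` and `if not isinstance(statements, list): statements = [statements]` as the IAM policy checks in this diff do. The condition between `statement["Effect"] == "Allow"` and `):` is outside the hunk.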
diff --git a/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py b/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py
index 1bc337d3..16394a30 100644
--- a/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py
+++ b/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py
@@ -11,9 +11,9 @@ class iam_securityaudit_role_created(Check):
         report.resource_arn = "arn:aws:iam::aws:policy/SecurityAudit"
         if iam_client.entities_role_attached_to_securityaudit_policy:
             report.status = "PASS"
-            report.status_extended = f"SecurityAudit policy attached to role {iam_client.entities_role_attached_to_securityaudit_policy[0]['RoleName']}"
+            report.status_extended = f"SecurityAudit policy attached to role {iam_client.entities_role_attached_to_securityaudit_policy[0]['RoleName']}."
         else:
             report.status = "FAIL"
-            report.status_extended = "SecurityAudit policy is not attached to any role"
+            report.status_extended = "SecurityAudit policy is not attached to any role."
         findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py b/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py
index ec69b65a..eba577f0 100644
--- a/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py
+++ b/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py
@@ -13,9 +13,9 @@ class iam_support_role_created(Check):
         )
         if iam_client.entities_role_attached_to_support_policy:
             report.status = "PASS"
-            report.status_extended = f"Support policy attached to role {iam_client.entities_role_attached_to_support_policy[0]['RoleName']}"
+            report.status_extended = f"Support policy attached to role {iam_client.entities_role_attached_to_support_policy[0]['RoleName']}."
         else:
             report.status = "FAIL"
-            report.status_extended = "Support policy is not attached to any role"
+            report.status_extended = "Support policy is not attached to any role."
         findings.append(report)
         return findings
diff --git a/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py b/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py
index 9380b9f4..522199bf 100644
--- a/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py
+++ b/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py
@@ -26,7 +26,7 @@ class iam_user_no_setup_initial_access_key(Check):
                 report.resource_arn = user_record["arn"]
                 report.status = "FAIL"
                 report.status_extended = (
-                    f"User {user_record['user']} has never used access key 1"
+                    f"User {user_record['user']} has never used access key 1."
                 )
                 findings.append(report)
             if (
@@ -40,7 +40,7 @@ class iam_user_no_setup_initial_access_key(Check):
                 report.resource_arn = user_record["arn"]
                 report.status = "FAIL"
                 report.status_extended = (
-                    f"User {user_record['user']} has never used access key 2"
+                    f"User {user_record['user']} has never used access key 2."
                 )
                 findings.append(report)
             else:
@@ -49,7 +49,7 @@ class iam_user_no_setup_initial_access_key(Check):
 report.resource_id = user_record["user"]
 report.resource_arn = user_record["arn"]
 report.status = "PASS"
- report.status_extended = f"User {user_record['user']} does not have access keys or uses the access keys configured"
+ report.status_extended = f"User {user_record['user']} does not have access keys or uses the access keys configured."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.py b/prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.py
index f92f507a..d1788c8f 100644
--- a/prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.py
+++ b/prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.py
@@ -17,13 +17,13 @@ class inspector2_findings_exist(Check):
 if inspector.status == "ENABLED":
 active_findings = 0
 report.status = "PASS"
- report.status_extended = "Inspector2 is enabled with no findings"
+ report.status_extended = "Inspector2 is enabled with no findings."
 for finding in inspector.findings:
 if finding.status == "ACTIVE":
 active_findings += 1
 if len(inspector.findings) > 0:
 report.status_extended = (
- "Inspector2 is enabled with no active findings"
+ "Inspector2 is enabled with no active findings."
 )
 if active_findings > 0:
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py b/prowler/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
index be040b48..62ed3fac 100644
--- a/prowler/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
@@ -26,7 +26,7 @@ class kms_key_not_publicly_accessible(Check):
 ):
 report.status = "FAIL"
 report.status_extended = (
- f"KMS key {key.id} may be publicly accessible!"
+ f"KMS key {key.id} may be publicly accessible."
 )
 elif (
 "Principal" in statement and "AWS" in statement["Principal"]
@@ -42,7 +42,7 @@ class kms_key_not_publicly_accessible(Check):
 ):
 report.status = "FAIL"
 report.status_extended = (
- f"KMS key {key.id} may be publicly accessible!"
+ f"KMS key {key.id} may be publicly accessible."
 )
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py
index 32fec778..3770633d 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py
@@ -15,13 +15,13 @@ class opensearch_service_domains_audit_logging_enabled(Check):
 report.resource_tags = domain.tags
 report.status = "FAIL"
 report.status_extended = (
- f"Opensearch domain {domain.name} AUDIT_LOGS disabled"
+ f"Opensearch domain {domain.name} AUDIT_LOGS disabled."
 )
 for logging_item in domain.logging:
 if logging_item.name == "AUDIT_LOGS" and logging_item.enabled:
 report.status = "PASS"
 report.status_extended = (
- f"Opensearch domain {domain.name} AUDIT_LOGS enabled"
+ f"Opensearch domain {domain.name} AUDIT_LOGS enabled."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py
index 0c954b1a..1eac7c2c 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py
@@ -14,7 +14,7 @@ class opensearch_service_domains_cloudwatch_logging_enabled(Check):
 report.resource_arn = domain.arn
 report.resource_tags = domain.tags
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS disabled"
+ report.status_extended = f"Opensearch domain {domain.name} SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS disabled."
 has_SEARCH_SLOW_LOGS = False
 has_INDEX_SLOW_LOGS = False
 for logging_item in domain.logging:
@@ -25,13 +25,13 @@ class opensearch_service_domains_cloudwatch_logging_enabled(Check):
 if has_SEARCH_SLOW_LOGS and has_INDEX_SLOW_LOGS:
 report.status = "PASS"
- report.status_extended = f"Opensearch domain {domain.name} SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS enabled"
+ report.status_extended = f"Opensearch domain {domain.name} SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS enabled."
 elif not has_SEARCH_SLOW_LOGS and has_INDEX_SLOW_LOGS:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} INDEX_SLOW_LOGS enabled but SEARCH_SLOW_LOGS disabled"
+ report.status_extended = f"Opensearch domain {domain.name} INDEX_SLOW_LOGS enabled but SEARCH_SLOW_LOGS disabled."
 elif not has_INDEX_SLOW_LOGS and has_SEARCH_SLOW_LOGS:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} SEARCH_SLOW_LOGS enabled but INDEX_SLOW_LOGS disabled"
+ report.status_extended = f"Opensearch domain {domain.name} SEARCH_SLOW_LOGS enabled but INDEX_SLOW_LOGS disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py
index a4ef1e61..96c40e5f 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py
@@ -15,11 +15,11 @@ class opensearch_service_domains_encryption_at_rest_enabled(Check):
 report.resource_tags = domain.tags
 report.status = "PASS"
 report.status_extended = (
- f"Opensearch domain {domain.name} has encryption at-rest enabled"
+ f"Opensearch domain {domain.name} has encryption at-rest enabled."
 )
 if not domain.encryption_at_rest:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} does not have encryption at-rest enabled"
+ report.status_extended = f"Opensearch domain {domain.name} does not have encryption at-rest enabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py
index 32b15cf1..315f27e6 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py
@@ -15,11 +15,11 @@ class opensearch_service_domains_https_communications_enforced(Check):
 report.resource_tags = domain.tags
 report.status = "PASS"
 report.status_extended = (
- f"Opensearch domain {domain.name} has enforce HTTPS enabled"
+ f"Opensearch domain {domain.name} has enforce HTTPS enabled."
 )
 if not domain.enforce_https:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} does not have enforce HTTPS enabled"
+ report.status_extended = f"Opensearch domain {domain.name} does not have enforce HTTPS enabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py
index a571b423..becb2f3c 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py
@@ -14,10 +14,10 @@ class opensearch_service_domains_internal_user_database_enabled(Check):
 report.resource_arn = domain.arn
 report.resource_tags = domain.tags
 report.status = "PASS"
- report.status_extended = f"Opensearch domain {domain.name} does not have internal user database enabled"
+ report.status_extended = f"Opensearch domain {domain.name} does not have internal user database enabled."
 if domain.internal_user_database:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} has internal user database enabled"
+ report.status_extended = f"Opensearch domain {domain.name} has internal user database enabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py
index 875604b1..4e43f992 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py
@@ -15,11 +15,11 @@ class opensearch_service_domains_node_to_node_encryption_enabled(Check):
 report.resource_tags = domain.tags
 report.status = "PASS"
 report.status_extended = (
- f"Opensearch domain {domain.name} has node-to-node encryption enabled"
+ f"Opensearch domain {domain.name} has node-to-node encryption enabled."
 )
 if not domain.node_to_node_encryption:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} does not have node-to-node encryption enabled"
+ report.status_extended = f"Opensearch domain {domain.name} does not have node-to-node encryption enabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py
index 858a9168..3812a5bf 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py
@@ -15,7 +15,7 @@ class opensearch_service_domains_not_publicly_accessible(Check):
 report.resource_tags = domain.tags
 report.status = "PASS"
 report.status_extended = (
- f"Opensearch domain {domain.name} does not allow anonymous access"
+ f"Opensearch domain {domain.name} does not allow anonymous access."
 )
 if domain.access_policy:
 for statement in domain.access_policy["Statement"]:
@@ -30,7 +30,7 @@ class opensearch_service_domains_not_publicly_accessible(Check):
 ):
 if "Condition" not in statement:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} policy allows access (Principal: '*')"
+ report.status_extended = f"Opensearch domain {domain.name} policy allows access (Principal: '*')."
 break
 else:
 if (
@@ -43,11 +43,11 @@ class opensearch_service_domains_not_publicly_accessible(Check):
 ]:
 if ip == "*":
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} policy allows access (Principal: '*') and network *"
+ report.status_extended = f"Opensearch domain {domain.name} policy allows access (Principal: '*') and network *."
 break
 elif ip == "0.0.0.0/0":
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} policy allows access (Principal: '*') and network 0.0.0.0/0"
+ report.status_extended = f"Opensearch domain {domain.name} policy allows access (Principal: '*') and network 0.0.0.0/0."
 break
 findings.append(report)
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py
index bc1b4aee..6943d29f 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py
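Review bot: The network test in the second hunk (`@@ -43,11`) only matches the literal strings `"*"` and `"0.0.0.0/0"`, so a `Principal: '*'` statement whose IP condition is the IPv6 catch-all `::/0` (or any other prefix that covers everything) leaves the domain at PASS. The narrow fix is to treat both catch-alls alike in that branch, `elif ip in ("0.0.0.0/0", "::/0"):`, and report the matched value with `{ip}` in the message rather than the fixed text; a more complete fix would parse the value with `ipaddress.ip_network(ip, strict=False)` and fail on `prefixlen == 0`. The `for` that yields `ip` and the condition lookup above it start outside the hunk, so I cannot see whether non-CIDR values can reach this point.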
@@ -14,10 +14,10 @@ class opensearch_service_domains_updated_to_the_latest_service_software_version(
 report.resource_arn = domain.arn
 report.resource_tags = domain.tags
 report.status = "PASS"
- report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} does not have internal updates available"
+ report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} does not have internal updates available."
 if domain.update_available:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} has internal updates available"
+ report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} has internal updates available."
 findings.append(report)
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py
index 48b7ae73..9d9e858c 100644
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py
+++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py
@@ -14,10 +14,10 @@ class opensearch_service_domains_use_cognito_authentication_for_kibana(Check):
 report.resource_arn = domain.arn
 report.resource_tags = domain.tags
 report.status = "PASS"
- report.status_extended = f"Opensearch domain {domain.name} has Amazon Cognito authentication for Kibana enabled"
+ report.status_extended = f"Opensearch domain {domain.name} has Amazon Cognito authentication for Kibana enabled."
 if not domain.cognito_options:
 report.status = "FAIL"
- report.status_extended = f"Opensearch domain {domain.name} does not have Amazon Cognito authentication for Kibana enabled"
+ report.status_extended = f"Opensearch domain {domain.name} does not have Amazon Cognito authentication for Kibana enabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py b/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py
index 9c584b60..307f61a4 100644
--- a/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py
+++ b/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py
@@ -12,12 +12,12 @@ class organizations_account_part_of_organizations(Check):
 if org.status == "ACTIVE":
 report.status = "PASS"
 report.status_extended = (
- f"Account is part of AWS Organization: {org.id}"
+ f"Account is part of AWS Organization: {org.id}."
 )
 else:
 report.status = "FAIL"
 report.status_extended = (
- "AWS Organizations is not in-use for this AWS Account"
+ "AWS Organizations is not in-use for this AWS Account."
 )
 report.region = organizations_client.region
 report.resource_id = org.id
diff --git a/prowler/providers/aws/services/organizations/organizations_delegated_administrators/organizations_delegated_administrators.py b/prowler/providers/aws/services/organizations/organizations_delegated_administrators/organizations_delegated_administrators.py
index d0e00bad..0bddb368 100644
--- a/prowler/providers/aws/services/organizations/organizations_delegated_administrators/organizations_delegated_administrators.py
+++ b/prowler/providers/aws/services/organizations/organizations_delegated_administrators/organizations_delegated_administrators.py
@@ -30,13 +30,13 @@ class organizations_delegated_administrators(Check):
 not in organizations_trusted_delegated_administrators
 ):
 report.status = "FAIL"
- report.status_extended = f"Untrusted Delegated Administrators: {delegated_administrator.id}"
+ report.status_extended = f"Untrusted Delegated Administrators: {delegated_administrator.id}."
 else:
 report.status = "PASS"
- report.status_extended = f"Trusted Delegated Administrator: {delegated_administrator.id}"
+ report.status_extended = f"Trusted Delegated Administrator: {delegated_administrator.id}."
 else:
 report.status = "PASS"
- report.status_extended = f"No Delegated Administrators: {org.id}"
+ report.status_extended = f"No Delegated Administrators: {org.id}."
 findings.append(report)
diff --git a/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py b/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py
index f27073f7..4062c42b 100644
--- a/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py
+++ b/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py
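Review bot: The FAIL text is plural (`Untrusted Delegated Administrators:`) while it names exactly one `delegated_administrator.id`, and the PASS branch directly below uses the singular; since the commit already touches this line it could align the two: `report.status_extended = f"Untrusted Delegated Administrator: {delegated_administrator.id}."`. The loop that yields `delegated_administrator` and the `if` whose tail (`not in organizations_trusted_delegated_administrators`) opens the hunk both start outside it.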
@@ -23,7 +23,7 @@ class organizations_scp_check_deny_regions(Check):
 if not org.policies:
 report.status = "FAIL"
 report.status_extended = (
- f"No SCP policies exist at the organization {org.id} level"
+ f"No SCP policies exist at the organization {org.id} level."
 )
 else:
 # We use this flag if we find a statement that is restricting regions but not all the configured ones:
@@ -56,14 +56,14 @@ class organizations_scp_check_deny_regions(Check):
 ):
 # All defined regions are restricted, we exit here, no need to continue.
 report.status = "PASS"
- report.status_extended = f"SCP policy {policy.id} restricting all configured regions found"
+ report.status_extended = f"SCP policy {policy.id} restricting all configured regions found."
 findings.append(report)
 return findings
 else:
 # Regions are restricted, but not the ones defined, we keep this finding, but we continue analyzing:
 is_region_restricted_statement = True
 report.status = "FAIL"
- report.status_extended = f"SCP policies exist {policy.id} restricting some AWS Regions, but not all the configured ones, please check config..."
+ report.status_extended = f"SCP policies exist {policy.id} restricting some AWS Regions, but not all the configured ones, please check config."
 # Allow if Condition = {"StringEquals": {"aws:RequestedRegion": [region1, region2]}}
 if (
@@ -81,23 +81,23 @@ class organizations_scp_check_deny_regions(Check):
 ):
 # All defined regions are restricted, we exit here, no need to continue.
 report.status = "PASS"
- report.status_extended = f"SCP policy {policy.id} restricting all configured regions found"
+ report.status_extended = f"SCP policy {policy.id} restricting all configured regions found."
 findings.append(report)
 return findings
 else:
 # Regions are restricted, but not the ones defined, we keep this finding, but we continue analyzing:
 is_region_restricted_statement = True
 report.status = "FAIL"
- report.status_extended = f"SCP policies exist {policy.id} restricting some AWS Regions, but not all the configured ones, please check config..."
+ report.status_extended = f"SCP policies exist {policy.id} restricting some AWS Regions, but not all the configured ones, please check config."
 if not is_region_restricted_statement:
 report.status = "FAIL"
- report.status_extended = f"SCP policies exist at the organization {org.id} level but don't restrict AWS Regions"
+ report.status_extended = f"SCP policies exist at the organization {org.id} level but don't restrict AWS Regions."
 else:
 report.status = "FAIL"
 report.status_extended = (
- "AWS Organizations is not in-use for this AWS Account"
+ "AWS Organizations is not in-use for this AWS Account."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py b/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py
index f3dd44c9..7dcc4d3e 100644
--- a/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py
+++ b/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py
@@ -15,7 +15,7 @@ class organizations_tags_policies_enabled_and_attached(Check):
 report.region = organizations_client.region
 report.status = "FAIL"
 report.status_extended = (
- "AWS Organizations is not in-use for this AWS Account"
+ "AWS Organizations is not in-use for this AWS Account."
 )
 if org.status == "ACTIVE":
 if org.policies is None:
@@ -26,11 +26,11 @@ class organizations_tags_policies_enabled_and_attached(Check):
 if policy.type != "TAG_POLICY":
 continue
- report.status_extended = f"AWS Organization {org.id} has tag policies enabled but not attached"
+ report.status_extended = f"AWS Organization {org.id} has tag policies enabled but not attached."
 if policy.targets:
 report.status = "PASS"
- report.status_extended = f"AWS Organization {org.id} has tag policies enabled and attached to an AWS account"
+ report.status_extended = f"AWS Organization {org.id} has tag policies enabled and attached to an AWS account."
 findings.append(report)
diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.py b/prowler/providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.py
index d2683ace..f72f77c4 100644
--- a/prowler/providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.py
+++ b/prowler/providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.py
@@ -13,12 +13,12 @@ class redshift_cluster_audit_logging(Check):
 report.resource_tags = cluster.tags
 report.status = "PASS"
 report.status_extended = (
- f"Redshift Cluster {cluster.arn} has audit logging enabled"
+ f"Redshift Cluster {cluster.arn} has audit logging enabled."
 )
 if not cluster.logging_enabled:
 report.status = "FAIL"
 report.status_extended = (
- f"Redshift Cluster {cluster.arn} has audit logging disabled"
+ f"Redshift Cluster {cluster.arn} has audit logging disabled."
 )
 findings.append(report)
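Review bot: In the second hunk (`@@ -26,11`) the "enabled but not attached" text is assigned unconditionally on every TAG_POLICY iteration, so a later tag policy without targets overwrites the text of a report that an earlier policy with targets has already set to `PASS`, leaving status and `status_extended` contradicting each other. Guarding that assignment, `if report.status != "PASS":` before `report.status_extended = f"AWS Organization {org.id} has tag policies enabled but not attached."`, or adding a `break` after the PASS assignment, keeps the two consistent. The `continue` implies an enclosing loop whose header is outside the hunk, so the iteration order is inferred rather than visible.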
diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_automated_snapshot/redshift_cluster_automated_snapshot.py b/prowler/providers/aws/services/redshift/redshift_cluster_automated_snapshot/redshift_cluster_automated_snapshot.py
index b3298c37..ae0d9d5f 100644
--- a/prowler/providers/aws/services/redshift/redshift_cluster_automated_snapshot/redshift_cluster_automated_snapshot.py
+++ b/prowler/providers/aws/services/redshift/redshift_cluster_automated_snapshot/redshift_cluster_automated_snapshot.py
@@ -13,12 +13,12 @@ class redshift_cluster_automated_snapshot(Check):
 report.resource_tags = cluster.tags
 report.status = "PASS"
 report.status_extended = (
- f"Redshift Cluster {cluster.arn} has automated snapshots"
+ f"Redshift Cluster {cluster.arn} has automated snapshots."
 )
 if not cluster.cluster_snapshots:
 report.status = "FAIL"
 report.status_extended = (
- f"Redshift Cluster {cluster.arn} has automated snapshots disabled"
+ f"Redshift Cluster {cluster.arn} has automated snapshots disabled."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_automatic_upgrades/redshift_cluster_automatic_upgrades.py b/prowler/providers/aws/services/redshift/redshift_cluster_automatic_upgrades/redshift_cluster_automatic_upgrades.py
index 6423ccf8..39100698 100644
--- a/prowler/providers/aws/services/redshift/redshift_cluster_automatic_upgrades/redshift_cluster_automatic_upgrades.py
+++ b/prowler/providers/aws/services/redshift/redshift_cluster_automatic_upgrades/redshift_cluster_automatic_upgrades.py
@@ -13,12 +13,12 @@ class redshift_cluster_automatic_upgrades(Check):
 report.resource_tags = cluster.tags
 report.status = "PASS"
 report.status_extended = (
- f"Redshift Cluster {cluster.arn} has AllowVersionUpgrade enabled"
+ f"Redshift Cluster {cluster.arn} has AllowVersionUpgrade enabled."
 )
 if not cluster.allow_version_upgrade:
 report.status = "FAIL"
 report.status_extended = (
- f"Redshift Cluster {cluster.arn} has AllowVersionUpgrade disabled"
+ f"Redshift Cluster {cluster.arn} has AllowVersionUpgrade disabled."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_public_access/redshift_cluster_public_access.py b/prowler/providers/aws/services/redshift/redshift_cluster_public_access/redshift_cluster_public_access.py
index e2d810ab..d72d4081 100644
--- a/prowler/providers/aws/services/redshift/redshift_cluster_public_access/redshift_cluster_public_access.py
+++ b/prowler/providers/aws/services/redshift/redshift_cluster_public_access/redshift_cluster_public_access.py
@@ -13,11 +13,11 @@ class redshift_cluster_public_access(Check):
 report.resource_tags = cluster.tags
 report.status = "PASS"
 report.status_extended = (
- f"Redshift Cluster {cluster.arn} is not publicly accessible"
+ f"Redshift Cluster {cluster.arn} is not publicly accessible."
 )
 if cluster.endpoint_address and cluster.public_access:
 report.status = "FAIL"
- report.status_extended = f"Redshift Cluster {cluster.arn} is publicly accessible at endpoint {cluster.endpoint_address}"
+ report.status_extended = f"Redshift Cluster {cluster.arn} is publicly accessible at endpoint {cluster.endpoint_address}."
 findings.append(report)
diff --git a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py
index 00da9d79..fde1b4ca 100644
--- a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py
+++ b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py
@@ -9,7 +9,7 @@ class resourceexplorer2_indexes_found(Check):
 findings = []
 report = Check_Report_AWS(self.metadata())
 report.status = "FAIL"
- report.status_extended = "No Resource Explorer Indexes found"
+ report.status_extended = "No Resource Explorer Indexes found."
 report.region = resource_explorer_2_client.region
 report.resource_arn = "NoResourceExplorer"
 report.resource_id = resource_explorer_2_client.audited_account
@@ -18,7 +18,7 @@ class resourceexplorer2_indexes_found(Check):
 report.region = resource_explorer_2_client.indexes[0].region
 report.resource_arn = resource_explorer_2_client.indexes[0].arn
 report.status = "PASS"
- report.status_extended = f"Resource Explorer Indexes found: {len(resource_explorer_2_client.indexes)}"
+ report.status_extended = f"Resource Explorer Indexes found: {len(resource_explorer_2_client.indexes)}."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py b/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py
index 509cf14a..1ef5b62f 100644
--- a/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py
+++ b/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py
@@ -45,8 +45,7 @@ class route53_dangling_ip_subdomain_takeover(Check):
 aws_ip_ranges = awsipranges.get_ranges()
 if aws_ip_ranges.get(record):
 report.status = "FAIL"
- report.status_extended = f"Route53 record {record} in Hosted Zone {route53_client.hosted_zones[record_set.hosted_zone_id].name} is a dangling IP which can lead to a subdomain takeover attack!"
-
+ report.status_extended = f"Route53 record {record} in Hosted Zone {route53_client.hosted_zones[record_set.hosted_zone_id].name} is a dangling IP which can lead to a subdomain takeover attack."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py b/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py
index 575ec004..09bb6214 100644
--- a/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py
+++ b/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py
@@ -16,12 +16,12 @@ class route53_domains_privacy_protection_enabled(Check):
 if domain.admin_privacy:
 report.status = "PASS"
 report.status_extended = (
- f"Contact information is private for the {domain.name} domain"
+ f"Contact information is private for the {domain.name} domain."
 )
 else:
 report.status = "FAIL"
 report.status_extended = (
- f"Contact information is public for the {domain.name} domain"
+ f"Contact information is public for the {domain.name} domain."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py b/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py
index 4eefc518..16e13a98 100644
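Review bot: `aws_ip_ranges = awsipranges.get_ranges()` sits immediately before the per-record `if aws_ip_ranges.get(record):`, and with the hunk's indentation collapsed it appears to run once for every record rather than once per check; if that reading is right, the ranges do not change between records and the call should be hoisted above the loop so the lookup table is built a single time. Separately, a short comment at the `if`, e.g. `# only records whose address falls in a released AWS range flip the report to FAIL; the PASS default is set above`, would tell a reader where the non-FAIL status comes from, since that assignment is not in this hunk. The enclosing loop and the PASS assignment both start outside the hunk.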
--- a/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py
+++ b/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py
@@ -16,12 +16,12 @@ class route53_domains_transferlock_enabled(Check):
 if domain.status_list and "clientTransferProhibited" in domain.status_list:
 report.status = "PASS"
 report.status_extended = (
- f"Transfer Lock is enabled for the {domain.name} domain"
+ f"Transfer Lock is enabled for the {domain.name} domain."
 )
 else:
 report.status = "FAIL"
 report.status_extended = (
- f"Transfer Lock is disabled for the {domain.name} domain"
+ f"Transfer Lock is disabled for the {domain.name} domain."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.py b/prowler/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.py
index 55b2bea5..98c96b89 100644
--- a/prowler/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.py
+++ b/prowler/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.py
@@ -18,11 +18,11 @@ class route53_public_hosted_zones_cloudwatch_logging_enabled(Check):
 and hosted_zone.logging_config.cloudwatch_log_group_arn
 ):
 report.status = "PASS"
- report.status_extended = f"Route53 Public Hosted Zone {hosted_zone.id} has query logging enabled in Log Group {hosted_zone.logging_config.cloudwatch_log_group_arn}"
+ report.status_extended = f"Route53 Public Hosted Zone {hosted_zone.id} has query logging enabled in Log Group {hosted_zone.logging_config.cloudwatch_log_group_arn}."
 else:
 report.status = "FAIL"
- report.status_extended = f"Route53 Public Hosted Zone {hosted_zone.id} has query logging disabled"
+ report.status_extended = f"Route53 Public Hosted Zone {hosted_zone.id} has query logging disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py b/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
index 5f768c96..550ac141 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
@@ -32,7 +32,7 @@ class s3_bucket_policy_public_write_access(Check):
 )
 ):
 report.status = "FAIL"
- report.status_extended = f"S3 Bucket {bucket.name} allows public write access in the bucket policy.."
+ report.status_extended = f"S3 Bucket {bucket.name} allows public write access in the bucket policy."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_models_network_isolation_enabled/sagemaker_models_network_isolation_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_models_network_isolation_enabled/sagemaker_models_network_isolation_enabled.py
index c109515a..0a25fb86 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_models_network_isolation_enabled/sagemaker_models_network_isolation_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_models_network_isolation_enabled/sagemaker_models_network_isolation_enabled.py
@@ -12,10 +12,10 @@ class sagemaker_models_network_isolation_enabled(Check):
 report.resource_arn = model.arn
 report.resource_tags = model.tags
 report.status = "PASS"
- report.status_extended = f"Sagemaker notebook instance {model.name} has network isolation enabled"
+ report.status_extended = f"Sagemaker notebook instance {model.name} has network isolation enabled."
 if not model.network_isolation:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker notebook instance {model.name} has network isolation disabled"
+ report.status_extended = f"Sagemaker notebook instance {model.name} has network isolation disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_models_vpc_settings_configured/sagemaker_models_vpc_settings_configured.py b/prowler/providers/aws/services/sagemaker/sagemaker_models_vpc_settings_configured/sagemaker_models_vpc_settings_configured.py
index d8e95ef1..afe6e656 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_models_vpc_settings_configured/sagemaker_models_vpc_settings_configured.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_models_vpc_settings_configured/sagemaker_models_vpc_settings_configured.py
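Review bot: The rewritten messages still call the resource a `Sagemaker notebook instance` although this check iterates SageMaker models (`model.arn`, `model.tags`, `model.network_isolation`), so a FAIL finding names the wrong resource type; suggest `f"Sagemaker model {model.name} has network isolation enabled."` and `f"Sagemaker model {model.name} has network isolation disabled."`. The same copy-paste wording is kept in the sagemaker_models_vpc_settings_configured hunk that follows, whose `model.vpc_config_subnets` test likewise concerns a model. The corresponding test assertions would need the same change. The enclosing loop starts outside the hunk.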
@@ -13,11 +13,11 @@ class sagemaker_models_vpc_settings_configured(Check):
 report.resource_tags = model.tags
 report.status = "PASS"
 report.status_extended = (
- f"Sagemaker notebook instance {model.name} has VPC settings enabled"
+ f"Sagemaker notebook instance {model.name} has VPC settings enabled."
 )
 if not model.vpc_config_subnets:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker notebook instance {model.name} has VPC settings disabled"
+ report.status_extended = f"Sagemaker notebook instance {model.name} has VPC settings disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py
index 9a48160f..cf6d1480 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py
@@ -12,10 +12,10 @@ class sagemaker_notebook_instance_encryption_enabled(Check):
 report.resource_arn = notebook_instance.arn
 report.resource_tags = notebook_instance.tags
 report.status = "PASS"
- report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has data encryption enabled"
+ report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has data encryption enabled."
 if not notebook_instance.kms_key_id:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has data encryption disabled"
+ report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has data encryption disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_root_access_disabled/sagemaker_notebook_instance_root_access_disabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_root_access_disabled/sagemaker_notebook_instance_root_access_disabled.py
index b4295e62..b5dfca63 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_root_access_disabled/sagemaker_notebook_instance_root_access_disabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_root_access_disabled/sagemaker_notebook_instance_root_access_disabled.py
@@ -12,10 +12,10 @@ class sagemaker_notebook_instance_root_access_disabled(Check):
 report.resource_arn = notebook_instance.arn
 report.resource_tags = notebook_instance.tags
 report.status = "PASS"
- report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has root access disabled"
+ report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has root access disabled."
 if notebook_instance.root_access:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has root access enabled"
+ report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has root access enabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_vpc_settings_configured/sagemaker_notebook_instance_vpc_settings_configured.py b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_vpc_settings_configured/sagemaker_notebook_instance_vpc_settings_configured.py
index d92d075b..7a4cf63b 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_vpc_settings_configured/sagemaker_notebook_instance_vpc_settings_configured.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_vpc_settings_configured/sagemaker_notebook_instance_vpc_settings_configured.py
@@ -13,11 +13,11 @@ class sagemaker_notebook_instance_vpc_settings_configured(Check):
 report.resource_tags = notebook_instance.tags
 report.status = "PASS"
 report.status_extended = (
- f"Sagemaker notebook instance {notebook_instance.name} is in a VPC"
+ f"Sagemaker notebook instance {notebook_instance.name} is in a VPC."
 )
 if not notebook_instance.subnet_id:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has VPC settings disabled"
+ report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has VPC settings disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.py b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.py
index 08648d74..40f55f32 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.py
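Review bot: The PASS and FAIL texts of this check are no longer a pair: PASS says `is in a VPC.` while FAIL says `has VPC settings disabled.`, although both are decided by the same `notebook_instance.subnet_id` test. Either `f"Sagemaker notebook instance {notebook_instance.name} is not in a VPC."` for the FAIL branch or `has VPC settings enabled.` for the PASS branch keeps the two messages parallel, as the sibling sagemaker checks in this commit are. The enclosing loop starts outside the hunk.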
@@ -12,10 +12,10 @@ class sagemaker_notebook_instance_without_direct_internet_access_configured(Chec
 report.resource_arn = notebook_instance.arn
 report.resource_tags = notebook_instance.tags
 report.status = "PASS"
- report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has direct internet access disabled"
+ report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has direct internet access disabled."
 if notebook_instance.direct_internet_access:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has direct internet access enabled"
+ report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has direct internet access enabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_intercontainer_encryption_enabled/sagemaker_training_jobs_intercontainer_encryption_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_intercontainer_encryption_enabled/sagemaker_training_jobs_intercontainer_encryption_enabled.py
index d187d9f4..926eae3f 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_intercontainer_encryption_enabled/sagemaker_training_jobs_intercontainer_encryption_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_intercontainer_encryption_enabled/sagemaker_training_jobs_intercontainer_encryption_enabled.py
@@ -12,10 +12,10 @@ class sagemaker_training_jobs_intercontainer_encryption_enabled(Check):
 report.resource_arn = training_job.arn
 report.resource_tags = training_job.tags
 report.status = "PASS"
- report.status_extended = f"Sagemaker training job {training_job.name} has intercontainer encryption enabled"
+ report.status_extended = f"Sagemaker training job {training_job.name} has intercontainer encryption enabled."
 if not training_job.container_traffic_encryption:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker training job {training_job.name} has intercontainer encryption disabled"
+ report.status_extended = f"Sagemaker training job {training_job.name} has intercontainer encryption disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_network_isolation_enabled/sagemaker_training_jobs_network_isolation_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_network_isolation_enabled/sagemaker_training_jobs_network_isolation_enabled.py
index 7d398114..50bcfcc7 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_network_isolation_enabled/sagemaker_training_jobs_network_isolation_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_network_isolation_enabled/sagemaker_training_jobs_network_isolation_enabled.py
@@ -12,10 +12,10 @@ class sagemaker_training_jobs_network_isolation_enabled(Check):
 report.resource_arn = training_job.arn
 report.resource_tags = training_job.tags
 report.status = "PASS"
- report.status_extended = f"Sagemaker training job {training_job.name} has network isolation enabled"
+ report.status_extended = f"Sagemaker training job {training_job.name} has network isolation enabled."
 if not training_job.network_isolation:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker training job {training_job.name} has network isolation disabled"
+ report.status_extended = f"Sagemaker training job {training_job.name} has network isolation disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_volume_and_output_encryption_enabled/sagemaker_training_jobs_volume_and_output_encryption_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_volume_and_output_encryption_enabled/sagemaker_training_jobs_volume_and_output_encryption_enabled.py
index fce83188..f84c5d0b 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_volume_and_output_encryption_enabled/sagemaker_training_jobs_volume_and_output_encryption_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_volume_and_output_encryption_enabled/sagemaker_training_jobs_volume_and_output_encryption_enabled.py
@@ -12,12 +12,10 @@ class sagemaker_training_jobs_volume_and_output_encryption_enabled(Check):
 report.resource_arn = training_job.arn
 report.resource_tags = training_job.tags
 report.status = "PASS"
- report.status_extended = (
- f"Sagemaker training job {training_job.name} has KMS encryption enabled"
- )
+ report.status_extended = f"Sagemaker training job {training_job.name} has KMS encryption enabled."
 if not training_job.volume_kms_key_id:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker training job {training_job.name} has KMS encryption disabled"
+ report.status_extended = f"Sagemaker training job {training_job.name} has KMS encryption disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_vpc_settings_configured/sagemaker_training_jobs_vpc_settings_configured.py b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_vpc_settings_configured/sagemaker_training_jobs_vpc_settings_configured.py
index e7eaa460..0e3cb49a 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_vpc_settings_configured/sagemaker_training_jobs_vpc_settings_configured.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_vpc_settings_configured/sagemaker_training_jobs_vpc_settings_configured.py
@@ -12,10 +12,10 @@ class sagemaker_training_jobs_vpc_settings_configured(Check):
 report.resource_arn = training_job.arn
 report.resource_tags = training_job.tags
 report.status = "PASS"
- report.status_extended = f"Sagemaker training job {training_job.name} has VPC settings for the training job volume and output enabled"
+ report.status_extended = f"Sagemaker training job {training_job.name} has VPC settings for the training job volume and output enabled."
 if not training_job.vpc_config_subnets:
 report.status = "FAIL"
- report.status_extended = f"Sagemaker training job {training_job.name} has VPC settings for the training job volume and output disabled"
+ report.status_extended = f"Sagemaker training job {training_job.name} has VPC settings for the training job volume and output disabled."
 findings.append(report)
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips.py
index f4fc6db2..56e8fbed 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips.py
@@ -14,12 +14,12 @@ class shield_advanced_protection_in_associated_elastic_ips(Check):
 report.resource_arn = elastic_ip.arn
 report.resource_tags = elastic_ip.tags
 report.status = "FAIL"
- report.status_extended = f"Elastic IP {elastic_ip.allocation_id} is not protected by AWS Shield Advanced"
+ report.status_extended = f"Elastic IP {elastic_ip.allocation_id} is not protected by AWS Shield Advanced."
 for protection in shield_client.protections.values():
 if elastic_ip.arn == protection.resource_arn:
 report.status = "PASS"
- report.status_extended = f"Elastic IP {elastic_ip.allocation_id} is protected by AWS Shield Advanced"
+ report.status_extended = f"Elastic IP {elastic_ip.allocation_id} is protected by AWS Shield Advanced."
 break
 findings.append(report)
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers.py
index fc45f25b..5773cdd2 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers.py
@@ -15,14 +15,14 @@ class shield_advanced_protection_in_classic_load_balancers(Check):
 report.resource_tags = elb.tags
 report.status = "FAIL"
 report.status_extended = (
- f"ELB {elb.name} is not protected by AWS Shield Advanced"
+ f"ELB {elb.name} is not protected by AWS Shield Advanced."
 )
 for protection in shield_client.protections.values():
 if elb.arn == protection.resource_arn:
 report.status = "PASS"
 report.status_extended = (
- f"ELB {elb.name} is protected by AWS Shield Advanced"
+ f"ELB {elb.name} is protected by AWS Shield Advanced."
 )
 break
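Review bot: Each Elastic IP is matched against Shield protections by a linear scan of `shield_client.protections.values()` inside the per-resource loop, so the check costs O(resources × protections); building `protected_arns = {p.resource_arn for p in shield_client.protections.values()}` once above the loop and testing `if elastic_ip.arn in protected_arns:` gives the same PASS/FAIL outcome in a single pass. The same scan-per-resource pattern is in the classic_load_balancers hunk on this line and in the cloudfront_distributions, global_accelerators, internet_facing_load_balancers and route53_hosted_zones hunks that follow. The outer loop header is outside the hunk.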
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions.py
index 40644bc2..3049c653 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions.py
@@ -16,12 +16,12 @@ class shield_advanced_protection_in_cloudfront_distributions(Check):
 report.resource_arn = distribution.arn
 report.resource_tags = distribution.tags
 report.status = "FAIL"
- report.status_extended = f"CloudFront distribution {distribution.id} is not protected by AWS Shield Advanced"
+ report.status_extended = f"CloudFront distribution {distribution.id} is not protected by AWS Shield Advanced."
 for protection in shield_client.protections.values():
 if distribution.arn == protection.resource_arn:
 report.status = "PASS"
- report.status_extended = f"CloudFront distribution {distribution.id} is protected by AWS Shield Advanced"
+ report.status_extended = f"CloudFront distribution {distribution.id} is protected by AWS Shield Advanced."
 break
 findings.append(report)
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators.py
index f30c3073..2c1b8869 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators.py
@@ -15,12 +15,12 @@ class shield_advanced_protection_in_global_accelerators(Check):
 report.resource_id = accelerator.name
 report.resource_arn = accelerator.arn
 report.status = "FAIL"
- report.status_extended = f"Global Accelerator {accelerator.name} is not protected by AWS Shield Advanced"
+ report.status_extended = f"Global Accelerator {accelerator.name} is not protected by AWS Shield Advanced."
 for protection in shield_client.protections.values():
 if accelerator.arn == protection.resource_arn:
 report.status = "PASS"
- report.status_extended = f"Global Accelerator {accelerator.name} is protected by AWS Shield Advanced"
+ report.status_extended = f"Global Accelerator {accelerator.name} is protected by AWS Shield Advanced."
 break
 findings.append(report)
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers.py
index bcec6423..8129d164 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers.py
@@ -15,12 +15,12 @@ class shield_advanced_protection_in_internet_facing_load_balancers(Check):
 report.resource_arn = elbv2.arn
 report.resource_tags = elbv2.tags
 report.status = "FAIL"
- report.status_extended = f"ELBv2 ALB {elbv2.name} is not protected by AWS Shield Advanced"
+ report.status_extended = f"ELBv2 ALB {elbv2.name} is not protected by AWS Shield Advanced."
 for protection in shield_client.protections.values():
 if elbv2.arn == protection.resource_arn:
 report.status = "PASS"
- report.status_extended = f"ELBv2 ALB {elbv2.name} is protected by AWS Shield Advanced"
+ report.status_extended = f"ELBv2 ALB {elbv2.name} is protected by AWS Shield Advanced."
 break
 findings.append(report)
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones.py
index 98b59cf8..243774cc 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones.py
@@ -14,12 +14,12 @@ class shield_advanced_protection_in_route53_hosted_zones(Check):
 report.resource_arn = hosted_zone.arn
 report.resource_tags = hosted_zone.tags
 report.status = "FAIL"
- report.status_extended = f"Route53 Hosted Zone {hosted_zone.id} is not protected by AWS Shield Advanced"
+ report.status_extended = f"Route53 Hosted Zone {hosted_zone.id} is not protected by AWS Shield Advanced."
 for protection in shield_client.protections.values():
 if hosted_zone.arn == protection.resource_arn:
 report.status = "PASS"
- report.status_extended = f"Route53 Hosted Zone {hosted_zone.id} is protected by AWS Shield Advanced"
+ report.status_extended = f"Route53 Hosted Zone {hosted_zone.id} is protected by AWS Shield Advanced."
 break
 findings.append(report)
diff --git a/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py b/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py
index 951644be..bec81d1b 100644
--- a/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py
@@ -15,7 +15,9 @@ class sns_topics_not_publicly_accessible(Check):
 report.resource_arn = topic.arn
 report.resource_tags = topic.tags
 report.status = "PASS"
- report.status_extended = f"SNS topic {topic.name} is not publicly accesible"
+ report.status_extended = (
+ f"SNS topic {topic.name} is not publicly accesible."
+ )
 if topic.policy:
 for statement in topic.policy["Statement"]:
 # Only check allow statements
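Review bot: The wrapped PASS message in the sns_topics_not_publicly_accessible hunk keeps the misspelling `accesible`; since the line is being rewritten anyway, the added line should read `f"SNS topic {topic.name} is not publicly accessible."`, with the matching assertion in the SNS test file updated to the same spelling. This is a user-facing finding text, so the typo shows up in every report that includes a PASS for this check. The enclosing loop starts outside the hunk.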
@@ -37,10 +39,10 @@ class sns_topics_not_publicly_accessible(Check):
 statement["Condition"], sns_client.audited_account
 )
 ):
- report.status_extended = f"SNS topic {topic.name} is not public because its policy only allows access from the same account"
+ report.status_extended = f"SNS topic {topic.name} is not public because its policy only allows access from the same account."
 else:
 report.status = "FAIL"
- report.status_extended = f"SNS topic {topic.name} is public because its policy allows public access"
+ report.status_extended = f"SNS topic {topic.name} is public because its policy allows public access."
 findings.append(report)
diff --git a/prowler/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.py b/prowler/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.py
index 38a4e185..64fca7d8 100644
--- a/prowler/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.py
@@ -15,7 +15,7 @@ class sqs_queues_not_publicly_accessible(Check):
 report.resource_arn = queue.arn
 report.resource_tags = queue.tags
 report.status = "PASS"
- report.status_extended = f"SQS queue {queue.id} is not public"
+ report.status_extended = f"SQS queue {queue.id} is not public."
 if queue.policy:
 for statement in queue.policy["Statement"]:
 # Only check allow statements
@@ -37,10 +37,10 @@ class sqs_queues_not_publicly_accessible(Check):
 statement["Condition"], sqs_client.audited_account
 )
 ):
- report.status_extended = f"SQS queue {queue.id} is not public because its policy only allows access from the same account"
+ report.status_extended = f"SQS queue {queue.id} is not public because its policy only allows access from the same account."
 else:
 report.status = "FAIL"
- report.status_extended = f"SQS queue {queue.id} is public because its policy allows public access"
+ report.status_extended = f"SQS queue {queue.id} is public because its policy allows public access."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled.py b/prowler/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled.py
index a551e18e..33c18281 100644
--- a/prowler/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled.py
+++ b/prowler/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled.py
@@ -13,12 +13,12 @@ class sqs_queues_server_side_encryption_enabled(Check):
 report.resource_tags = queue.tags
 report.status = "PASS"
 report.status_extended = (
- f"SQS queue {queue.id} is using Server Side Encryption"
+ f"SQS queue {queue.id} is using Server Side Encryption."
 )
 if not queue.kms_key_id:
 report.status = "FAIL"
 report.status_extended = (
- f"SQS queue {queue.id} is not using Server Side Encryption"
+ f"SQS queue {queue.id} is not using Server Side Encryption."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.py b/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.py
index 04a4e0ee..08772b2a 100644
--- a/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.py
+++ b/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.py
@@ -19,7 +19,9 @@ class ssm_document_secrets(Check):
 report.resource_id = document.name
 report.resource_tags = document.tags
 report.status = "PASS"
- report.status_extended = f"No secrets found in SSM Document {document.name}"
+ report.status_extended = (
+ f"No secrets found in SSM Document {document.name}."
+ )
 if document.content:
 temp_env_data_file = tempfile.NamedTemporaryFile(delete=False)
@@ -43,7 +45,7 @@ class ssm_document_secrets(Check):
 ]
 )
 report.status = "FAIL"
- report.status_extended = f"Potential secret found in SSM Document {document.name} -> {secrets_string}"
+ report.status_extended = f"Potential secret found in SSM Document {document.name} -> {secrets_string}."
 os.remove(temp_env_data_file.name)
diff --git a/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.py b/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.py
index f551f2bb..f13d4937 100644
--- a/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.py
+++ b/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.py
@@ -13,10 +13,10 @@ class ssm_documents_set_as_public(Check):
 report.resource_tags = document.tags
 if document.account_owners:
 report.status = "FAIL"
- report.status_extended = f"SSM Document {document.name} is public"
+ report.status_extended = f"SSM Document {document.name} is public."
 else:
 report.status = "PASS"
- report.status_extended = f"SSM Document {document.name} is not public"
+ report.status_extended = f"SSM Document {document.name} is not public."
 findings.append(report)
diff --git a/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py b/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py
index 1e89438a..59c25dbf 100644
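Review bot: In ssm_document_secrets the document body goes into `tempfile.NamedTemporaryFile(delete=False)` at the end of the first hunk and is only deleted by the `os.remove(temp_env_data_file.name)` at the end of the second, with no `try`/`finally` between them, so any exception raised while scanning leaves a file holding the SSM document content — exactly the data this check treats as potentially secret-bearing — behind in the temp directory. Wrapping the scan in `try:` and moving the cleanup into `finally: os.remove(temp_env_data_file.name)`, or using the context-manager form of NamedTemporaryFile, closes that gap. The code between the two hunks, where the file is written and scanned, is outside this view, so the exact try boundary has to be chosen there.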
--- a/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py
+++ b/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py
@@ -16,7 +16,7 @@ class vpc_different_regions(Check):
 report.resource_id = vpc_client.audited_account
 report.resource_arn = vpc_client.audited_account_arn
 report.status = "FAIL"
- report.status_extended = "VPCs found only in one region"
+ report.status_extended = "VPCs found only in one region."
 if len(vpc_regions) > 1:
 report.status = "PASS"
 report.status_extended = "VPCs found in more than one region."
diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py b/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py
index 0f61e4f1..425cf0b7 100644
--- a/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py
+++ b/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py
@@ -15,12 +15,12 @@ class vpc_subnet_no_public_ip_by_default(Check):
 if subnet.mapPublicIpOnLaunch:
 report.status = "FAIL"
 report.status_extended = (
- f"VPC subnet {subnet.id} assigns public IP by default"
+ f"VPC subnet {subnet.id} assigns public IP by default."
 )
 else:
 report.status = "PASS"
 report.status_extended = (
- f"VPC subnet {subnet.id} does NOT assign public IP by default"
+ f"VPC subnet {subnet.id} does NOT assign public IP by default."
 )
 findings.append(report)
diff --git a/prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py b/prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py
index fb18ed9e..a0ebf431 100644
--- a/prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py
+++ b/prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py
@@ -14,10 +14,10 @@ class wellarchitected_workload_no_high_or_medium_risks(Check):
 report.resource_arn = workload.arn
 report.resource_tags = workload.tags
 report.status = "PASS"
- report.status_extended = f"Well Architected workload {workload.name} does not contain high or medium risks"
+ report.status_extended = f"Well Architected workload {workload.name} does not contain high or medium risks."
 if "HIGH" in workload.risks or "MEDIUM" in workload.risks:
 report.status = "FAIL"
- report.status_extended = f"Well Architected workload {workload.name} contains {workload.risks.get('HIGH',0)} high and {workload.risks.get('MEDIUM',0)} medium risks"
+ report.status_extended = f"Well Architected workload {workload.name} contains {workload.risks.get('HIGH',0)} high and {workload.risks.get('MEDIUM',0)} medium risks."
 findings.append(report)
 return findings
diff --git a/prowler/providers/aws/services/workspaces/workspaces_volume_encryption_enabled/workspaces_volume_encryption_enabled.py b/prowler/providers/aws/services/workspaces/workspaces_volume_encryption_enabled/workspaces_volume_encryption_enabled.py
index 712be0f5..4a9527b8 100644
--- a/prowler/providers/aws/services/workspaces/workspaces_volume_encryption_enabled/workspaces_volume_encryption_enabled.py
+++ b/prowler/providers/aws/services/workspaces/workspaces_volume_encryption_enabled/workspaces_volume_encryption_enabled.py
@@ -14,23 +14,19 @@ class workspaces_volume_encryption_enabled(Check):
 report.resource_arn = workspace.arn
 report.resource_tags = workspace.tags
 report.status = "PASS"
- report.status_extended = f"WorkSpaces workspace {workspace.id} without root or user unencrypted volumes"
+ report.status_extended = f"WorkSpaces workspace {workspace.id} without root or user unencrypted volumes."
 if not workspace.user_volume_encryption_enabled:
 report.status = "FAIL"
- report.status_extended = (
- f"WorkSpaces workspace {workspace.id} with user unencrypted volumes"
- )
+ report.status_extended = f"WorkSpaces workspace {workspace.id} with user unencrypted volumes."
 if not workspace.root_volume_encryption_enabled:
 report.status = "FAIL"
- report.status_extended = (
- f"WorkSpaces workspace {workspace.id} with root unencrypted volumes"
- )
+ report.status_extended = f"WorkSpaces workspace {workspace.id} with root unencrypted volumes."
 if (
 not workspace.root_volume_encryption_enabled
 and not workspace.user_volume_encryption_enabled
 ):
 report.status = "FAIL"
- report.status_extended = f"WorkSpaces workspace {workspace.id} with root and user unencrypted volumes"
+ report.status_extended = f"WorkSpaces workspace {workspace.id} with root and user unencrypted volumes."
 findings.append(report)
 return findings
diff --git a/tests/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled_test.py b/tests/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled_test.py
index 07bb2984..9bde9f51 100644
--- a/tests/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled_test.py
+++ b/tests/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled_test.py
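Review bot: The three independent `if` blocks reassign `report.status_extended` up to three times per workspace, and the root-only message is only correct because the combined `if (not root and not user)` block overwrites it afterwards; that ordering dependency is easy to break on a later edit. Checking the combined case first and turning the user-only and root-only cases into `elif` branches gives each workspace a single assignment and makes the precedence explicit without changing any of the resulting messages. The enclosing execute method starts outside the hunk.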
@@ -52,7 +52,7 @@ class Test_cloudformation_stacks_termination_protection_enabled:
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"CloudFormation {stack_name} has termination protection enabled"
+ == f"CloudFormation {stack_name} has termination protection enabled."
 )
 assert result[0].resource_id == "Test-Stack"
 assert (
@@ -90,7 +90,7 @@ class Test_cloudformation_stacks_termination_protection_enabled:
 assert result[0].status == "FAIL"
 assert (
 result[0].status_extended
- == f"CloudFormation {stack_name} has termination protection disabled"
+ == f"CloudFormation {stack_name} has termination protection disabled."
 )
 assert result[0].resource_id == "Test-Stack"
 assert (
diff --git a/tests/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled_test.py b/tests/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled_test.py
index 77caf0a5..bcbe13e7 100644
--- a/tests/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled_test.py
+++ b/tests/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled_test.py
@@ -110,10 +110,12 @@ class Test_codeartifact_packages_external_public_publishing_disabled: assert len(result) == 1 assert result[0].region == AWS_REGION assert result[0].resource_id == "test-package" + assert result[0].resource_arn == repository_arn + assert result[0].resource_tags == [] assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Internal package {package_name} is vulnerable to dependency confusion in repository {repository_arn}" + == f"Internal package {package_name} is vulnerable to dependency confusion in repository {repository_arn}." ) def test_repository_package_private_publishing_origin_internal(self): @@ -165,8 +167,10 @@ class Test_codeartifact_packages_external_public_publishing_disabled: assert len(result) == 1 assert result[0].region == AWS_REGION assert result[0].resource_id == "test-package" + assert result[0].resource_arn == repository_arn + assert result[0].resource_tags == [] assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Internal package {package_name} is not vulnerable to dependency confusion in repository {repository_arn}" + == f"Internal package {package_name} is not vulnerable to dependency confusion in repository {repository_arn}." ) diff --git a/tests/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days_test.py b/tests/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days_test.py index d5f5f114..fd13f0ea 100644 --- a/tests/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days_test.py +++ b/tests/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days_test.py 
@@ -40,6 +40,8 @@ class Test_codebuild_project_older_90_days: ) assert result[0].resource_id == project_name assert result[0].resource_arn == project_arn + assert result[0].resource_tags == [] + assert result[0].region == AWS_REGION def test_project_not_built(self): codebuild_client = mock.MagicMock @@ -70,6 +72,8 @@ class Test_codebuild_project_older_90_days: assert search("has never been built", result[0].status_extended) assert result[0].resource_id == project_name assert result[0].resource_arn == project_arn + assert result[0].resource_tags == [] + assert result[0].region == AWS_REGION def test_project_built_in_last_90_days(self): codebuild_client = mock.MagicMock @@ -102,3 +106,5 @@ class Test_codebuild_project_older_90_days: ) assert result[0].resource_id == project_name assert result[0].resource_arn == project_arn + assert result[0].resource_tags == [] + assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec_test.py b/tests/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec_test.py index 5a809e87..d9a30a7e 100644 --- a/tests/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec_test.py +++ b/tests/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec_test.py @@ -40,6 +40,8 @@ class Test_codebuild_project_user_controlled_buildspec: ) assert result[0].resource_id == project_name assert result[0].resource_arn == project_arn + assert result[0].resource_tags == [] + assert result[0].region == AWS_REGION def test_project_buildspec_not_yaml(self): codebuild_client = mock.MagicMock 
@@ -73,6 +75,8 @@ class Test_codebuild_project_user_controlled_buildspec: ) assert result[0].resource_id == project_name assert result[0].resource_arn == project_arn + assert result[0].resource_tags == [] + assert result[0].region == AWS_REGION def test_project_valid_buildspec(self): codebuild_client = mock.MagicMock @@ -105,6 +109,8 @@ class Test_codebuild_project_user_controlled_buildspec: ) assert result[0].resource_id == project_name assert result[0].resource_arn == project_arn + assert result[0].resource_tags == [] + assert result[0].region == AWS_REGION def test_project_invalid_buildspec_without_extension(self): codebuild_client = mock.MagicMock @@ -138,3 +144,5 @@ class Test_codebuild_project_user_controlled_buildspec: ) assert result[0].resource_id == project_name assert result[0].resource_arn == project_arn + assert result[0].resource_tags == [] + assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py b/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py index 7d28d161..21ddd969 100644 --- a/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py +++ b/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py @@ -8,6 +8,7 @@ from prowler.providers.common.models import Audit_Metadata AWS_REGION = "us-east-1" AWS_ACCOUNT_NUMBER = "123456789012" +AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" class Test_config_recorder_all_regions_enabled: @@ -20,7 +21,7 @@ class Test_config_recorder_all_regions_enabled: botocore_session=None, ), audited_account=AWS_ACCOUNT_NUMBER, - audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root", + audited_account_arn=AWS_ACCOUNT_ARN, audited_user_id=None, audited_partition="aws", audited_identity_arn=None, 
@@ -67,6 +68,12 @@ class Test_config_recorder_all_regions_enabled: len(result) == 2 ) # One fail result per region, since there are no recorders assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled." + ) + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].resource_id == AWS_ACCOUNT_NUMBER @mock_config def test_config_one_recoder_disabled(self): @@ -105,6 +112,8 @@ class Test_config_recorder_all_regions_enabled: == "AWS Config recorder default is disabled." ) assert recorder.resource_id == "default" + assert recorder.resource_arn == AWS_ACCOUNT_ARN + assert recorder.region == AWS_REGION @mock_config def test_config_one_recoder_enabled(self): @@ -148,3 +157,5 @@ class Test_config_recorder_all_regions_enabled: == "AWS Config recorder default is enabled." ) assert recorder.resource_id == "default" + assert recorder.resource_arn == AWS_ACCOUNT_ARN + assert recorder.region == AWS_REGION diff --git a/tests/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled_test.py b/tests/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled_test.py index c92db982..ddbd26a1 100644 --- a/tests/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled_test.py +++ b/tests/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled_test.py @@ -8,6 +8,7 @@ from prowler.providers.aws.services.directoryservice.directoryservice_service im ) AWS_REGION = "eu-west-1" +AWS_ACCOUNT_NUMBER = "123456789012" class Test_directoryservice_directory_log_forwarding_enabled: 
@@ -32,9 +33,13 @@ class Test_directoryservice_directory_log_forwarding_enabled: directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, + arn=directory_arn, id=directory_id, type=DirectoryType.MicrosoftAD, region=AWS_REGION, @@ -55,20 +60,26 @@ class Test_directoryservice_directory_log_forwarding_enabled: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Directory Service {directory_id} have log forwarding to CloudWatch disabled" + == f"Directory Service {directory_id} have log forwarding to CloudWatch disabled." ) def test_one_directory_logging_enabled(self): directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, + arn=directory_arn, id=directory_id, type=DirectoryType.MicrosoftAD, region=AWS_REGION, @@ -95,9 +106,11 @@ class Test_directoryservice_directory_log_forwarding_enabled: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Directory Service {directory_id} have log forwarding to CloudWatch enabled" + == f"Directory Service {directory_id} have log forwarding to CloudWatch enabled." ) 
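Review bot: Each test builds `directory_arn` with the literal `d-12345a1b2` instead of the `directory_id` variable assigned two lines above it, so the id and the ARN can silently diverge if either is edited later; `directory_arn = f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/{directory_id}"` keeps the two tied together. The same pattern repeats in the directoryservice_directory_monitor_notifications, directoryservice_directory_snapshots_limit, directoryservice_ldap_certificate_expiration, directoryservice_radius_server_security_protocol and directoryservice_supported_mfa_radius_enabled test files further down in this diff.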
diff --git a/tests/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications_test.py b/tests/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications_test.py index 44679816..d4d132e9 100644 --- a/tests/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications_test.py +++ b/tests/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications_test.py @@ -11,6 +11,7 @@ from prowler.providers.aws.services.directoryservice.directoryservice_service im ) AWS_REGION = "eu-west-1" +AWS_ACCOUNT_NUMBER = "123456789012" class Test_directoryservice_directory_monitor_notifications: @@ -35,9 +36,13 @@ class Test_directoryservice_directory_monitor_notifications: directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, name=directory_name, region=AWS_REGION, 
@@ -58,21 +63,27 @@ class Test_directoryservice_directory_monitor_notifications: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Directory Service {directory_id} have SNS messaging disabled" + == f"Directory Service {directory_id} have SNS messaging disabled." ) def test_one_directory_logging_enabled(self): directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, event_topics=[ @@ -99,9 +110,11 @@ class Test_directoryservice_directory_monitor_notifications: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Directory Service {directory_id} have SNS messaging enabled" + == f"Directory Service {directory_id} have SNS messaging enabled." ) diff --git a/tests/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit_test.py b/tests/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit_test.py index 8efae8c5..59f79450 100644 --- a/tests/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit_test.py 
+++ b/tests/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit_test.py @@ -7,6 +7,7 @@ from prowler.providers.aws.services.directoryservice.directoryservice_service im ) AWS_REGION = "eu-west-1" +AWS_ACCOUNT_NUMBER = "123456789012" class Test_directoryservice_directory_snapshots_limit: @@ -31,6 +32,9 @@ class Test_directoryservice_directory_snapshots_limit: directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) manual_snapshots_current_count = 5 manual_snapshots_limit = 5 manual_snapshots_limit_reached = True @@ -38,6 +42,7 @@ class Test_directoryservice_directory_snapshots_limit: directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, snapshots_limits=SnapshotLimit( @@ -61,17 +66,22 @@ class Test_directoryservice_directory_snapshots_limit: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Directory Service {directory_id} reached {manual_snapshots_limit} Snapshots limit" + == f"Directory Service {directory_id} reached {manual_snapshots_limit} Snapshots limit." ) def test_one_directory_snapshots_limit_over_threshold(self): directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) manual_snapshots_current_count = 4 manual_snapshots_limit = 5 manual_snapshots_limit_reached = False 
@@ -79,6 +89,7 @@ class Test_directoryservice_directory_snapshots_limit: directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, snapshots_limits=SnapshotLimit( @@ -102,17 +113,22 @@ class Test_directoryservice_directory_snapshots_limit: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Directory Service {directory_id} is about to reach {manual_snapshots_limit} Snapshots which is the limit" + == f"Directory Service {directory_id} is about to reach {manual_snapshots_limit} Snapshots which is the limit." ) def test_one_directory_snapshots_limit_equal_threshold(self): directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) manual_snapshots_current_count = 3 manual_snapshots_limit = 5 manual_snapshots_limit_reached = False @@ -120,6 +136,7 @@ class Test_directoryservice_directory_snapshots_limit: directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, snapshots_limits=SnapshotLimit( 
@@ -143,17 +160,22 @@ class Test_directoryservice_directory_snapshots_limit: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Directory Service {directory_id} is about to reach {manual_snapshots_limit} Snapshots which is the limit" + == f"Directory Service {directory_id} is about to reach {manual_snapshots_limit} Snapshots which is the limit." ) def test_one_directory_snapshots_limit_more_threshold(self): directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) manual_snapshots_current_count = 1 manual_snapshots_limit = 5 manual_snapshots_limit_reached = False @@ -161,6 +183,7 @@ class Test_directoryservice_directory_snapshots_limit: directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, snapshots_limits=SnapshotLimit( @@ -184,9 +207,11 @@ class Test_directoryservice_directory_snapshots_limit: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Directory Service {directory_id} is using {manual_snapshots_current_count} out of {manual_snapshots_limit} from the Snapshots Limit" + == f"Directory Service {directory_id} is using {manual_snapshots_current_count} out of {manual_snapshots_limit} from the Snapshots Limit." ) 
diff --git a/tests/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration_test.py b/tests/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration_test.py index 05dd2be0..d1e1ebf0 100644 --- a/tests/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration_test.py +++ b/tests/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration_test.py @@ -12,6 +12,7 @@ from prowler.providers.aws.services.directoryservice.directoryservice_service im ) AWS_REGION = "eu-west-1" +AWS_ACCOUNT_NUMBER = "123456789012" # Always use a mocked date to test the certificates expiration @@ -38,9 +39,13 @@ class Test_directoryservice_ldap_certificate_expiration: directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, name=directory_name, region=AWS_REGION, @@ -68,10 +73,14 @@ class Test_directoryservice_ldap_certificate_expiration: directory_name = "test-directory" certificate_id = "test-certificate" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, certificates=[ 
@@ -100,11 +109,13 @@ class Test_directoryservice_ldap_certificate_expiration: assert len(result) == 1 assert result[0].resource_id == certificate_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "PASS" assert ( result[0].status_extended - == f"LDAP Certificate {certificate_id} configured at {directory_id} expires in {remaining_days_to_expire} days" + == f"LDAP Certificate {certificate_id} configured at {directory_id} expires in {remaining_days_to_expire} days." ) def test_directory_certificate_expires_in_90_days(self): @@ -114,10 +125,14 @@ class Test_directoryservice_ldap_certificate_expiration: directory_name = "test-directory" certificate_id = "test-certificate" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, certificates=[ @@ -146,11 +161,13 @@ class Test_directoryservice_ldap_certificate_expiration: assert len(result) == 1 assert result[0].resource_id == certificate_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"LDAP Certificate {certificate_id} configured at {directory_id} is about to expire in {remaining_days_to_expire} days" + == f"LDAP Certificate {certificate_id} configured at {directory_id} is about to expire in {remaining_days_to_expire} days." ) def test_directory_certificate_expires_in_31_days(self): 
@@ -160,10 +177,14 @@ class Test_directoryservice_ldap_certificate_expiration: directory_name = "test-directory" certificate_id = "test-certificate" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, certificates=[ @@ -192,9 +213,11 @@ class Test_directoryservice_ldap_certificate_expiration: assert len(result) == 1 assert result[0].resource_id == certificate_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"LDAP Certificate {certificate_id} configured at {directory_id} is about to expire in {remaining_days_to_expire} days" + == f"LDAP Certificate {certificate_id} configured at {directory_id} is about to expire in {remaining_days_to_expire} days." ) diff --git a/tests/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol_test.py b/tests/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol_test.py index 3846829b..11b7c375 100644 --- a/tests/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol_test.py +++ b/tests/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol_test.py @@ -9,6 +9,7 @@ from prowler.providers.aws.services.directoryservice.directoryservice_service im ) AWS_REGION = "eu-west-1" +AWS_ACCOUNT_NUMBER = "123456789012" class Test_directoryservice_radius_server_security_protocol: 
@@ -33,10 +34,14 @@ class Test_directoryservice_radius_server_security_protocol: directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, radius_settings=None, @@ -60,10 +65,14 @@ class Test_directoryservice_radius_server_security_protocol: directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, radius_settings=RadiusSettings( 
@@ -86,21 +95,27 @@ class Test_directoryservice_radius_server_security_protocol: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Radius server of Directory {directory_id} does not have recommended security protocol for the Radius server" + == f"Radius server of Directory {directory_id} does not have recommended security protocol for the Radius server." ) def test_directory_radius_server_secure_auth_protocol(self): directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, radius_settings=RadiusSettings( @@ -123,9 +138,11 @@ class Test_directoryservice_radius_server_security_protocol: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Radius server of Directory {directory_id} have recommended security protocol for the Radius server" + == f"Radius server of Directory {directory_id} have recommended security protocol for the Radius server." ) diff --git a/tests/providers/aws/services/directoryservice/directoryservice_service_test.py b/tests/providers/aws/services/directoryservice/directoryservice_service_test.py index 86104fe9..8bae198a 100644 --- a/tests/providers/aws/services/directoryservice/directoryservice_service_test.py +++ b/tests/providers/aws/services/directoryservice/directoryservice_service_test.py 
@@ -178,6 +178,10 @@ class Test_DirectoryService_Service: # __describe_directories__ assert directoryservice.directories["d-12345a1b2"].id == "d-12345a1b2" + assert ( + directoryservice.directories["d-12345a1b2"].arn + == f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) assert ( directoryservice.directories["d-12345a1b2"].type == DirectoryType.MicrosoftAD diff --git a/tests/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled_test.py b/tests/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled_test.py index 4d593284..a323d843 100644 --- a/tests/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled_test.py +++ b/tests/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled_test.py @@ -9,6 +9,7 @@ from prowler.providers.aws.services.directoryservice.directoryservice_service im ) AWS_REGION = "eu-west-1" +AWS_ACCOUNT_NUMBER = "123456789012" class Test_directoryservice_supported_mfa_radius_enabled: @@ -33,10 +34,14 @@ class Test_directoryservice_supported_mfa_radius_enabled: directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, radius_settings=None, 
@@ -60,10 +65,14 @@ class Test_directoryservice_supported_mfa_radius_enabled: directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, radius_settings=RadiusSettings( @@ -86,21 +95,27 @@ class Test_directoryservice_supported_mfa_radius_enabled: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Directory {directory_id} does not have Radius MFA enabled" + == f"Directory {directory_id} does not have Radius MFA enabled." ) def test_directory_radius_server_status_creating(self): directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, radius_settings=RadiusSettings( 
@@ -123,21 +138,27 @@ class Test_directoryservice_supported_mfa_radius_enabled: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Directory {directory_id} does not have Radius MFA enabled" + == f"Directory {directory_id} does not have Radius MFA enabled." ) def test_directory_radius_server_status_completed(self): directoryservice_client = mock.MagicMock directory_name = "test-directory" directory_id = "d-12345a1b2" + directory_arn = ( + f"arn:aws:ds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:directory/d-12345a1b2" + ) directoryservice_client.directories = { directory_name: Directory( name=directory_name, id=directory_id, + arn=directory_arn, type=DirectoryType.MicrosoftAD, region=AWS_REGION, radius_settings=RadiusSettings( @@ -160,9 +181,11 @@ class Test_directoryservice_supported_mfa_radius_enabled: assert len(result) == 1 assert result[0].resource_id == directory_id + assert result[0].resource_arn == directory_arn + assert result[0].resource_tags == [] assert result[0].region == AWS_REGION assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Directory {directory_id} have Radius MFA enabled" + == f"Directory {directory_id} have Radius MFA enabled." ) diff --git a/tests/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled_test.py b/tests/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled_test.py index 624ef662..b0e2e4cd 100644 --- a/tests/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled_test.py 
+++ b/tests/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled_test.py @@ -103,6 +103,8 @@ class Test_dynamodb_accelerator_cluster_encryption_enabled: ) assert result[0].resource_id == cluster["ClusterName"] assert result[0].resource_arn == cluster["ClusterArn"] + assert result[0].region == AWS_REGION + assert result[0].resource_tags == [] @mock_dax def test_dax_cluster_with_encryption(self): @@ -139,3 +141,5 @@ class Test_dynamodb_accelerator_cluster_encryption_enabled: assert search("has encryption at rest enabled", result[0].status_extended) assert result[0].resource_id == cluster["ClusterName"] assert result[0].resource_arn == cluster["ClusterArn"] + assert result[0].region == AWS_REGION + assert result[0].resource_tags == [] diff --git a/tests/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled_test.py b/tests/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled_test.py index f0cfae8a..b8561dff 100644 --- a/tests/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled_test.py +++ b/tests/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled_test.py @@ -106,6 +106,8 @@ class Test_dynamodb_tables_kms_cmk_encryption_enabled: assert search("KMS encryption enabled", result[0].status_extended) assert result[0].resource_id == table["TableName"] assert result[0].resource_arn == table["TableArn"] + assert result[0].region == AWS_REGION + assert result[0].resource_tags == [] @mock_dynamodb def test_dynamodb_table_default_encryption(self): 
@@ -146,3 +148,5 @@ class Test_dynamodb_tables_kms_cmk_encryption_enabled: assert search("DEFAULT encryption enabled", result[0].status_extended) assert result[0].resource_id == table["TableName"] assert result[0].resource_arn == table["TableArn"] + assert result[0].region == AWS_REGION + assert result[0].resource_tags == [] diff --git a/tests/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled_test.py b/tests/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled_test.py index 6bb32b52..1c89eab1 100644 --- a/tests/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled_test.py +++ b/tests/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled_test.py @@ -108,6 +108,8 @@ class Test_dynamodb_tables_pitr_enabled: ) assert result[0].resource_id == table["TableName"] assert result[0].resource_arn == table["TableArn"] + assert result[0].region == AWS_REGION + assert result[0].resource_tags == [] @mock_dynamodb def test_dynamodb_table_with_pitr(self): @@ -154,3 +156,5 @@ class Test_dynamodb_tables_pitr_enabled: ) assert result[0].resource_id == table["TableName"] assert result[0].resource_arn == table["TableArn"] + assert result[0].region == AWS_REGION + assert result[0].resource_tags == [] diff --git a/tests/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan_test.py b/tests/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan_test.py index 143a75a3..5ef1d4ae 100644 --- a/tests/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan_test.py +++ b/tests/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan_test.py 
@@ -190,5 +190,5 @@ class Test_ec2_elastic_ip_shodan: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Elastic IP {public_ip} listed in Shodan with open ports {str(ports)} and ISP {isp} in {country}. More info https://www.shodan.io/host/{public_ip}" + == f"Elastic IP {public_ip} listed in Shodan with open ports {str(ports)} and ISP {isp} in {country}. More info at https://www.shodan.io/host/{public_ip}." ) diff --git a/tests/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible_test.py b/tests/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible_test.py index 86eebc4c..4377f2cf 100644 --- a/tests/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible_test.py +++ b/tests/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible_test.py @@ -109,7 +109,7 @@ class Test_ecr_repositories_not_publicly_accessible: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Repository {repository_name} is not publicly accesible" + == f"Repository {repository_name} is not publicly accesible." ) assert result[0].resource_id == repository_name assert result[0].resource_arn == repository_arn @@ -149,7 +149,7 @@ class Test_ecr_repositories_not_publicly_accessible: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Repository {repository_name} policy may allow anonymous users to perform actions (Principal: '*')" + == f"Repository {repository_name} policy may allow anonymous users to perform actions (Principal: '*')." ) assert result[0].resource_id == repository_name assert result[0].resource_arn == repository_arn 
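Review bot: The PASS message asserted in the first ECR hunk still reads `is not publicly accesible.` — the commit re-punctuates the expected string but carries the misspelling over, so the test now pins the typo. Because this expected value must match the check's `status_extended` byte for byte, the check source (outside this diff) has to change in lockstep; with both touched together the assert becomes `== f"Repository {repository_name} is not publicly accessible."`. The `test_*` method containing this assert starts outside the hunk.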
diff --git a/tests/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled_test.py b/tests/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled_test.py index 16055c66..7bf073c6 100644 --- a/tests/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled_test.py +++ b/tests/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled_test.py @@ -97,7 +97,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"ECR repository {repository_name} has scan on push enabled" + == f"ECR repository {repository_name} has scan on push enabled." ) assert result[0].resource_id == repository_name assert result[0].resource_arn == repository_arn @@ -137,7 +137,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"ECR repository {repository_name} has scan on push disabled" + == f"ECR repository {repository_name} has scan on push disabled." ) assert result[0].resource_id == repository_name assert result[0].resource_arn == repository_arn diff --git a/tests/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets_test.py b/tests/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets_test.py index 40e03067..94904924 100644 --- a/tests/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets_test.py +++ b/tests/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets_test.py 
@@ -63,7 +63,7 @@ class Test_ecs_task_definitions_no_environment_secrets: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"No secrets found in variables of ECS task definition {task_name} with revision {task_revision}" + == f"No secrets found in variables of ECS task definition {task_name} with revision {task_revision}." ) assert result[0].resource_id == f"{task_name}:1" assert ( @@ -102,7 +102,7 @@ class Test_ecs_task_definitions_no_environment_secrets: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Potential secret found in variables of ECS task definition {task_name} with revision {task_revision} -> Secret Keyword on line 2" + == f"Potential secret found in variables of ECS task definition {task_name} with revision {task_revision} -> Secret Keyword on line 2." ) assert result[0].resource_id == f"{task_name}:1" assert ( diff --git a/tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py b/tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py index 90eeb2be..3ec7a404 100644 --- a/tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py +++ b/tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py @@ -36,7 +36,7 @@ class Test_emr_cluster_account_public_block_enabled: assert result[0].status == "PASS" assert ( result[0].status_extended - == "EMR Account has Block Public Access enabled" + == "EMR Account has Block Public Access enabled." ) def test_account_public_block_disabled(self): @@ -65,5 +65,5 @@ class Test_emr_cluster_account_public_block_enabled: assert result[0].status == "FAIL" assert ( result[0].status_extended - == "EMR Account has Block Public Access disabled" + == "EMR Account has Block Public Access disabled." ) 
diff --git a/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py b/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py index c52f06a4..01498aa4 100644 --- a/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py +++ b/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py @@ -199,7 +199,7 @@ class Test_emr_cluster_publicly_accesible: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"EMR Cluster {cluster_id} is not publicly accessible" + == f"EMR Cluster {cluster_id} is not publicly accessible." ) @mock_ec2 diff --git a/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py b/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py index 9466ab5e..b3a77bd3 100644 --- a/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py +++ b/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py @@ -68,7 +68,7 @@ class Test_fms_policy_compliant: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}" + == f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}." ) assert result[0].resource_id == "12345678901" assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901" 
@@ -113,7 +113,7 @@ class Test_fms_policy_compliant: assert len(result) == 1 assert result[0].status == "PASS" assert ( - result[0].status_extended == "FMS enabled with all compliant accounts" + result[0].status_extended == "FMS enabled with all compliant accounts." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" @@ -164,7 +164,7 @@ class Test_fms_policy_compliant: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}" + == f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}." ) assert result[0].resource_id == "12345678901" assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901" diff --git a/tests/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access_test.py b/tests/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access_test.py index a586e425..e5145fae 100644 --- a/tests/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access_test.py +++ b/tests/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access_test.py @@ -58,7 +58,7 @@ class Test_glacier_vaults_policy_public_access: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Vault {vault_name} does not have a policy" + == f"Vault {vault_name} does not have a policy." ) def test_vault_policy_pricipal_aws_list_asterisk(self): 
@@ -112,7 +112,7 @@ class Test_glacier_vaults_policy_public_access: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Vault {vault_name} has policy which allows access to everyone" + == f"Vault {vault_name} has policy which allows access to everyone." ) def test_vault_policy_pricipal_asterisk(self): @@ -166,7 +166,7 @@ class Test_glacier_vaults_policy_public_access: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Vault {vault_name} has policy which allows access to everyone" + == f"Vault {vault_name} has policy which allows access to everyone." ) def test_vault_policy_pricipal_canonical_user_asterisk(self): @@ -220,7 +220,7 @@ class Test_glacier_vaults_policy_public_access: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Vault {vault_name} has policy which allows access to everyone" + == f"Vault {vault_name} has policy which allows access to everyone." ) def test_vault_policy_private(self): @@ -278,5 +278,5 @@ class Test_glacier_vaults_policy_public_access: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Vault {vault_name} has policy which does not allow access to everyone" + == f"Vault {vault_name} has policy which does not allow access to everyone." ) diff --git a/tests/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed_test.py b/tests/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed_test.py index 631b4eb9..3f3afa6e 100644 --- a/tests/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed_test.py +++ b/tests/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed_test.py 
@@ -56,7 +56,7 @@ class Test_guardduty_centrally_managed: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"GuardDuty detector {DETECTOR_ID} is not centrally managed" + == f"GuardDuty detector {DETECTOR_ID} is not centrally managed." ) assert result[0].resource_id == DETECTOR_ID assert result[0].region == AWS_REGION @@ -91,7 +91,7 @@ class Test_guardduty_centrally_managed: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"GuardDuty detector {DETECTOR_ID} is centrally managed by account {AWS_ACCOUNT_NUMBER_ADMIN}" + == f"GuardDuty detector {DETECTOR_ID} is centrally managed by account {AWS_ACCOUNT_NUMBER_ADMIN}." ) assert result[0].resource_id == DETECTOR_ID assert result[0].region == AWS_REGION @@ -126,7 +126,7 @@ class Test_guardduty_centrally_managed: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"GuardDuty detector {DETECTOR_ID} is administrator account with 1 member accounts" + == f"GuardDuty detector {DETECTOR_ID} is administrator account with 1 member accounts." ) assert result[0].resource_id == DETECTOR_ID assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py b/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py index 0e86f7c8..cd0cc930 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py 
@@ -9,6 +9,7 @@ from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER = "123456789012" AWS_REGION = "us-east-1" +AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" class Test_iam_password_policy_expires_passwords_within_90_days_or_less: @@ -23,7 +24,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less: region_name=AWS_REGION, ), audited_account=AWS_ACCOUNT_NUMBER, - audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root", + audited_account_arn=AWS_ACCOUNT_ARN, audited_user_id=None, audited_partition="aws", audited_identity_arn=None, @@ -76,8 +77,11 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less: ) check = iam_password_policy_expires_passwords_within_90_days_or_less() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION assert search( "Password expiration is set lower than 90 days", result[0].status_extended, @@ -115,8 +119,11 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less: ) check = iam_password_policy_expires_passwords_within_90_days_or_less() result = check.execute() + assert len(result) == 1 assert result[0].status == "FAIL" assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION assert search( "Password expiration is set greater than 90 days", result[0].status_extended, 
@@ -154,8 +161,11 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less: ) check = iam_password_policy_expires_passwords_within_90_days_or_less() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION assert search( "Password expiration is set lower than 90 days", result[0].status_extended, diff --git a/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py b/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py index 75346eef..547f82da 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py @@ -8,6 +8,8 @@ from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" +AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" class Test_iam_password_policy_lowercase: @@ -66,12 +68,15 @@ class Test_iam_password_policy_lowercase: check = iam_password_policy_lowercase() result = check.execute() + assert len(result) == 1 assert result[0].status == "FAIL" assert search( "IAM password policy does not require at least one lowercase letter.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION @mock_iam def test_iam_password_policy_lowercase_flag(self): 
@@ -97,9 +102,12 @@ class Test_iam_password_policy_lowercase: check = iam_password_policy_lowercase() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" assert search( "IAM password policy requires at least one lowercase letter.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py b/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py index 3caa3364..6f6a4727 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py @@ -8,6 +8,8 @@ from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" +AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" class Test_iam_password_policy_minimum_length_14: @@ -66,12 +68,15 @@ class Test_iam_password_policy_minimum_length_14: check = iam_password_policy_minimum_length_14() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" assert search( "IAM password policy requires minimum length of 14 characters.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION @mock_iam def test_iam_password_policy_minimum_length_greater_14(self): 
@@ -97,12 +102,15 @@ class Test_iam_password_policy_minimum_length_14: check = iam_password_policy_minimum_length_14() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" assert search( "IAM password policy requires minimum length of 14 characters.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION @mock_iam def test_iam_password_policy_minimum_length_less_14(self): @@ -128,9 +136,12 @@ class Test_iam_password_policy_minimum_length_14: check = iam_password_policy_minimum_length_14() result = check.execute() + assert len(result) == 1 assert result[0].status == "FAIL" assert search( "IAM password policy does not require minimum length of 14 characters.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py b/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py index 0b728cf0..2b3b1770 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py @@ -8,6 +8,8 @@ from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" +AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" class Test_iam_password_policy_number: 
@@ -66,12 +68,15 @@ class Test_iam_password_policy_number: check = iam_password_policy_number() result = check.execute() + assert len(result) == 1 assert result[0].status == "FAIL" assert search( "IAM password policy does not require at least one number.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION @mock_iam def test_iam_password_policy_number_flag(self): @@ -97,9 +102,12 @@ class Test_iam_password_policy_number: check = iam_password_policy_number() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" assert search( "IAM password policy requires at least one number.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py b/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py index 6e49e3ac..33bc631a 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py @@ -7,6 +7,8 @@ from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" +AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" class Test_iam_password_policy_reuse_24: 
@@ -64,7 +66,15 @@ class Test_iam_password_policy_reuse_24: check = iam_password_policy_reuse_24() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "IAM password policy reuse prevention is equal to 24." + ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION @mock_iam def test_iam_password_policy_reuse_prevention_less_24(self): @@ -89,4 +99,12 @@ class Test_iam_password_policy_reuse_24: check = iam_password_policy_reuse_24() result = check.execute() + assert len(result) == 1 assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "IAM password policy reuse prevention is less than 24 or not set." + ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py b/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py index 87a68c8d..b652ab6f 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py @@ -8,6 +8,8 @@ from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" +AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" class Test_iam_password_policy_symbol: 
@@ -66,12 +68,15 @@ class Test_iam_password_policy_symbol: check = iam_password_policy_symbol() result = check.execute() + assert len(result) == 1 assert result[0].status == "FAIL" assert search( "IAM password policy does not require at least one symbol.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION @mock_iam def test_iam_password_policy_symbol_flag(self): @@ -97,9 +102,12 @@ class Test_iam_password_policy_symbol: check = iam_password_policy_symbol() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" assert search( "IAM password policy requires at least one symbol.", result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py b/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py index 9e49d20c..767c46e4 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py @@ -7,6 +7,8 @@ from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info from prowler.providers.common.models import Audit_Metadata AWS_ACCOUNT_NUMBER = "123456789012" +AWS_REGION = "us-east-1" +AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" class Test_iam_password_policy_uppercase: 
@@ -64,7 +66,15 @@ class Test_iam_password_policy_uppercase: check = iam_password_policy_uppercase() result = check.execute() + assert len(result) == 1 assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "IAM password policy does not require at least one uppercase letter." + ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION @mock_iam def test_iam_password_policy_uppercase_flag(self): @@ -89,4 +99,12 @@ class Test_iam_password_policy_uppercase: check = iam_password_policy_uppercase() result = check.execute() + assert len(result) == 1 assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "IAM password policy requires at least one uppercase letter." + ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation_test.py b/tests/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation_test.py index 89b34f43..08f7ebba 100644 --- a/tests/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation_test.py +++ b/tests/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation_test.py @@ -190,7 +190,7 @@ class Test_iam_policy_allows_privilege_escalation: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Custom Policy {policy_arn} does not allow privilege escalation" + == f"Custom Policy {policy_arn} does not allow privilege escalation." ) assert result[0].resource_id == policy_name assert result[0].resource_arn == policy_arn 
@@ -236,7 +236,7 @@ class Test_iam_policy_allows_privilege_escalation: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Custom Policy {policy_arn} does not allow privilege escalation" + == f"Custom Policy {policy_arn} does not allow privilege escalation." ) assert result[0].resource_id == policy_name assert result[0].resource_arn == policy_arn @@ -293,7 +293,7 @@ class Test_iam_policy_allows_privilege_escalation: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Custom Policy {policy_arn} does not allow privilege escalation" + == f"Custom Policy {policy_arn} does not allow privilege escalation." ) assert result[0].resource_id == policy_name assert result[0].resource_arn == policy_arn @@ -655,7 +655,7 @@ class Test_iam_policy_allows_privilege_escalation: assert finding.resource_arn == policy_arn_1 assert ( finding.status_extended - == f"Custom Policy {policy_arn_1} does not allow privilege escalation" + == f"Custom Policy {policy_arn_1} does not allow privilege escalation." ) if finding.resource_id == policy_name_2: 
@@ -768,3 +768,66 @@ class Test_iam_policy_allows_privilege_escalation: assert search("iam:PassRole", finding.status_extended) assert search("lambda:InvokeFunction", finding.status_extended) assert search("lambda:CreateFunction", finding.status_extended) + + @mock_iam + def test_iam_policy_allows_privilege_escalation_over_permissive_policy( + self, + ): + current_audit_info = self.set_mocked_audit_info() + iam_client = client("iam", region_name=AWS_REGION) + policy_name_1 = "privileged_policy_1" + policy_document_1 = { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement01", + "Effect": "Allow", + "Action": [ + "s3:*", + "ec2:*", + "ecr:*", + "iam:*", + "rds:*", + "dynamodb:*", + "route53:*", + "sns:*", + "sqs:*", + ], + "Resource": "*", + } + ], + } + + policy_arn_1 = iam_client.create_policy( + PolicyName=policy_name_1, PolicyDocument=dumps(policy_document_1) + )["Policy"]["Arn"] + + from prowler.providers.aws.services.iam.iam_service import IAM + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( + "prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client", + new=IAM(current_audit_info), + ): + # Test Check + from prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation import ( + iam_policy_allows_privilege_escalation, + ) + + check = iam_policy_allows_privilege_escalation() + result = check.execute() + assert len(result) == 1 + for finding in result: + if finding.resource_id == policy_name_1: + assert finding.status == "FAIL" + assert finding.resource_arn == policy_arn_1 + + assert search( + f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions: ", + finding.status_extended, + ) + + assert search("iam:PassRole", finding.status_extended) + assert search("ec2:RunInstances", finding.status_extended) 
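Review bot: The assertions in the new test_iam_policy_allows_privilege_escalation_over_permissive_policy run only inside `if finding.resource_id == policy_name_1:`, so a finding whose resource_id differs would let the test pass with no status checked at all. Since `assert len(result) == 1` is already asserted, check the single finding directly and drop the for/if wrapper: `finding = result[0]` followed by `assert finding.resource_id == policy_name_1`, then the existing status, resource_arn and search assertions at one indentation level less. The method body is complete inside the hunk.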
diff --git a/tests/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail_test.py b/tests/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail_test.py index 9f076e3b..8d7515c1 100644 --- a/tests/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail_test.py +++ b/tests/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail_test.py @@ -74,7 +74,7 @@ class Test_iam_policy_no_full_access_to_cloudtrail: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Custom Policy {policy_name} allows 'cloudtrail:*' privileges" + == f"Custom Policy {policy_name} allows 'cloudtrail:*' privileges." ) assert result[0].resource_id == "policy_cloudtrail_full" assert result[0].resource_arn == arn @@ -113,7 +113,7 @@ class Test_iam_policy_no_full_access_to_cloudtrail: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Custom Policy {policy_name} does not allow 'cloudtrail:*' privileges" + == f"Custom Policy {policy_name} does not allow 'cloudtrail:*' privileges." ) assert result[0].resource_id == "policy_no_cloudtrail_full" assert result[0].resource_arn == arn @@ -156,7 +156,7 @@ class Test_iam_policy_no_full_access_to_cloudtrail: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Custom Policy {policy_name} allows 'cloudtrail:*' privileges" + == f"Custom Policy {policy_name} allows 'cloudtrail:*' privileges." ) assert result[0].resource_id == "policy_mixed" assert result[0].resource_arn == arn diff --git a/tests/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms_test.py b/tests/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms_test.py index 60c337a6..80fdb406 100644 
--- a/tests/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms_test.py +++ b/tests/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms_test.py @@ -74,7 +74,7 @@ class Test_iam_policy_no_full_access_to_kms: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Custom Policy {policy_name} allows 'kms:*' privileges" + == f"Custom Policy {policy_name} allows 'kms:*' privileges." ) assert result[0].resource_id == "policy_kms_full" assert result[0].resource_arn == arn @@ -113,7 +113,7 @@ class Test_iam_policy_no_full_access_to_kms: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Custom Policy {policy_name} does not allow 'kms:*' privileges" + == f"Custom Policy {policy_name} does not allow 'kms:*' privileges." ) assert result[0].resource_id == "policy_no_kms_full" assert result[0].resource_arn == arn @@ -152,7 +152,7 @@ class Test_iam_policy_no_full_access_to_kms: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Custom Policy {policy_name} allows 'kms:*' privileges" + == f"Custom Policy {policy_name} allows 'kms:*' privileges." ) assert result[0].resource_id == "policy_mixed" assert result[0].resource_arn == arn diff --git a/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py b/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py index eb8f8ddb..bc707dc0 100644 --- a/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py +++ b/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py 
@@ -147,7 +147,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention: assert result[0].status == "FAIL" assert ( result[0].status_extended - == "IAM Service Role test does not prevent against a cross-service confused deputy attack" + == "IAM Service Role test does not prevent against a cross-service confused deputy attack." ) assert result[0].resource_id == "test" assert result[0].resource_arn == response["Role"]["Arn"] @@ -195,7 +195,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention: assert result[0].status == "PASS" assert ( result[0].status_extended - == "IAM Service Role test prevents against a cross-service confused deputy attack" + == "IAM Service Role test prevents against a cross-service confused deputy attack." ) assert result[0].resource_id == "test" assert result[0].resource_arn == response["Role"]["Arn"] @@ -245,7 +245,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention: assert result[0].status == "PASS" assert ( result[0].status_extended - == "IAM Service Role test prevents against a cross-service confused deputy attack" + == "IAM Service Role test prevents against a cross-service confused deputy attack." ) assert result[0].resource_id == "test" assert result[0].resource_arn == response["Role"]["Arn"] @@ -295,7 +295,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention: assert result[0].status == "PASS" assert ( result[0].status_extended - == "IAM Service Role test prevents against a cross-service confused deputy attack" + == "IAM Service Role test prevents against a cross-service confused deputy attack." ) assert result[0].resource_id == "test" assert result[0].resource_arn == response["Role"]["Arn"] 
@@ -345,7 +345,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention: assert result[0].status == "PASS" assert ( result[0].status_extended - == "IAM Service Role test prevents against a cross-service confused deputy attack" + == "IAM Service Role test prevents against a cross-service confused deputy attack." ) assert result[0].resource_id == "test" assert result[0].resource_arn == response["Role"]["Arn"] diff --git a/tests/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created_test.py b/tests/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created_test.py index dd4948d3..76df621b 100644 --- a/tests/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created_test.py +++ b/tests/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created_test.py @@ -84,7 +84,7 @@ class Test_iam_securityaudit_role_created: result = check.execute() assert result[0].status == "PASS" assert search( - f"SecurityAudit policy attached to role {role_name}", + f"SecurityAudit policy attached to role {role_name}.", result[0].status_extended, ) assert result[0].resource_id == "SecurityAudit" @@ -113,7 +113,7 @@ class Test_iam_securityaudit_role_created: assert result[0].status == "FAIL" assert ( result[0].status_extended - == "SecurityAudit policy is not attached to any role" + == "SecurityAudit policy is not attached to any role." ) assert result[0].resource_id == "SecurityAudit" assert result[0].resource_arn == "arn:aws:iam::aws:policy/SecurityAudit" diff --git a/tests/providers/aws/services/iam/iam_support_role_created/iam_support_role_created_test.py b/tests/providers/aws/services/iam/iam_support_role_created/iam_support_role_created_test.py index d2546a2c..c8244f48 100644 --- a/tests/providers/aws/services/iam/iam_support_role_created/iam_support_role_created_test.py 
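Review bot: In the iam_securityaudit_role_created hunk at -84, the expected string `f"SecurityAudit policy attached to role {role_name}."` is passed to `search`, and if that is `re.search` as its argument order suggests, the unescaped trailing `.` is a wildcard, so the assertion does not actually verify the period this commit adds. Either compare with equality like the sibling assertions, `assert result[0].status_extended == f"SecurityAudit policy attached to role {role_name}."`, or wrap the pattern in `re.escape(...)`. The same applies to the iam_support_role_created hunk at -83 and the organizations_scp_check_deny_regions hunk at -197, where `please check config.` replaced `config...` but the final `.` still matches any character.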
+++ b/tests/providers/aws/services/iam/iam_support_role_created/iam_support_role_created_test.py @@ -83,7 +83,7 @@ class Test_iam_support_role_created: result = check.execute() assert result[0].status == "PASS" assert search( - f"Support policy attached to role {role_name}", + f"Support policy attached to role {role_name}.", result[0].status_extended, ) assert result[0].resource_id == "AWSSupportServiceRolePolicy" @@ -113,7 +113,7 @@ class Test_iam_support_role_created: assert result[0].status == "FAIL" assert ( result[0].status_extended - == "Support policy is not attached to any role" + == "Support policy is not attached to any role." ) assert result[0].resource_id == "AWSSupportServiceRolePolicy" assert ( diff --git a/tests/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist_test.py b/tests/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist_test.py index cb87aa75..099fe29d 100644 --- a/tests/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist_test.py +++ b/tests/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist_test.py @@ -68,7 +68,9 @@ class Test_inspector2_findings_exist: assert len(result) == 1 assert result[0].status == "PASS" - assert result[0].status_extended == "Inspector2 is enabled with no findings" + assert ( + result[0].status_extended == "Inspector2 is enabled with no findings." + ) assert result[0].resource_id == AWS_ACCOUNT_ID assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_ID}:root" assert result[0].region == AWS_REGION @@ -112,7 +114,7 @@ class Test_inspector2_findings_exist: assert result[0].status == "PASS" assert ( result[0].status_extended - == "Inspector2 is enabled with no active findings" + == "Inspector2 is enabled with no active findings." ) assert result[0].resource_id == AWS_ACCOUNT_ID assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_ID}:root" 
diff --git a/tests/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible_test.py b/tests/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible_test.py index 50fbd7d4..5d4f3f5d 100644 --- a/tests/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible_test.py +++ b/tests/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible_test.py @@ -147,7 +147,7 @@ class Test_kms_key_not_publicly_accessible: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"KMS key {key['KeyId']} may be publicly accessible!" + == f"KMS key {key['KeyId']} may be publicly accessible." ) assert result[0].resource_id == key["KeyId"] assert result[0].resource_arn == key["Arn"] diff --git a/tests/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible_test.py b/tests/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible_test.py index 8238d6a7..3d673925 100644 --- a/tests/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible_test.py +++ b/tests/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible_test.py @@ -116,7 +116,7 @@ class Test_opensearch_service_domains_not_publicly_accessible: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Opensearch domain {domain_name} does not allow anonymous access" + == f"Opensearch domain {domain_name} does not allow anonymous access." ) assert result[0].resource_id == domain_name assert result[0].resource_arn == domain_arn 
@@ -148,7 +148,7 @@ class Test_opensearch_service_domains_not_publicly_accessible: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Opensearch domain {domain_name} policy allows access (Principal: '*')" + == f"Opensearch domain {domain_name} policy allows access (Principal: '*')." ) assert result[0].resource_id == domain_name assert result[0].resource_arn == domain_arn @@ -180,7 +180,7 @@ class Test_opensearch_service_domains_not_publicly_accessible: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Opensearch domain {domain_name} policy allows access (Principal: '*')" + == f"Opensearch domain {domain_name} policy allows access (Principal: '*')." ) assert result[0].resource_id == domain_name assert result[0].resource_arn == domain_arn @@ -212,7 +212,7 @@ class Test_opensearch_service_domains_not_publicly_accessible: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Opensearch domain {domain_name} policy allows access (Principal: '*') and network *" + == f"Opensearch domain {domain_name} policy allows access (Principal: '*') and network *." ) assert result[0].resource_id == domain_name assert result[0].resource_arn == domain_arn @@ -244,7 +244,7 @@ class Test_opensearch_service_domains_not_publicly_accessible: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Opensearch domain {domain_name} policy allows access (Principal: '*') and network 0.0.0.0/0" + == f"Opensearch domain {domain_name} policy allows access (Principal: '*') and network 0.0.0.0/0." ) assert result[0].resource_id == domain_name assert result[0].resource_arn == domain_arn diff --git a/tests/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions_test.py b/tests/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions_test.py index bd826135..145687e8 100644 
--- a/tests/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions_test.py +++ b/tests/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions_test.py @@ -197,7 +197,7 @@ class Test_organizations_scp_check_deny_regions: assert result[0].resource_id == response["Organization"]["Id"] assert result[0].resource_arn == response["Organization"]["Arn"] assert search( - "restricting some AWS Regions, but not all the configured ones, please check config...", + "restricting some AWS Regions, but not all the configured ones, please check config.", result[0].status_extended, ) assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached_test.py b/tests/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached_test.py index 504a155a..a451960d 100644 --- a/tests/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached_test.py +++ b/tests/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached_test.py @@ -82,7 +82,7 @@ class Test_organizations_tags_policies_enabled_and_attached: assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organizations is not in-use for this AWS Account" + == "AWS Organizations is not in-use for this AWS Account." ) assert result[0].resource_id == "AWS Organization" assert result[0].resource_arn == "" 
@@ -133,7 +133,7 @@ class Test_organizations_tags_policies_enabled_and_attached: assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has tag policies enabled but not attached" + == "AWS Organization o-1234567890 has tag policies enabled but not attached." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -187,7 +187,7 @@ class Test_organizations_tags_policies_enabled_and_attached: assert result[0].status == "PASS" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has tag policies enabled and attached to an AWS account" + == "AWS Organization o-1234567890 has tag policies enabled and attached to an AWS account." ) assert result[0].resource_id == "o-1234567890" assert ( diff --git a/tests/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found_test.py b/tests/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found_test.py index 03ca9927..10e15e52 100644 --- a/tests/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found_test.py +++ b/tests/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found_test.py @@ -68,7 +68,7 @@ class Test_resourceexplorer2_indexes_found: # Assertions assert len(result) == 1 assert result[0].status == "FAIL" - assert result[0].status_extended == "No Resource Explorer Indexes found" + assert result[0].status_extended == "No Resource Explorer Indexes found." assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" assert result[0].region == AWS_REGION 
@@ -98,7 +98,7 @@ class Test_resourceexplorer2_indexes_found: # Assertions assert len(result) == 1 assert result[0].status == "PASS" - assert result[0].status_extended == "Resource Explorer Indexes found: 1" + assert result[0].status_extended == "Resource Explorer Indexes found: 1." assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_arn == INDEX_ARN assert result[0].region == AWS_REGION diff --git a/tests/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled_test.py b/tests/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled_test.py index f7620712..4466a0c6 100644 --- a/tests/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled_test.py +++ b/tests/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled_test.py @@ -51,7 +51,7 @@ class Test_route53_domains_privacy_protection_enabled: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Contact information is public for the {domain_name} domain" + == f"Contact information is public for the {domain_name} domain." ) def test_domain_privacy_protection_enabled(self): @@ -79,5 +79,5 @@ class Test_route53_domains_privacy_protection_enabled: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Contact information is private for the {domain_name} domain" + == f"Contact information is private for the {domain_name} domain." ) diff --git a/tests/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled_test.py b/tests/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled_test.py index 7ca8c934..01122a00 100644 
--- a/tests/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled_test.py +++ b/tests/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled_test.py @@ -54,7 +54,7 @@ class Test_route53_domains_transferlock_enabled: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Transfer Lock is disabled for the {domain_name} domain" + == f"Transfer Lock is disabled for the {domain_name} domain." ) def test_domain_transfer_lock_enabled(self): @@ -87,5 +87,5 @@ class Test_route53_domains_transferlock_enabled: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Transfer Lock is enabled for the {domain_name} domain" + == f"Transfer Lock is enabled for the {domain_name} domain." ) diff --git a/tests/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled_test.py b/tests/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled_test.py index db5a1c32..20202170 100644 --- a/tests/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled_test.py +++ b/tests/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled_test.py @@ -72,7 +72,7 @@ class Test_route53_public_hosted_zones_cloudwatch_logging_enabled: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Route53 Public Hosted Zone {hosted_zone_id} has query logging enabled in Log Group {log_group_arn}" + == f"Route53 Public Hosted Zone {hosted_zone_id} has query logging enabled in Log Group {log_group_arn}." ) def test_hosted_zone__public_logging_disabled(self): 
@@ -110,7 +110,7 @@ class Test_route53_public_hosted_zones_cloudwatch_logging_enabled: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Route53 Public Hosted Zone {hosted_zone_id} has query logging disabled" + == f"Route53 Public Hosted Zone {hosted_zone_id} has query logging disabled." ) def test_hosted_zone__private(self): diff --git a/tests/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips_test.py b/tests/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips_test.py index 59bbff96..17cb870b 100644 --- a/tests/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips_test.py +++ b/tests/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips_test.py @@ -134,7 +134,7 @@ class Test_shield_advanced_protection_in_associated_elastic_ips: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Elastic IP {allocation_id} is protected by AWS Shield Advanced" + == f"Elastic IP {allocation_id} is protected by AWS Shield Advanced." ) @mock_ec2 @@ -178,7 +178,7 @@ class Test_shield_advanced_protection_in_associated_elastic_ips: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Elastic IP {allocation_id} is not protected by AWS Shield Advanced" + == f"Elastic IP {allocation_id} is not protected by AWS Shield Advanced." ) @mock_ec2 diff --git a/tests/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers_test.py b/tests/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers_test.py index af830707..68cc6637 100644 
--- a/tests/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers_test.py +++ b/tests/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers_test.py @@ -137,7 +137,7 @@ class Test_shield_advanced_protection_in_classic_load_balancers: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"ELB {elb_name} is protected by AWS Shield Advanced" + == f"ELB {elb_name} is protected by AWS Shield Advanced." ) @mock_elb @@ -196,7 +196,7 @@ class Test_shield_advanced_protection_in_classic_load_balancers: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"ELB {elb_name} is not protected by AWS Shield Advanced" + == f"ELB {elb_name} is not protected by AWS Shield Advanced." ) @mock_elb diff --git a/tests/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions_test.py b/tests/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions_test.py index 24f7ae71..0f3bbda9 100644 --- a/tests/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions_test.py +++ b/tests/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions_test.py @@ -82,7 +82,7 @@ class Test_shield_advanced_protection_in_cloudfront_distributions: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"CloudFront distribution {distribution_id} is protected by AWS Shield Advanced" + == f"CloudFront distribution {distribution_id} is protected by AWS Shield Advanced." ) def test_shield_enabled_cloudfront_not_protected(self): 
@@ -126,7 +126,7 @@ class Test_shield_advanced_protection_in_cloudfront_distributions: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"CloudFront distribution {distribution_id} is not protected by AWS Shield Advanced" + == f"CloudFront distribution {distribution_id} is not protected by AWS Shield Advanced." ) def test_shield_disabled_cloudfront_not_protected(self): diff --git a/tests/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators_test.py b/tests/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators_test.py index 45436e6b..77f8ecda 100644 --- a/tests/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators_test.py +++ b/tests/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators_test.py @@ -86,7 +86,7 @@ class Test_shield_advanced_protection_in_global_accelerators: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Global Accelerator {accelerator_id} is protected by AWS Shield Advanced" + == f"Global Accelerator {accelerator_id} is protected by AWS Shield Advanced." ) def test_shield_enabled_globalaccelerator_not_protected(self): @@ -132,7 +132,7 @@ class Test_shield_advanced_protection_in_global_accelerators: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Global Accelerator {accelerator_id} is not protected by AWS Shield Advanced" + == f"Global Accelerator {accelerator_id} is not protected by AWS Shield Advanced." ) def test_shield_disabled_globalaccelerator_not_protected(self): 
diff --git a/tests/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers_test.py b/tests/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers_test.py index 77cc72c5..44d756cb 100644 --- a/tests/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers_test.py +++ b/tests/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers_test.py @@ -158,7 +158,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"ELBv2 ALB {lb_name} is protected by AWS Shield Advanced" + == f"ELBv2 ALB {lb_name} is protected by AWS Shield Advanced." ) @mock_ec2 @@ -289,7 +289,7 @@ class Test_shield_advanced_protection_in_internet_facing_load_balancers: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"ELBv2 ALB {lb_name} is not protected by AWS Shield Advanced" + == f"ELBv2 ALB {lb_name} is not protected by AWS Shield Advanced." ) @mock_ec2 diff --git a/tests/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones_test.py b/tests/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones_test.py index 41bd7104..e0c28602 100644 --- a/tests/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones_test.py +++ b/tests/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones_test.py 
@@ -91,7 +91,7 @@ class Test_shield_advanced_protection_in_route53_hosted_zones: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Route53 Hosted Zone {hosted_zone_id} is protected by AWS Shield Advanced" + == f"Route53 Hosted Zone {hosted_zone_id} is protected by AWS Shield Advanced." ) def test_shield_enabled_route53_hosted_zone_not_protected(self): @@ -143,7 +143,7 @@ class Test_shield_advanced_protection_in_route53_hosted_zones: assert result[0].status == "FAIL" assert ( result[0].status_extended - == f"Route53 Hosted Zone {hosted_zone_id} is not protected by AWS Shield Advanced" + == f"Route53 Hosted Zone {hosted_zone_id} is not protected by AWS Shield Advanced." ) def test_shield_disabled_route53_hosted_zone_not_protected(self): diff --git a/tests/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible_test.py b/tests/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible_test.py index 2501db7f..0f45f52f 100644 --- a/tests/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible_test.py +++ b/tests/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible_test.py @@ -97,7 +97,7 @@ class Test_sns_topics_not_publicly_accessible: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"SNS topic {topic_name} is not publicly accesible" + == f"SNS topic {topic_name} is not publicly accesible." ) assert result[0].resource_id == topic_name assert result[0].resource_arn == topic_arn @@ -124,7 +124,7 @@ class Test_sns_topics_not_publicly_accessible: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"SNS topic {topic_name} is not publicly accesible" + == f"SNS topic {topic_name} is not publicly accesible." ) assert result[0].resource_id == topic_name assert result[0].resource_arn == topic_arn 
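Review bot: The sns_topics_not_publicly_accessible hunks at -97 and -124 keep the misspelling in `f"SNS topic {topic_name} is not publicly accesible."` while touching the line; since the test pins the exact message, the typo presumably mirrors the check's status_extended and should be corrected in the check and here together, `f"SNS topic {topic_name} is not publicly accessible."`. Leaving it as is means a later spelling fix in the check silently breaks this test.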
@@ -157,7 +157,7 @@ class Test_sns_topics_not_publicly_accessible:
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"SNS topic {topic_name} is not public because its policy only allows access from the same account"
+ == f"SNS topic {topic_name} is not public because its policy only allows access from the same account."
 )
 assert result[0].resource_id == topic_name
 assert result[0].resource_arn == topic_arn
@@ -190,7 +190,7 @@ class Test_sns_topics_not_publicly_accessible:
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"SNS topic {topic_name} is not public because its policy only allows access from the same account"
+ == f"SNS topic {topic_name} is not public because its policy only allows access from the same account."
 )
 assert result[0].resource_id == topic_name
 assert result[0].resource_arn == topic_arn
@@ -222,7 +222,7 @@ class Test_sns_topics_not_publicly_accessible:
 assert result[0].status == "FAIL"
 assert (
 result[0].status_extended
- == f"SNS topic {topic_name} is public because its policy allows public access"
+ == f"SNS topic {topic_name} is public because its policy allows public access."
 )
 assert result[0].resource_id == topic_name
 assert result[0].resource_arn == topic_arn
diff --git a/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py b/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py
index 0e1ff6b6..6d547317 100644
--- a/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py
+++ b/tests/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible_test.py
@@ -202,7 +202,7 @@ class Test_sqs_queues_not_publicly_accessible:
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"SQS queue {queue_id} is not public because its policy only allows access from the same account"
+ == f"SQS queue {queue_id} is not public because its policy only allows access from the same account."
 )
 assert result[0].resource_id == queue_id
 assert result[0].resource_arn == "arn_test"
diff --git a/tests/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets_test.py b/tests/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets_test.py
index 1f0c3e6e..2ebfd33e 100644
--- a/tests/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets_test.py
+++ b/tests/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets_test.py
@@ -60,7 +60,7 @@ class Test_ssm_documents_secrets:
 assert result[0].status == "FAIL"
 assert (
 result[0].status_extended
- == f"Potential secret found in SSM Document {document_name} -> Secret Keyword on line 2"
+ == f"Potential secret found in SSM Document {document_name} -> Secret Keyword on line 2."
 )
 
 def test_document_no_secrets(self):
@@ -98,5 +98,5 @@ class Test_ssm_documents_secrets:
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"No secrets found in SSM Document {document_name}"
+ == f"No secrets found in SSM Document {document_name}."
 )
diff --git a/tests/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public_test.py b/tests/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public_test.py
index e38abe0a..4216b62f 100644
--- a/tests/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public_test.py
+++ b/tests/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public_test.py
@@ -59,7 +59,7 @@ class Test_ssm_documents_set_as_public:
 assert result[0].resource_arn == document_arn
 assert result[0].status == "FAIL"
 assert (
- result[0].status_extended == f"SSM Document {document_name} is public"
+ result[0].status_extended == f"SSM Document {document_name} is public."
 )
 
 def test_document_not_public(self):
@@ -97,5 +97,5 @@ class Test_ssm_documents_set_as_public:
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"SSM Document {document_name} is not public"
+ == f"SSM Document {document_name} is not public."
 )
diff --git a/tests/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions_test.py b/tests/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions_test.py
index 0930d0c3..7856c206 100644
--- a/tests/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions_test.py
+++ b/tests/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions_test.py
@@ -109,6 +109,6 @@ class Test_vpc_different_regions:
 assert len(result) == 1
 assert result[0].status == "FAIL"
 assert result[0].region == "us-east-1"
- assert result[0].status_extended == "VPCs found only in one region"
+ assert result[0].status_extended == "VPCs found only in one region."
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
 assert result[0].resource_tags == []
diff --git a/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py b/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py
index 0388eadc..d8a94dfb 100644
--- a/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py
+++ b/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py
@@ -83,7 +83,7 @@ class Test_vpc_subnet_separate_private_public:
 assert result.status == "FAIL"
 assert (
 result.status_extended
- == f"VPC subnet {subnet_private['Subnet']['SubnetId']} assigns public IP by default"
+ == f"VPC subnet {subnet_private['Subnet']['SubnetId']} assigns public IP by default."
 )
 
 @mock_ec2
@@ -127,5 +127,5 @@ class Test_vpc_subnet_separate_private_public:
 assert result.status == "PASS"
 assert (
 result.status_extended
- == f"VPC subnet {subnet_private['Subnet']['SubnetId']} does NOT assign public IP by default"
+ == f"VPC subnet {subnet_private['Subnet']['SubnetId']} does NOT assign public IP by default."
 )