From 512d3e018fa581eef63f98e994beb1c92c5a76de Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Tue, 14 Nov 2023 08:00:17 +0100
Subject: [PATCH] chore(accessanalyzer): include service in allowlist_non_default_regions (#3025)
---
 prowler/config/config.yaml | 2 +-
 .../accessanalyzer_enabled.py | 26 ++++++++-----
 .../accessanalyzer_enabled_test.py | 39 +++++++++++++++++++
 3 files changed, 56 insertions(+), 11 deletions(-)
diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml
index 89568e77..86a03b5a 100644
--- a/prowler/config/config.yaml
+++ b/prowler/config/config.yaml
@@ -2,7 +2,7 @@ aws:
 # AWS Global Configuration
- # aws.allowlist_non_default_regions --> Set to True to allowlist failed findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
+ # aws.allowlist_non_default_regions --> Set to True to allowlist failed findings in non-default regions for AccessAnalyzer, GuardDuty, SecurityHub, DRS and Config
 allowlist_non_default_regions: False
 # If you want to allowlist/mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w allowlist.yaml`:
 # Allowlist:
diff --git a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py
index 608cfe18..2b51630b 100644
--- a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py
+++ b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py
@@ -19,17 +19,23 @@ class accessanalyzer_enabled(Check):
 f"IAM Access Analyzer {analyzer.name} is enabled."
 )
- elif analyzer.status == "NOT_AVAILABLE":
- report.status = "FAIL"
- report.status_extended = (
- f"IAM Access Analyzer in account {analyzer.name} is not enabled."
- )
- else:
- report.status = "FAIL"
- report.status_extended = (
- f"IAM Access Analyzer {analyzer.name} is not active."
- )
+ if analyzer.status == "NOT_AVAILABLE":
+ report.status = "FAIL"
+ report.status_extended = f"IAM Access Analyzer in account {analyzer.name} is not enabled."
+
+ else:
+ report.status = "FAIL"
+ report.status_extended = (
+ f"IAM Access Analyzer {analyzer.name} is not active."
+ )
+ if (
+ accessanalyzer_client.audit_config.get(
+ "allowlist_non_default_regions", False
+ )
+ and not analyzer.region == accessanalyzer_client.region
+ ):
+ report.status = "WARNING"
 findings.append(report)
diff --git a/tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py b/tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py
index 17f35627..3a0178e9 100644
--- a/tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py
+++ b/tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py
@@ -33,6 +33,7 @@ class Test_accessanalyzer_enabled:
 def test_one_analyzer_not_available(self):
 # Include analyzers to check
 accessanalyzer_client = mock.MagicMock
+ accessanalyzer_client.region = AWS_REGION_1
 accessanalyzer_client.analyzers = [
 Analyzer(
 arn=AWS_ACCOUNT_ARN,
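Review bot: Replacing `elif analyzer.status == "NOT_AVAILABLE":` with a bare `if` detaches this block from the ACTIVE branch that closes at the `)` context line; unless the new `if`/`else` and the allowlist check are nested under an `else:` of that branch (indentation is not recoverable from this patch), the `else` arm would overwrite an ACTIVE analyzer's PASS with "is not active", so please confirm the PASS case in `test_two_analyzers` still holds with the new layout. On style, `and not analyzer.region == accessanalyzer_client.region` reads more directly as `and analyzer.region != accessanalyzer_client.region`. A why-comment above the `if (` would help the next reader, e.g. `# allowlist_non_default_regions: a missing analyzer in a region other than accessanalyzer_client.region is downgraded to WARNING instead of FAIL; the finding is still emitted.` The enclosing method starts and ends outside the hunk.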
@@ -65,8 +66,46 @@ class Test_accessanalyzer_enabled:
 assert result[0].region == AWS_REGION_1
 assert result[0].resource_tags == []
+ def test_one_analyzer_not_available_allowlisted(self):
+ # Include analyzers to check
+ accessanalyzer_client = mock.MagicMock
+ accessanalyzer_client.region = AWS_REGION_2
+ accessanalyzer_client.audit_config = {"allowlist_non_default_regions": True}
+ accessanalyzer_client.analyzers = [
+ Analyzer(
+ arn=AWS_ACCOUNT_ARN,
+ name=AWS_ACCOUNT_NUMBER,
+ status="NOT_AVAILABLE",
+ tags=[],
+ type="",
+ region=AWS_REGION_1,
+ )
+ ]
+ with mock.patch(
+ "prowler.providers.aws.services.accessanalyzer.accessanalyzer_service.AccessAnalyzer",
+ accessanalyzer_client,
+ ):
+ from prowler.providers.aws.services.accessanalyzer.accessanalyzer_enabled.accessanalyzer_enabled import (
+ accessanalyzer_enabled,
+ )
+
+ check = accessanalyzer_enabled()
+ result = check.execute()
+
+ assert len(result) == 1
+ assert result[0].status == "WARNING"
+ assert (
+ result[0].status_extended
+ == f"IAM Access Analyzer in account {AWS_ACCOUNT_NUMBER} is not enabled."
+ )
+ assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+ assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert result[0].region == AWS_REGION_1
+ assert result[0].resource_tags == []
+
 def test_two_analyzers(self):
 accessanalyzer_client = mock.MagicMock
+ accessanalyzer_client.region = AWS_REGION_1
 accessanalyzer_client.analyzers = [
 Analyzer(
 arn=AWS_ACCOUNT_ARN,
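Review bot: `accessanalyzer_client.audit_config = {"allowlist_non_default_regions": True}` in test_one_analyzer_not_available_allowlisted is assigned on `mock.MagicMock` itself (`accessanalyzer_client = mock.MagicMock` binds the class, not an instance), so the dict persists as a class attribute for every later test in the session. `test_two_analyzers` only sets `region` and never `audit_config`, so if any of its non-ACTIVE analyzers sits in a region other than AWS_REGION_1 (its body continues outside the hunk), whether it comes back FAIL or WARNING depends on test ordering. Each test that exercises a non-ACTIVE analyzer should pin the config explicitly, e.g. `accessanalyzer_client.audit_config = {"allowlist_non_default_regions": False}` next to the `region` assignment here and in the `@@ -33,6 +33,7 @@` hunk for `test_one_analyzer_not_available`, which adds only `region`.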