chore(accessanalyzer): include service in allowlist_non_default_regions (#3025)

prowler/config/config.yaml

@@ -2,7 +2,7 @@
 aws:
 
   # AWS Global Configuration
-  # aws.allowlist_non_default_regions --> Set to True to allowlist failed findings in non-default regions for GuardDuty, SecurityHub, DRS and Config
+  # aws.allowlist_non_default_regions --> Set to True to allowlist failed findings in non-default regions for AccessAnalyzer, GuardDuty, SecurityHub, DRS and Config
   allowlist_non_default_regions: False
   # If you want to allowlist/mute failed findings only in specific regions, create a file with the following syntax and run it with `prowler aws -w allowlist.yaml`:
   # Allowlist:

prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py

@@ -19,17 +19,23 @@ class accessanalyzer_enabled(Check):
                     f"IAM Access Analyzer {analyzer.name} is enabled."
                 )
 
-            elif analyzer.status == "NOT_AVAILABLE":
-                report.status = "FAIL"
-                report.status_extended = (
-                    f"IAM Access Analyzer in account {analyzer.name} is not enabled."
-                )
-
             else:
-                report.status = "FAIL"
+                if analyzer.status == "NOT_AVAILABLE":
-                report.status_extended = (
+                    report.status = "FAIL"
-                    f"IAM Access Analyzer {analyzer.name} is not active."
+                    report.status_extended = f"IAM Access Analyzer in account {analyzer.name} is not enabled."
-                )
+
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = (
+                        f"IAM Access Analyzer {analyzer.name} is not active."
+                    )
+                if (
+                    accessanalyzer_client.audit_config.get(
+                        "allowlist_non_default_regions", False
+                    )
+                    and not analyzer.region == accessanalyzer_client.region
+                ):
+                    report.status = "WARNING"
 
             findings.append(report)
 

tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py

@@ -33,6 +33,7 @@ class Test_accessanalyzer_enabled:
     def test_one_analyzer_not_available(self):
         # Include analyzers to check
         accessanalyzer_client = mock.MagicMock
+        accessanalyzer_client.region = AWS_REGION_1
         accessanalyzer_client.analyzers = [
             Analyzer(
                 arn=AWS_ACCOUNT_ARN,
@@ -65,8 +66,46 @@ class Test_accessanalyzer_enabled:
             assert result[0].region == AWS_REGION_1
             assert result[0].resource_tags == []
 
+    def test_one_analyzer_not_available_allowlisted(self):
+        # Include analyzers to check
+        accessanalyzer_client = mock.MagicMock
+        accessanalyzer_client.region = AWS_REGION_2
+        accessanalyzer_client.audit_config = {"allowlist_non_default_regions": True}
+        accessanalyzer_client.analyzers = [
+            Analyzer(
+                arn=AWS_ACCOUNT_ARN,
+                name=AWS_ACCOUNT_NUMBER,
+                status="NOT_AVAILABLE",
+                tags=[],
+                type="",
+                region=AWS_REGION_1,
+            )
+        ]
+        with mock.patch(
+            "prowler.providers.aws.services.accessanalyzer.accessanalyzer_service.AccessAnalyzer",
+            accessanalyzer_client,
+        ):
+            from prowler.providers.aws.services.accessanalyzer.accessanalyzer_enabled.accessanalyzer_enabled import (
+                accessanalyzer_enabled,
+            )
+
+            check = accessanalyzer_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "WARNING"
+            assert (
+                result[0].status_extended
+                == f"IAM Access Analyzer in account {AWS_ACCOUNT_NUMBER} is not enabled."
+            )
+            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert result[0].region == AWS_REGION_1
+            assert result[0].resource_tags == []
+
     def test_two_analyzers(self):
         accessanalyzer_client = mock.MagicMock
+        accessanalyzer_client.region = AWS_REGION_1
         accessanalyzer_client.analyzers = [
             Analyzer(
                 arn=AWS_ACCOUNT_ARN,