mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
refactor(vpc_endpoint_connections_trust_boundaries) (#2667)
This commit is contained in:
Pepe Fagoaga
@@ -24,29 +24,24 @@ class vpc_endpoint_connections_trust_boundaries(Check):
|
||||
if not access_from_trusted_accounts:
|
||||
break
|
||||
if "*" == statement["Principal"]:
|
||||
access_from_trusted_accounts = False
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = endpoint.region
|
||||
report.resource_id = endpoint.id
|
||||
report.resource_arn = endpoint.arn
|
||||
report.resource_tags = endpoint.tags
|
||||
|
||||
for account_id in trusted_account_ids:
|
||||
if (
|
||||
"Condition" in statement
|
||||
and is_account_only_allowed_in_condition(
|
||||
if "Condition" in statement:
|
||||
for account_id in trusted_account_ids:
|
||||
if is_account_only_allowed_in_condition(
|
||||
statement["Condition"], account_id
|
||||
)
|
||||
):
|
||||
access_from_trusted_accounts = True
|
||||
else:
|
||||
access_from_trusted_accounts = False
|
||||
break
|
||||
):
|
||||
access_from_trusted_accounts = True
|
||||
else:
|
||||
access_from_trusted_accounts = False
|
||||
break
|
||||
|
||||
if (
|
||||
not access_from_trusted_accounts
|
||||
or len(trusted_account_ids) == 0
|
||||
):
|
||||
access_from_trusted_accounts = False
|
||||
if not access_from_trusted_accounts:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can be accessed from non-trusted accounts."
|
||||
else:
|
||||
@@ -63,30 +58,25 @@ class vpc_endpoint_connections_trust_boundaries(Check):
|
||||
else:
|
||||
principals = statement["Principal"]["AWS"]
|
||||
for principal_arn in principals:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = endpoint.region
|
||||
report.resource_id = endpoint.id
|
||||
report.resource_arn = endpoint.arn
|
||||
report.resource_tags = endpoint.tags
|
||||
|
||||
if principal_arn == "*":
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = endpoint.region
|
||||
report.resource_id = endpoint.id
|
||||
report.resource_arn = endpoint.arn
|
||||
report.resource_tags = endpoint.tags
|
||||
|
||||
for account_id in trusted_account_ids:
|
||||
if (
|
||||
"Condition" in statement
|
||||
and is_account_only_allowed_in_condition(
|
||||
access_from_trusted_accounts = False
|
||||
if "Condition" in statement:
|
||||
for account_id in trusted_account_ids:
|
||||
if is_account_only_allowed_in_condition(
|
||||
statement["Condition"], account_id
|
||||
)
|
||||
):
|
||||
access_from_trusted_accounts = True
|
||||
else:
|
||||
access_from_trusted_accounts = False
|
||||
break
|
||||
):
|
||||
access_from_trusted_accounts = True
|
||||
else:
|
||||
access_from_trusted_accounts = False
|
||||
break
|
||||
|
||||
if (
|
||||
not access_from_trusted_accounts
|
||||
or len(trusted_account_ids) == 0
|
||||
):
|
||||
access_from_trusted_accounts = False
|
||||
if not access_from_trusted_accounts:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can be accessed from non-trusted accounts."
|
||||
else:
|
||||
@@ -104,50 +94,29 @@ class vpc_endpoint_connections_trust_boundaries(Check):
|
||||
account_id = principal_arn.split(":")[4]
|
||||
else:
|
||||
account_id = match.string
|
||||
if (
|
||||
account_id in trusted_account_ids
|
||||
or account_id in vpc_client.audited_account
|
||||
):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = endpoint.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Found trusted account {account_id} in VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id}."
|
||||
report.resource_id = endpoint.id
|
||||
report.resource_arn = endpoint.arn
|
||||
report.resource_tags = endpoint.tags
|
||||
findings.append(report)
|
||||
else:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = endpoint.region
|
||||
report.resource_id = endpoint.id
|
||||
report.resource_arn = endpoint.arn
|
||||
report.resource_tags = endpoint.tags
|
||||
|
||||
if account_id not in trusted_account_ids:
|
||||
access_from_trusted_accounts = False
|
||||
|
||||
if "Condition" in statement:
|
||||
for account_id in trusted_account_ids:
|
||||
if (
|
||||
"Condition" in statement
|
||||
and is_account_only_allowed_in_condition(
|
||||
statement["Condition"], account_id
|
||||
)
|
||||
if is_account_only_allowed_in_condition(
|
||||
statement["Condition"], account_id
|
||||
):
|
||||
access_from_trusted_accounts = True
|
||||
else:
|
||||
access_from_trusted_accounts = False
|
||||
break
|
||||
|
||||
if (
|
||||
not access_from_trusted_accounts
|
||||
or len(trusted_account_ids) == 0
|
||||
):
|
||||
access_from_trusted_accounts = False
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can be accessed from non-trusted accounts."
|
||||
else:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can only be accessed from trusted accounts."
|
||||
if not access_from_trusted_accounts:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can be accessed from non-trusted accounts."
|
||||
else:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can only be accessed from trusted accounts."
|
||||
|
||||
findings.append(report)
|
||||
if not access_from_trusted_accounts:
|
||||
break
|
||||
findings.append(report)
|
||||
if not access_from_trusted_accounts:
|
||||
break
|
||||
|
||||
return findings
|
||||
|
||||
@@ -186,7 +186,7 @@ class Test_vpc_endpoint_connections_trust_boundaries:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Found trusted account {AWS_ACCOUNT_NUMBER} in VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']}."
|
||||
== f"VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']} can only be accessed from trusted accounts."
|
||||
)
|
||||
assert (
|
||||
result[0].resource_id
|
||||
@@ -244,7 +244,7 @@ class Test_vpc_endpoint_connections_trust_boundaries:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Found trusted account {AWS_ACCOUNT_NUMBER} in VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']}."
|
||||
== f"VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']} can only be accessed from trusted accounts."
|
||||
)
|
||||
assert (
|
||||
result[0].resource_id
|
||||
@@ -368,7 +368,7 @@ class Test_vpc_endpoint_connections_trust_boundaries:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Found trusted account {TRUSTED_AWS_ACCOUNT_NUMBER} in VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']}."
|
||||
== f"VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']} can only be accessed from trusted accounts."
|
||||
)
|
||||
assert (
|
||||
result[0].resource_id
|
||||
@@ -430,7 +430,7 @@ class Test_vpc_endpoint_connections_trust_boundaries:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Found trusted account {TRUSTED_AWS_ACCOUNT_NUMBER} in VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']}."
|
||||
== f"VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']} can only be accessed from trusted accounts."
|
||||
)
|
||||
assert (
|
||||
result[0].resource_id
|
||||
|
||||
Reference in New Issue
Block a user