diff --git a/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py b/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py index 6d282282..bf803d1d 100644 --- a/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py +++ b/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py @@ -24,29 +24,24 @@ class vpc_endpoint_connections_trust_boundaries(Check): if not access_from_trusted_accounts: break if "*" == statement["Principal"]: + access_from_trusted_accounts = False report = Check_Report_AWS(self.metadata()) report.region = endpoint.region report.resource_id = endpoint.id report.resource_arn = endpoint.arn report.resource_tags = endpoint.tags - for account_id in trusted_account_ids: - if ( - "Condition" in statement - and is_account_only_allowed_in_condition( + if "Condition" in statement: + for account_id in trusted_account_ids: + if is_account_only_allowed_in_condition( statement["Condition"], account_id - ) - ): - access_from_trusted_accounts = True - else: - access_from_trusted_accounts = False - break + ): + access_from_trusted_accounts = True + else: + access_from_trusted_accounts = False + break - if ( - not access_from_trusted_accounts - or len(trusted_account_ids) == 0 - ): - access_from_trusted_accounts = False + if not access_from_trusted_accounts: report.status = "FAIL" report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can be accessed from non-trusted accounts." else: 
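Review bot: The fail-closed default the hunk introduces for a bare `"Principal": "*"` is not stated anywhere, and the loop under it is easy to misread as "any trusted account": the `else: access_from_trusted_accounts = False; break` means every entry of `trusted_account_ids` must satisfy `is_account_only_allowed_in_condition`, and an empty list or a statement without a Condition leaves the flag False. I'd put `# "*" is untrusted unless a Condition pins the statement to every trusted account; the first miss fails closed` above the new `access_from_trusted_accounts = False`. Whether a Condition that names a single trusted account should pass when several are configured depends on what `is_account_only_allowed_in_condition` does, which is outside the hunk — worth confirming. The `for` loop and method this sits in begin before the hunk.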
@@ -63,30 +58,25 @@ class vpc_endpoint_connections_trust_boundaries(Check): else: principals = statement["Principal"]["AWS"] for principal_arn in principals: + report = Check_Report_AWS(self.metadata()) + report.region = endpoint.region + report.resource_id = endpoint.id + report.resource_arn = endpoint.arn + report.resource_tags = endpoint.tags + if principal_arn == "*": - report = Check_Report_AWS(self.metadata()) - report.region = endpoint.region - report.resource_id = endpoint.id - report.resource_arn = endpoint.arn - report.resource_tags = endpoint.tags - - for account_id in trusted_account_ids: - if ( - "Condition" in statement - and is_account_only_allowed_in_condition( + access_from_trusted_accounts = False + if "Condition" in statement: + for account_id in trusted_account_ids: + if is_account_only_allowed_in_condition( statement["Condition"], account_id - ) - ): - access_from_trusted_accounts = True - else: - access_from_trusted_accounts = False - break + ): + access_from_trusted_accounts = True + else: + access_from_trusted_accounts = False + break - if ( - not access_from_trusted_accounts - or len(trusted_account_ids) == 0 - ): - access_from_trusted_accounts = False + if not access_from_trusted_accounts: report.status = "FAIL" report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can be accessed from non-trusted accounts." else: 
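Review bot: The Condition loop in the `principal_arn == "*"` branch is now the third verbatim copy of the same twelve lines (the first is in the `"*" == statement["Principal"]` branch, the third in the explicit-principal branch), and each copy rebinds `account_id` as its loop variable. A small helper at module level, next to where `is_account_only_allowed_in_condition` is imported (outside the hunk), would make the rule readable and keep the three sites from drifting; `all()` short-circuits on the first failing account exactly as the `else: ... break` does. The call site then collapses to `access_from_trusted_accounts = _trusted_only_by_condition(statement, trusted_account_ids)` in all three branches. The enclosing `for principal_arn in principals:` loop and the method start before the hunk.
```python
def _trusted_only_by_condition(statement: dict, trusted_account_ids: list) -> bool:
    """True only when a Condition pins the statement to every trusted account.

    No Condition, or an empty trusted list, means no trust; the first trusted
    account the Condition does not pin fails closed (same as the inline loop).
    """
    if "Condition" not in statement or not trusted_account_ids:
        return False
    return all(
        is_account_only_allowed_in_condition(statement["Condition"], trusted_id)
        for trusted_id in trusted_account_ids
    )

# … unchanged: report construction at the top of the principal loop …
if principal_arn == "*":
    access_from_trusted_accounts = _trusted_only_by_condition(
        statement, trusted_account_ids
    )
    # … unchanged: FAIL / PASS report and append …
```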
@@ -104,50 +94,29 @@ class vpc_endpoint_connections_trust_boundaries(Check): account_id = principal_arn.split(":")[4] else: account_id = match.string - if ( - account_id in trusted_account_ids - or account_id in vpc_client.audited_account - ): - report = Check_Report_AWS(self.metadata()) - report.region = endpoint.region - report.status = "PASS" - report.status_extended = f"Found trusted account {account_id} in VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id}." - report.resource_id = endpoint.id - report.resource_arn = endpoint.arn - report.resource_tags = endpoint.tags - findings.append(report) - else: - report = Check_Report_AWS(self.metadata()) - report.region = endpoint.region - report.resource_id = endpoint.id - report.resource_arn = endpoint.arn - report.resource_tags = endpoint.tags + if account_id not in trusted_account_ids: + access_from_trusted_accounts = False + + if "Condition" in statement: for account_id in trusted_account_ids: - if ( - "Condition" in statement - and is_account_only_allowed_in_condition( - statement["Condition"], account_id - ) + if is_account_only_allowed_in_condition( + statement["Condition"], account_id ): access_from_trusted_accounts = True else: access_from_trusted_accounts = False break - if ( - not access_from_trusted_accounts - or len(trusted_account_ids) == 0 - ): - access_from_trusted_accounts = False - report.status = "FAIL" - report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can be accessed from non-trusted accounts." - else: - report.status = "PASS" - report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can only be accessed from trusted accounts." + if not access_from_trusted_accounts: + report.status = "FAIL" + report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can be accessed from non-trusted accounts." 
+ else: + report.status = "PASS" + report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} can only be accessed from trusted accounts." - findings.append(report) - if not access_from_trusted_accounts: - break + findings.append(report) + if not access_from_trusted_accounts: + break return findings diff --git a/tests/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries_test.py b/tests/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries_test.py index a56de713..eb940bc1 100644 --- a/tests/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries_test.py +++ b/tests/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries_test.py @@ -186,7 +186,7 @@ class Test_vpc_endpoint_connections_trust_boundaries: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Found trusted account {AWS_ACCOUNT_NUMBER} in VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']}." + == f"VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']} can only be accessed from trusted accounts." ) assert ( result[0].resource_id @@ -244,7 +244,7 @@ class Test_vpc_endpoint_connections_trust_boundaries: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Found trusted account {AWS_ACCOUNT_NUMBER} in VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']}." + == f"VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']} can only be accessed from trusted accounts." ) assert ( result[0].resource_id 
@@ -368,7 +368,7 @@ class Test_vpc_endpoint_connections_trust_boundaries: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Found trusted account {TRUSTED_AWS_ACCOUNT_NUMBER} in VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']}." + == f"VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']} can only be accessed from trusted accounts." ) assert ( result[0].resource_id @@ -430,7 +430,7 @@ class Test_vpc_endpoint_connections_trust_boundaries: assert result[0].status == "PASS" assert ( result[0].status_extended - == f"Found trusted account {TRUSTED_AWS_ACCOUNT_NUMBER} in VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']}." + == f"VPC Endpoint {vpc_endpoint['VpcEndpoint']['VpcEndpointId']} in VPC {vpc['VpcId']} can only be accessed from trusted accounts." ) assert ( result[0].resource_id
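Review bot: The test changes visible here only swap the expected `status_extended` text, so nothing pins the behaviour the check now has in the explicit-principal branch: a trusted principal whose statement also carries a Condition, a principal from the audited account that is not in `trusted_account_ids`, and a mix of one trusted and one untrusted principal in the same statement. Unless such cases were added in a hunk not shown, I'd add one test per case asserting the status, since those are the paths the code change touched. The surrounding test methods start before and end after each hunk.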