fix(iam tests): mock audit_info object (#2226)

Co-authored-by: n4ch04 <nachor1992@gmail.com>
Sergio Garcia
2023-04-17 11:14:48 +02:00
committed by GitHub
parent c4757684c1
commit 5e567f3e37
29 changed files with 2065 additions and 977 deletions


@@ -2,11 +2,40 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_administrator_access_with_mfa_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_group_with_no_policies(self):
iam = client("iam")
@@ -14,28 +43,31 @@ class Test_iam_administrator_access_with_mfa_test:
arn = iam.create_group(GroupName=group_name)["Group"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn
assert search(
f"Group {group_name} has no policies.", result[0].status_extended
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn
assert search(
f"Group {group_name} has no policies.", result[0].status_extended
)
@mock_iam
def test_group_non_administrative_policy(self):
@@ -54,29 +86,32 @@ class Test_iam_administrator_access_with_mfa_test:
arn = iam.create_group(GroupName=group_name)["Group"]["Arn"]
iam.attach_group_policy(GroupName=group_name, PolicyArn=policy_arn)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn
assert search(
f"Group {group_name} provides non-administrative access.",
result[0].status_extended,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn
assert search(
f"Group {group_name} provides non-administrative access.",
result[0].status_extended,
)
@mock_iam
def test_admin_policy_no_users(self):
@@ -89,29 +124,32 @@ class Test_iam_administrator_access_with_mfa_test:
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess",
)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn
assert search(
f"Group {group_name} provides administrative access but does not have users.",
result[0].status_extended,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn
assert search(
f"Group {group_name} provides administrative access but does not have users.",
result[0].status_extended,
)
@mock_iam
def test_admin_policy_with_user_without_mfa(self):
@@ -126,29 +164,32 @@ class Test_iam_administrator_access_with_mfa_test:
)
iam.add_user_to_group(GroupName=group_name, UserName=user_name)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn
assert search(
f"Group {group_name} provides administrator access to User {user_name} with MFA disabled.",
result[0].status_extended,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn
assert search(
f"Group {group_name} provides administrator access to User {user_name} with MFA disabled.",
result[0].status_extended,
)
@mock_iam
def test_various_policies_with_users_with_and_without_mfa(self):
@@ -187,26 +228,29 @@ class Test_iam_administrator_access_with_mfa_test:
iam.add_user_to_group(GroupName=group_name, UserName=user_name_no_mfa)
iam.add_user_to_group(GroupName=group_name, UserName=user_name_mfa)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_administrator_access_with_mfa.iam_administrator_access_with_mfa import (
iam_administrator_access_with_mfa,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn_group
assert search(
f"Group {group_name} provides administrator access to User {user_name_no_mfa} with MFA disabled.",
result[0].status_extended,
)
check = iam_administrator_access_with_mfa()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].resource_id == group_name
assert result[0].resource_arn == arn_group
assert search(
f"Group {group_name} provides administrator access to User {user_name_no_mfa} with MFA disabled.",
result[0].status_extended,
)
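Review bot: `set_mocked_audit_info` is added verbatim to every test class in this commit (here at L25 and again in the sections at L283, L652 and L722), so the mocked identity (account, partition, region, all-`None` credentials) now lives in many copies that will drift; a single shared helper or pytest fixture would keep every IAM test auditing the same fake account. The helper also has no docstring and only the two-word `# Mocked Audit Info`, so it is not stated that the boto3 `session.Session(...)` it builds is only meaningful while `@mock_iam` is active on the calling test — a docstring such as `"""Return an AWS_Audit_Info for the mocked account AWS_ACCOUNT_NUMBER in AWS_REGION; call only inside a @mock_iam test."""` would capture that. The nested `with mock.patch(...)` blocks in each test could also be a single `with mock.patch(..., new=audit_info), mock.patch(..., new=IAM(audit_info)):` statement, which keeps the check import and assertions one level shallower. The test methods in this section start before the hunks, so their setup lines are not visible here.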


@@ -3,10 +3,40 @@ from csv import DictReader
from re import search
from unittest import mock
from boto3 import session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_avoid_root_usage:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_root_not_used(self):
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
@@ -15,29 +45,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_password_recently_used(self):
@@ -50,28 +85,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed", result[0].status_extended
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_access_key_1_recently_used(self):
@@ -84,28 +125,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed", result[0].status_extended
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_access_key_2_recently_used(self):
@@ -118,28 +165,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed", result[0].status_extended
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
"Root user in the account was last accessed",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_password_used(self):
@@ -152,29 +205,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_access_key_1_used(self):
@@ -187,29 +245,34 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
@mock_iam
def test_root_access_key_2_used(self):
@@ -222,26 +285,31 @@ class Test_iam_avoid_root_usage:
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_avoid_root_usage.iam_avoid_root_usage import (
iam_avoid_root_usage,
)
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
service_client.credential_report = credential_list
check = iam_avoid_root_usage()
result = check.execute()
assert result[0].status == "PASS"
assert search(
"Root user in the account wasn't accessed in the last 1 days",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"
)
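Review bot: The reformatted assertions still hard-code the account, `result[0].resource_arn == "arn:aws:iam::123456789012:<root_account>"`, even though the commit introduces `AWS_ACCOUNT_NUMBER` and feeds it to the mocked audit info via `audited_account=AWS_ACCOUNT_NUMBER`; if that constant changes, every test here keeps passing only by coincidence. Each of those asserts (in all seven tests of this section) should read `assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:<root_account>"` so the expected ARN is derived from the same value the check is given. The same duplicated-helper and missing-docstring remarks as for the first file apply to `set_mocked_audit_info` at L283.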


@@ -1,10 +1,39 @@
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_check_saml_providers_sts:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_check_saml_providers_sts(self):
iam_client = client("iam")
@@ -41,20 +70,23 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
SAMLMetadataDocument=xml_template, Name=saml_provider_name
)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
# Test Check
from prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts import (
iam_check_saml_providers_sts,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts.iam_client",
new=IAM(audit_info),
):
# Test Check
from prowler.providers.aws.services.iam.iam_check_saml_providers_sts.iam_check_saml_providers_sts import (
iam_check_saml_providers_sts,
)
check = iam_check_saml_providers_sts()
result = check.execute()
assert result[0].status == "PASS"
check = iam_check_saml_providers_sts()
result = check.execute()
assert result[0].status == "PASS"


@@ -2,11 +2,40 @@ import datetime
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_disable_30_days_credentials_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_user_logged_30_days(self):
password_last_used = (
@@ -15,29 +44,33 @@ class Test_iam_disable_30_days_credentials_test:
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} has logged in to the console in the past 30 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = password_last_used
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} has logged in to the console in the past 30 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_iam_user_not_logged_30_days(self):
@@ -47,59 +80,67 @@ class Test_iam_disable_30_days_credentials_test:
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"User {user} has not logged in to the console in the past 30 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = password_last_used
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"User {user} has not logged in to the console in the past 30 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_iam_user_not_logged(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} does not have a console password or is unused.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} does not have a console password or is unused.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_user_no_access_keys(self):
@@ -107,30 +148,38 @@ class Test_iam_disable_30_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A"
service_client.credential_report[0]["access_key_2_last_rotated"] == "N/A"
service_client.credential_report[0][
"access_key_1_last_rotated"
] == "N/A"
service_client.credential_report[0][
"access_key_2_last_rotated"
] == "N/A"
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[-1].status == "PASS"
assert (
result[-1].status_extended == f"User {user} does not have access keys."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[-1].status == "PASS"
assert (
result[-1].status_extended
== f"User {user} does not have access keys."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
@mock_iam
def test_user_access_key_1_not_used(self):
@@ -141,33 +190,36 @@ class Test_iam_disable_30_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 1 in the last 30 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 1 in the last 30 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
@mock_iam
def test_user_access_key_2_not_used(self):
@@ -178,30 +230,33 @@ class Test_iam_disable_30_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_30_days_credentials.iam_disable_30_days_credentials import (
iam_disable_30_days_credentials,
)
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 2 in the last 30 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_30_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 2 in the last 30 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn


@@ -2,11 +2,40 @@ import datetime
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_disable_45_days_credentials_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_user_logged_45_days(self):
password_last_used = (
@@ -15,29 +44,33 @@ class Test_iam_disable_45_days_credentials_test:
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} has logged in to the console in the past 45 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = password_last_used
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} has logged in to the console in the past 45 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_iam_user_not_logged_45_days(self):
@@ -47,59 +80,67 @@ class Test_iam_disable_45_days_credentials_test:
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"User {user} has not logged in to the console in the past 45 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = password_last_used
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"User {user} has not logged in to the console in the past 45 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_iam_user_not_logged(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} does not have a console password or is unused.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} does not have a console password or is unused.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_user_no_access_keys(self):
@@ -107,30 +148,38 @@ class Test_iam_disable_45_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A"
service_client.credential_report[0]["access_key_2_last_rotated"] == "N/A"
service_client.credential_report[0][
"access_key_1_last_rotated"
] == "N/A"
service_client.credential_report[0][
"access_key_2_last_rotated"
] == "N/A"
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[-1].status == "PASS"
assert (
result[-1].status_extended == f"User {user} does not have access keys."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[-1].status == "PASS"
assert (
result[-1].status_extended
== f"User {user} does not have access keys."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
@mock_iam
def test_user_access_key_1_not_used(self):
@@ -141,33 +190,36 @@ class Test_iam_disable_45_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 1 in the last 45 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 1 in the last 45 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
@mock_iam
def test_user_access_key_2_not_used(self):
@@ -178,30 +230,33 @@ class Test_iam_disable_45_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_45_days_credentials.iam_disable_45_days_credentials import (
iam_disable_45_days_credentials,
)
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 2 in the last 45 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_45_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 2 in the last 45 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
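Review bot: The two statements at the top of `test_user_no_access_keys` (`service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A"` and its `access_key_2` twin) are comparisons, not assignments, so they are no-ops and the test never sets the report state it describes; this commit only reflows them across three lines. Presumably the `PASS` / "does not have access keys" assertion holds only because moto's default credential report already shows N/A for a user with no keys, which is not what a reader takes the test to be exercising. Change `] == "N/A"` to `] = "N/A"` in both statements so the fixture is actually driven by the test, or delete the two lines if the default report is what is meant to be covered. The leftover `# raise Exception` comment in `test_iam_user_not_logged` should go as well. The `Test_iam_disable_45_days_credentials_test` class header is only visible in the first hunk of this section.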


@@ -2,11 +2,40 @@ import datetime
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_disable_90_days_credentials_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_user_logged_90_days(self):
password_last_used = (
@@ -15,29 +44,32 @@ class Test_iam_disable_90_days_credentials_test:
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} has logged in to the console in the past 90 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = password_last_used
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} has logged in to the console in the past 90 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_iam_user_not_logged_90_days(self):
@@ -47,59 +79,67 @@ class Test_iam_disable_90_days_credentials_test:
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.users[0].password_last_used = password_last_used
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"User {user} has not logged in to the console in the past 90 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = password_last_used
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"User {user} has not logged in to the console in the past 90 days.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_iam_user_not_logged(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} does not have a console password or is unused.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
service_client.users[0].password_last_used = ""
# raise Exception
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"User {user} does not have a console password or is unused.",
result[0].status_extended,
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
@mock_iam
def test_user_no_access_keys(self):
@@ -107,30 +147,38 @@ class Test_iam_disable_90_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A"
service_client.credential_report[0]["access_key_2_last_rotated"] == "N/A"
service_client.credential_report[0][
"access_key_1_last_rotated"
] == "N/A"
service_client.credential_report[0][
"access_key_2_last_rotated"
] == "N/A"
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[-1].status == "PASS"
assert (
result[-1].status_extended == f"User {user} does not have access keys."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[-1].status == "PASS"
assert (
result[-1].status_extended
== f"User {user} does not have access keys."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
@mock_iam
def test_user_access_key_1_not_used(self):
@@ -141,33 +189,36 @@ class Test_iam_disable_90_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0][
"access_key_1_last_used_date"
] = credentials_last_rotated
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 1 in the last 90 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 1 in the last 90 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
@mock_iam
def test_user_access_key_2_not_used(self):
@@ -178,30 +229,33 @@ class Test_iam_disable_90_days_credentials_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_disable_90_days_credentials.iam_disable_90_days_credentials import (
iam_disable_90_days_credentials,
)
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
service_client.credential_report[0]["access_key_2_active"] = "true"
service_client.credential_report[0][
"access_key_2_last_used_date"
] = credentials_last_rotated
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 2 in the last 90 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
check = iam_disable_90_days_credentials()
result = check.execute()
assert result[-1].status == "FAIL"
assert (
result[-1].status_extended
== f"User {user} has not used access key 2 in the last 90 days (100 days)."
)
assert result[-1].resource_id == user
assert result[-1].resource_arn == arn
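Review bot: In `test_user_no_access_keys` the lines `service_client.credential_report[0]["access_key_1_last_rotated"] == "N/A"` and the matching `access_key_2_last_rotated` statement use `==` where `=` was intended, so they evaluate and discard a boolean and the credential report is never modified; the commit reformats them but keeps the bug. The test presumably passes only because moto's report already reports N/A for a key-less user, so the scenario named by the test is not actually the one under test. Replace `] == "N/A"` with `] = "N/A"` in both statements (the same no-op appears in the sibling 30- and 45-day suites in this commit). As a style point, `set_mocked_audit_info` is now copied verbatim into every IAM test class; a single module-level helper or pytest fixture would keep the `AWS_Audit_Info` shape in one place when its fields change. The stale `# raise Exception` comment in `test_iam_user_not_logged` can be dropped too.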


@@ -2,11 +2,40 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_no_custom_policy_permissive_role_assumption:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_policy_allows_permissive_role_assumption_wildcard(self):
iam_client = client("iam")
@@ -21,28 +50,31 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"Custom Policy {policy_name} allows permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_arn == arn
assert result[0].resource_id == policy_name
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"Custom Policy {policy_name} allows permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_arn == arn
assert result[0].resource_id == policy_name
@mock_iam
def test_policy_allows_permissive_role_assumption_no_wilcard(self):
@@ -58,28 +90,31 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"Custom Policy {policy_name} allows permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_arn == arn
assert result[0].resource_id == policy_name
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert result[0].status == "FAIL"
assert search(
f"Custom Policy {policy_name} allows permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_arn == arn
assert result[0].resource_id == policy_name
@mock_iam
def test_policy_assume_role_not_allow_permissive_role_assumption(self):
@@ -98,28 +133,32 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
arn = iam_client.create_policy(
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"Custom Policy {policy_name} does not allow permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_arn == arn
assert result[0].resource_id == policy_name
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"Custom Policy {policy_name} does not allow permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_arn == arn
assert result[0].resource_id == policy_name
@mock_iam
def test_policy_not_allow_permissive_role_assumption(self):
@@ -135,28 +174,31 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"Custom Policy {policy_name} does not allow permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_arn == arn
assert result[0].resource_id == policy_name
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert result[0].status == "PASS"
assert search(
f"Custom Policy {policy_name} does not allow permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_arn == arn
assert result[0].resource_id == policy_name
@mock_iam
def test_policy_permissive_and_not_permissive(self):
@@ -184,33 +226,36 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
PolicyDocument=dumps(policy_document_permissive),
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
iam_no_custom_policy_permissive_role_assumption,
)
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert result[0].resource_arn == arn_non_permissive
assert search(
f"Policy {policy_name_non_permissive} does not allow permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_id == policy_name_non_permissive
assert result[1].status == "FAIL"
assert result[1].resource_arn == arn_permissive
assert search(
f"Policy {policy_name_permissive} allows permissive STS Role assumption",
result[1].status_extended,
)
assert result[1].resource_id == policy_name_permissive
check = iam_no_custom_policy_permissive_role_assumption()
result = check.execute()
assert len(result) == 2
assert result[0].status == "PASS"
assert result[0].resource_arn == arn_non_permissive
assert search(
f"Policy {policy_name_non_permissive} does not allow permissive STS Role assumption",
result[0].status_extended,
)
assert result[0].resource_id == policy_name_non_permissive
assert result[1].status == "FAIL"
assert result[1].resource_arn == arn_permissive
assert search(
f"Policy {policy_name_permissive} allows permissive STS Role assumption",
result[1].status_extended,
)
assert result[1].resource_id == policy_name_permissive
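Review bot: `test_policy_permissive_and_not_permissive` pins `result[0]` to the non-permissive policy and `result[1]` to the permissive one, so the test passes or fails on the order in which the mocked IAM backend lists customer-managed policies rather than on the check's logic; indexing the findings by ARN, `by_arn = {r.resource_arn: r for r in result}` followed by `assert by_arn[arn_permissive].status == "FAIL"` and `assert by_arn[arn_non_permissive].status == "PASS"`, makes the assertions order-independent. `set_mocked_audit_info` builds and returns a fresh `AWS_Audit_Info` and sets nothing, so the `set_` prefix promises a side effect the method does not have; `build_mocked_audit_info` or a pytest fixture would describe it. The same helper, constants and session construction are copy-pasted into every test class touched by this commit (Test_iam_no_expired_server_certificates_stored_test, Test_iam_no_root_access_key_test, Test_iam_password_policy_expires_passwords_within_90_days_or_less and Test_iam_password_policy_lowercase in this view), and a single shared builder in a test helper or conftest would keep the fake account and region values in one place.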


@@ -1,28 +1,62 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_no_expired_server_certificates_stored_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_no_certificates(self):
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored import (
iam_no_expired_server_certificates_stored,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored import (
iam_no_expired_server_certificates_stored,
)
check = iam_no_expired_server_certificates_stored()
result = check.execute()
check = iam_no_expired_server_certificates_stored()
result = check.execute()
assert len(result) == 0
assert len(result) == 0
@mock_iam
def test_expired_certificate(self):
@@ -33,25 +67,31 @@ class Test_iam_no_expired_server_certificates_stored_test:
CertificateBody="certbody",
PrivateKey="privatekey",
)["ServerCertificateMetadata"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored.iam_client",
new=IAM(current_audit_info),
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
from prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored import (
iam_no_expired_server_certificates_stored,
)
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored.iam_client",
new=IAM(audit_info),
):
from prowler.providers.aws.services.iam.iam_no_expired_server_certificates_stored.iam_no_expired_server_certificates_stored import (
iam_no_expired_server_certificates_stored,
)
check = iam_no_expired_server_certificates_stored()
result = check.execute()
check = iam_no_expired_server_certificates_stored()
result = check.execute()
assert len(result) == 1
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
"IAM Certificate certname has expired", result[0].status_extended
)
assert result[0].resource_id == cert["ServerCertificateId"]
assert result[0].resource_arn == cert["Arn"]
assert result[0].status == "FAIL"
assert search(
"IAM Certificate certname has expired", result[0].status_extended
)
assert result[0].resource_id == cert["ServerCertificateId"]
assert result[0].resource_arn == cert["Arn"]
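Review bot: `test_expired_certificate` checks the status text with `search("IAM Certificate certname has expired", result[0].status_extended)`, which treats a literal message as a regular expression; a plain membership test, `assert "IAM Certificate certname has expired" in result[0].status_extended`, states the intent and cannot be loosened by a metacharacter if the message is ever edited. The `from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info` line at the start of both tests is no longer referenced on the new side, where the audit info is patched by dotted path and passed as `audit_info`; if that import survives the change it is dead and should be dropped.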


@@ -1,50 +1,82 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_no_root_access_key_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_root_no_access_keys(self):
iam_client = client("iam")
user = "test"
iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import (
iam_no_root_access_key,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import (
iam_no_root_access_key,
)
service_client.credential_report[0]["user"] = "<root_account>"
service_client.credential_report[0][
"arn"
] = "arn:aws:iam::123456789012:user/<root_account>"
service_client.credential_report[0]["access_key_1_active"] = "false"
service_client.credential_report[0]["access_key_2_active"] = "false"
check = iam_no_root_access_key()
result = check.execute()
service_client.credential_report[0]["user"] = "<root_account>"
service_client.credential_report[0][
"arn"
] = "arn:aws:iam::123456789012:user/<root_account>"
service_client.credential_report[0]["access_key_1_active"] = "false"
service_client.credential_report[0]["access_key_2_active"] = "false"
check = iam_no_root_access_key()
result = check.execute()
# raise Exception
assert result[0].status == "PASS"
assert search(
"User <root_account> does not have access keys.",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== "arn:aws:iam::123456789012:user/<root_account>"
)
# raise Exception
assert result[0].status == "PASS"
assert search(
"User <root_account> does not have access keys.",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== "arn:aws:iam::123456789012:user/<root_account>"
)
@mock_iam
def test_iam_root_access_key_1(self):
@@ -52,39 +84,42 @@ class Test_iam_no_root_access_key_test:
user = "test"
iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import (
iam_no_root_access_key,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import (
iam_no_root_access_key,
)
service_client.credential_report[0]["user"] = "<root_account>"
service_client.credential_report[0][
"arn"
] = "arn:aws:iam::123456789012:user/<root_account>"
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0]["access_key_2_active"] = "false"
check = iam_no_root_access_key()
result = check.execute()
service_client.credential_report[0]["user"] = "<root_account>"
service_client.credential_report[0][
"arn"
] = "arn:aws:iam::123456789012:user/<root_account>"
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0]["access_key_2_active"] = "false"
check = iam_no_root_access_key()
result = check.execute()
# raise Exception
assert result[0].status == "FAIL"
assert search(
"User <root_account> has one active access key.",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== "arn:aws:iam::123456789012:user/<root_account>"
)
# raise Exception
assert result[0].status == "FAIL"
assert search(
"User <root_account> has one active access key.",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== "arn:aws:iam::123456789012:user/<root_account>"
)
@mock_iam
def test_iam_root_access_key_2(self):
@@ -92,39 +127,42 @@ class Test_iam_no_root_access_key_test:
user = "test"
iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import (
iam_no_root_access_key,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import (
iam_no_root_access_key,
)
service_client.credential_report[0]["user"] = "<root_account>"
service_client.credential_report[0][
"arn"
] = "arn:aws:iam::123456789012:user/<root_account>"
service_client.credential_report[0]["access_key_1_active"] = "false"
service_client.credential_report[0]["access_key_2_active"] = "true"
check = iam_no_root_access_key()
result = check.execute()
service_client.credential_report[0]["user"] = "<root_account>"
service_client.credential_report[0][
"arn"
] = "arn:aws:iam::123456789012:user/<root_account>"
service_client.credential_report[0]["access_key_1_active"] = "false"
service_client.credential_report[0]["access_key_2_active"] = "true"
check = iam_no_root_access_key()
result = check.execute()
# raise Exception
assert result[0].status == "FAIL"
assert search(
"User <root_account> has one active access key.",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== "arn:aws:iam::123456789012:user/<root_account>"
)
# raise Exception
assert result[0].status == "FAIL"
assert search(
"User <root_account> has one active access key.",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== "arn:aws:iam::123456789012:user/<root_account>"
)
@mock_iam
def test_iam_root_both_access_keys(self):
@@ -132,36 +170,39 @@ class Test_iam_no_root_access_key_test:
user = "test"
iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import (
iam_no_root_access_key,
)
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_no_root_access_key.iam_no_root_access_key import (
iam_no_root_access_key,
)
service_client.credential_report[0]["user"] = "<root_account>"
service_client.credential_report[0][
"arn"
] = "arn:aws:iam::123456789012:user/<root_account>"
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0]["access_key_2_active"] = "true"
check = iam_no_root_access_key()
result = check.execute()
service_client.credential_report[0]["user"] = "<root_account>"
service_client.credential_report[0][
"arn"
] = "arn:aws:iam::123456789012:user/<root_account>"
service_client.credential_report[0]["access_key_1_active"] = "true"
service_client.credential_report[0]["access_key_2_active"] = "true"
check = iam_no_root_access_key()
result = check.execute()
# raise Exception
assert result[0].status == "FAIL"
assert search(
"User <root_account> has two active access key.",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== "arn:aws:iam::123456789012:user/<root_account>"
)
# raise Exception
assert result[0].status == "FAIL"
assert search(
"User <root_account> has two active access key.",
result[0].status_extended,
)
assert result[0].resource_id == "<root_account>"
assert (
result[0].resource_arn
== "arn:aws:iam::123456789012:user/<root_account>"
)
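Review bot: All four tests in Test_iam_no_root_access_key_test carry a leftover `# raise Exception` debugging comment directly before the assertions, and the new side keeps it; it documents nothing and should be deleted. The same tests hard-code `"arn:aws:iam::123456789012:user/<root_account>"` both in the credential-report fixture and in the expected `resource_arn`, even though this commit introduces `AWS_ACCOUNT_NUMBER` for exactly that value; `f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/<root_account>"` (or one module-level `ROOT_ARN` constant) keeps the fixture and the expectation in step with the mocked account. The `iam_client.create_user(UserName=user)["User"]["Arn"]` expression at the top of each test discards its result; if the user exists only so that the credential report has a row to overwrite, a one-line comment saying so would explain the otherwise dead-looking statement.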


@@ -1,108 +1,153 @@
from re import search
from unittest import mock
from boto3 import session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_password_expiration_lower_90(self):
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
with mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import (
iam_password_policy_expires_passwords_within_90_days_or_less,
)
audit_info = self.set_mocked_audit_info()
service_client.password_policy = PasswordPolicy(
length=10,
symbols=True,
numbers=True,
uppercase=True,
lowercase=True,
allow_change=True,
expiration=True,
max_age=40,
reuse_prevention=2,
hard_expiry=True,
)
check = iam_password_policy_expires_passwords_within_90_days_or_less()
result = check.execute()
assert result[0].status == "PASS"
assert result[0].resource_id == "password_policy"
assert search(
"Password expiration is set lower than 90 days",
result[0].status_extended,
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import (
iam_password_policy_expires_passwords_within_90_days_or_less,
)
service_client.password_policy = PasswordPolicy(
length=10,
symbols=True,
numbers=True,
uppercase=True,
lowercase=True,
allow_change=True,
expiration=True,
max_age=40,
reuse_prevention=2,
hard_expiry=True,
)
check = iam_password_policy_expires_passwords_within_90_days_or_less()
result = check.execute()
assert result[0].status == "PASS"
assert result[0].resource_id == "password_policy"
assert search(
"Password expiration is set lower than 90 days",
result[0].status_extended,
)
@mock_iam
def test_password_expiration_greater_90(self):
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
with mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import (
iam_password_policy_expires_passwords_within_90_days_or_less,
)
audit_info = self.set_mocked_audit_info()
service_client.password_policy = PasswordPolicy(
length=10,
symbols=True,
numbers=True,
uppercase=True,
lowercase=True,
allow_change=True,
expiration=True,
max_age=100,
reuse_prevention=2,
hard_expiry=True,
)
check = iam_password_policy_expires_passwords_within_90_days_or_less()
result = check.execute()
assert result[0].status == "FAIL"
assert result[0].resource_id == "password_policy"
assert search(
"Password expiration is set greater than 90 days",
result[0].status_extended,
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import (
iam_password_policy_expires_passwords_within_90_days_or_less,
)
service_client.password_policy = PasswordPolicy(
length=10,
symbols=True,
numbers=True,
uppercase=True,
lowercase=True,
allow_change=True,
expiration=True,
max_age=100,
reuse_prevention=2,
hard_expiry=True,
)
check = iam_password_policy_expires_passwords_within_90_days_or_less()
result = check.execute()
assert result[0].status == "FAIL"
assert result[0].resource_id == "password_policy"
assert search(
"Password expiration is set greater than 90 days",
result[0].status_extended,
)
@mock_iam
def test_password_expiration_just_90(self):
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
with mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client",
new=IAM(current_audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import (
iam_password_policy_expires_passwords_within_90_days_or_less,
)
audit_info = self.set_mocked_audit_info()
service_client.password_policy = PasswordPolicy(
length=10,
symbols=True,
numbers=True,
uppercase=True,
lowercase=True,
allow_change=True,
expiration=True,
max_age=90,
reuse_prevention=2,
hard_expiry=True,
)
check = iam_password_policy_expires_passwords_within_90_days_or_less()
result = check.execute()
assert result[0].status == "PASS"
assert result[0].resource_id == "password_policy"
assert search(
"Password expiration is set lower than 90 days",
result[0].status_extended,
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=audit_info,
):
with mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less.iam_client",
new=IAM(audit_info),
) as service_client:
from prowler.providers.aws.services.iam.iam_password_policy_expires_passwords_within_90_days_or_less.iam_password_policy_expires_passwords_within_90_days_or_less import (
iam_password_policy_expires_passwords_within_90_days_or_less,
)
service_client.password_policy = PasswordPolicy(
length=10,
symbols=True,
numbers=True,
uppercase=True,
lowercase=True,
allow_change=True,
expiration=True,
max_age=90,
reuse_prevention=2,
hard_expiry=True,
)
check = iam_password_policy_expires_passwords_within_90_days_or_less()
result = check.execute()
assert result[0].status == "PASS"
assert result[0].resource_id == "password_policy"
assert search(
"Password expiration is set lower than 90 days",
result[0].status_extended,
)


@@ -1,23 +1,52 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_password_policy_lowercase:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_password_policy_no_lowercase_flag(self):
iam_client = client("iam")
# update password policy
iam_client.update_account_password_policy(RequireLowercaseCharacters=False)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_lowercase.iam_password_policy_lowercase.iam_client",
new=IAM(current_audit_info),
):
@@ -41,12 +70,14 @@ class Test_iam_password_policy_lowercase:
# update password policy
iam_client.update_account_password_policy(RequireLowercaseCharacters=True)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_lowercase.iam_password_policy_lowercase.iam_client",
new=IAM(current_audit_info),
):
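Review bot: The `set_mocked_audit_info` helper added at the top of this file builds `session.Session(profile_name=None, botocore_session=None)` with no `region_name` and sets `profile_region=None`, so whatever region the IAM service resolves from `audit_session` presumably comes from the developer's environment rather than from the test, while `audited_regions` is pinned to `["us-east-1", "eu-west-1"]`. The same helper is pasted verbatim into every test class in this commit (the minimum_length_14, number, reuse_24, symbol, uppercase, privilege_escalation, attached_only_to_group_or_roles, no_administrative_privileges, confused_deputy, root_hardware_mfa, root_mfa and rotate_access_key sections below), which is the kind of duplication a shared pytest fixture in a `conftest.py` would avoid. At minimum I would pin the region here: `AWS_REGION = "us-east-1"` next to `AWS_ACCOUNT_NUMBER`, `region_name=AWS_REGION,` inside the `session.Session(...)` call, and `profile_region=AWS_REGION`. The test methods in both hunks continue outside the hunk.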


@@ -1,23 +1,52 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_password_policy_minimum_length_14:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_password_policy_minimum_length_equal_14(self):
iam_client = client("iam")
# update password policy
iam_client.update_account_password_policy(MinimumPasswordLength=14)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_minimum_length_14.iam_password_policy_minimum_length_14.iam_client",
new=IAM(current_audit_info),
):
@@ -41,12 +70,14 @@ class Test_iam_password_policy_minimum_length_14:
# update password policy
iam_client.update_account_password_policy(MinimumPasswordLength=20)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_minimum_length_14.iam_password_policy_minimum_length_14.iam_client",
new=IAM(current_audit_info),
):
@@ -70,12 +101,14 @@ class Test_iam_password_policy_minimum_length_14:
# update password policy
iam_client.update_account_password_policy(MinimumPasswordLength=10)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_minimum_length_14.iam_password_policy_minimum_length_14.iam_client",
new=IAM(current_audit_info),
):
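Review bot: `current_audit_info = self.set_mocked_audit_info()` rebinds the very name that the preceding `from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info` brings in; if that import survives on the new side (its side is not recoverable from this rendering) it is now dead, and the shadowing hides that the test no longer touches the module-level object at all. Use a distinct local name, `audit_info = self.set_mocked_audit_info()`, with `new=audit_info` and `new=IAM(audit_info)` in the two `mock.patch` calls, and drop the import. The same pattern appears in every other test section of this commit, and in the reuse_24, uppercase, privilege_escalation, attached_only_to_group_or_roles, no_administrative_privileges and root_mfa sections the assignment is even inserted between the two import lines. The test methods in all three hunks continue outside the hunk.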


@@ -1,23 +1,52 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_password_policy_number:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_password_policy_no_number_flag(self):
iam_client = client("iam")
# update password policy
iam_client.update_account_password_policy(RequireNumbers=False)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_number.iam_password_policy_number.iam_client",
new=IAM(current_audit_info),
):
@@ -41,12 +70,14 @@ class Test_iam_password_policy_number:
# update password policy
iam_client.update_account_password_policy(RequireNumbers=True)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_number.iam_password_policy_number.iam_client",
new=IAM(current_audit_info),
):


@@ -1,20 +1,50 @@
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_password_policy_reuse_24:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_password_policy_reuse_prevention_equal_24(self):
iam_client = client("iam")
# update password policy
iam_client.update_account_password_policy(PasswordReusePrevention=24)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_reuse_24.iam_password_policy_reuse_24.iam_client",
new=IAM(current_audit_info),
):
@@ -33,10 +63,13 @@ class Test_iam_password_policy_reuse_24:
# update password policy
iam_client.update_account_password_policy(PasswordReusePrevention=20)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_reuse_24.iam_password_policy_reuse_24.iam_client",
new=IAM(current_audit_info),
):


@@ -1,23 +1,52 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_password_policy_symbol:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_password_policy_no_symbol_flag(self):
iam_client = client("iam")
# update password policy
iam_client.update_account_password_policy(RequireSymbols=False)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_symbol.iam_password_policy_symbol.iam_client",
new=IAM(current_audit_info),
):
@@ -41,12 +70,14 @@ class Test_iam_password_policy_symbol:
# update password policy
iam_client.update_account_password_policy(RequireSymbols=True)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_symbol.iam_password_policy_symbol.iam_client",
new=IAM(current_audit_info),
):


@@ -1,20 +1,50 @@
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_password_policy_uppercase:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_password_policy_no_uppercase_flag(self):
iam_client = client("iam")
# update password policy
iam_client.update_account_password_policy(RequireUppercaseCharacters=False)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase.iam_client",
new=IAM(current_audit_info),
):
@@ -33,10 +63,13 @@ class Test_iam_password_policy_uppercase:
# update password policy
iam_client.update_account_password_policy(RequireUppercaseCharacters=True)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_password_policy_uppercase.iam_password_policy_uppercase.iam_client",
new=IAM(current_audit_info),
):


@@ -1,13 +1,39 @@
from json import dumps
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_REGION = "us-east-1"
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_policy_allows_privilege_escalation:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_policy_allows_privilege_escalation_sts(self):
iam_client = client("iam", region_name=AWS_REGION)
@@ -22,10 +48,13 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client",
new=IAM(current_audit_info),
):
@@ -47,7 +76,6 @@ class Test_iam_policy_allows_privilege_escalation:
@mock_iam
def test_iam_policy_not_allows_privilege_escalation(self):
iam_client = client("iam", region_name=AWS_REGION)
policy_name = "policy1"
policy_document = {
@@ -62,10 +90,13 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client",
new=IAM(current_audit_info),
):
@@ -87,7 +118,6 @@ class Test_iam_policy_allows_privilege_escalation:
@mock_iam
def test_iam_policy_not_allows_privilege_escalation_glue_GetDevEndpoints(self):
iam_client = client("iam", region_name=AWS_REGION)
policy_name = "policy1"
policy_document = {
@@ -106,10 +136,13 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client",
new=IAM(current_audit_info),
):
@@ -131,7 +164,6 @@ class Test_iam_policy_allows_privilege_escalation:
@mock_iam
def test_iam_policy_not_allows_privilege_escalation_dynamodb_PutItem(self):
iam_client = client("iam", region_name=AWS_REGION)
policy_name = "policy1"
policy_document = {
@@ -161,10 +193,13 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation.iam_client",
new=IAM(current_audit_info),
):


@@ -2,11 +2,38 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_policy_attached_only_to_group_or_roles:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_user_attached_policy(self):
result = []
@@ -25,10 +52,13 @@ class Test_iam_policy_attached_only_to_group_or_roles:
)["Policy"]["Arn"]
iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_attached_only_to_group_or_roles.iam_policy_attached_only_to_group_or_roles.iam_client",
new=IAM(current_audit_info),
):
@@ -61,10 +91,13 @@ class Test_iam_policy_attached_only_to_group_or_roles:
)["Policy"]["Arn"]
iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_attached_only_to_group_or_roles.iam_policy_attached_only_to_group_or_roles.iam_client",
new=IAM(current_audit_info),
):
@@ -103,10 +136,13 @@ class Test_iam_policy_attached_only_to_group_or_roles:
UserName=user, PolicyName=policyName, PolicyDocument=dumps(policyDocument)
)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_attached_only_to_group_or_roles.iam_policy_attached_only_to_group_or_roles.iam_client",
new=IAM(current_audit_info),
):
@@ -125,10 +161,13 @@ class Test_iam_policy_attached_only_to_group_or_roles:
user = "test_no_policies"
iam_client.create_user(UserName=user)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_attached_only_to_group_or_roles.iam_policy_attached_only_to_group_or_roles.iam_client",
new=IAM(current_audit_info),
):


@@ -2,14 +2,40 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_policy_no_administrative_privileges_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_policy_administrative(self):
iam_client = client("iam")
policy_name = "policy1"
policy_document = {
@@ -22,10 +48,13 @@ class Test_iam_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_no_administrative_privileges.iam_policy_no_administrative_privileges.iam_client",
new=IAM(current_audit_info),
):
@@ -42,7 +71,6 @@ class Test_iam_policy_no_administrative_privileges_test:
@mock_iam
def test_policy_non_administrative(self):
iam_client = client("iam")
policy_name = "policy1"
policy_document = {
@@ -55,10 +83,13 @@ class Test_iam_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_no_administrative_privileges.iam_policy_no_administrative_privileges.iam_client",
new=IAM(current_audit_info),
):
@@ -77,7 +108,6 @@ class Test_iam_policy_no_administrative_privileges_test:
@mock_iam
def test_policy_administrative_and_non_administrative(self):
iam_client = client("iam")
policy_name_non_administrative = "policy1"
policy_document_non_administrative = {
@@ -102,10 +132,13 @@ class Test_iam_policy_no_administrative_privileges_test:
PolicyDocument=dumps(policy_document_administrative),
)["Policy"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_policy_no_administrative_privileges.iam_policy_no_administrative_privileges.iam_client",
new=IAM(current_audit_info),
):


@@ -1,14 +1,39 @@
from json import dumps
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ID = "123456789012"
class Test_iam_role_cross_service_confused_deputy_prevention:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_ID,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_service_role_without_cross_service_confused_deputy_prevention(self):
iam_client = client("iam", region_name=AWS_REGION)
@@ -27,12 +52,14 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
AssumeRolePolicyDocument=dumps(policy_document),
)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_role_cross_service_confused_deputy_prevention.iam_role_cross_service_confused_deputy_prevention.iam_client",
new=IAM(current_audit_info),
):
@@ -73,12 +100,14 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
AssumeRolePolicyDocument=dumps(policy_document),
)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_role_cross_service_confused_deputy_prevention.iam_role_cross_service_confused_deputy_prevention.iam_client",
new=IAM(current_audit_info),
):
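Review bot: `current_audit_info.audited_account = AWS_ACCOUNT_ID` right after `self.set_mocked_audit_info()` is redundant in both hunks of this file — the helper added at the top already constructs the `AWS_Audit_Info` with `audited_account=AWS_ACCOUNT_ID`. Mutating the mock after construction also obscures which account the check is expected to trust; drop the line, and if a test ever needs a different account it should build the object with that value rather than patch it afterwards. This file also names the constant `AWS_ACCOUNT_ID` while every other section in the commit uses `AWS_ACCOUNT_NUMBER` for the same value; one name across the suite would make the eventual shared fixture a straight replacement. The test methods in both hunks continue outside the hunk.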


@@ -1,22 +1,52 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_root_hardware_mfa_enabled_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_root_hardware_virtual_mfa_enabled(self):
iam = client("iam")
mfa_device_name = "mfa-test"
iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -41,12 +71,15 @@ class Test_iam_root_hardware_mfa_enabled_test:
iam = client("iam")
mfa_device_name = "mfa-test"
iam.create_virtual_mfa_device(VirtualMFADeviceName=mfa_device_name)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_root_hardware_mfa_enabled.iam_root_hardware_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:


@@ -1,20 +1,51 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_root_mfa_enabled_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_root_mfa_not_enabled(self):
iam_client = client("iam")
user = "test-user"
iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_root_mfa_enabled.iam_root_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -42,10 +73,14 @@ class Test_iam_root_mfa_enabled_test:
iam_client = client("iam")
user = "test-user"
iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_root_mfa_enabled.iam_root_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:


@@ -1,23 +1,52 @@
import datetime
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_rotate_access_key_90_days_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_user_no_access_keys(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -46,12 +75,14 @@ class Test_iam_rotate_access_key_90_days_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -83,12 +114,14 @@ class Test_iam_rotate_access_key_90_days_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_rotate_access_key_90_days.iam_rotate_access_key_90_days.iam_client",
new=IAM(current_audit_info),
) as service_client:
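Review bot: The `from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info` line in `test_user_no_access_keys` is dead after this change, because the next statement `current_audit_info = self.set_mocked_audit_info()` rebinds the same name to the mocked object; the same import/rebind pair is left in the two later hunks of this file and in the other IAM test files of this commit. Keeping the import suggests the global singleton is still involved, when in fact only the `mock.patch` on the module attribute is what the check sees. Drop the import and give the local a distinct name, e.g. `audit_info = self.set_mocked_audit_info()` with `new=audit_info` and `new=IAM(audit_info)` in the two patches. Each of these test methods continues past the end of its hunk.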


@@ -8,9 +8,10 @@ from moto import mock_iam
from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_securityaudit_role_created:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
@@ -20,7 +21,7 @@ class Test_iam_securityaudit_role_created:
profile_name=None,
botocore_session=None,
),
audited_account=None,
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
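Review bot: `AWS_Audit_Info` is imported in this file from `prowler.providers.aws.lib.audit_info.audit_info`, whereas the sibling IAM test files in this commit import it from `prowler.providers.aws.lib.audit_info.models`; if both paths resolve to the same class this is only a consistency nit, but aligning it now keeps the `set_mocked_audit_info` helper copy-identical across files and makes a later move to a shared fixture mechanical. The rest of the helper, including the `audited_account=AWS_ACCOUNT_NUMBER` argument, continues past the end of the hunk.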


@@ -2,11 +2,38 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_support_role_created:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_support_role_created(self):
iam = client("iam")
@@ -29,10 +56,13 @@ class Test_iam_support_role_created:
PolicyArn="arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy",
)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_support_role_created.iam_support_role_created.iam_client",
new=IAM(current_audit_info),
):
@@ -55,11 +85,13 @@ class Test_iam_support_role_created:
@mock_iam
def test_no_support_role_created(self):
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_support_role_created.iam_support_role_created.iam_client",
new=IAM(current_audit_info),
):
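Review bot: `set_mocked_audit_info` builds `session.Session(profile_name=None, botocore_session=None)` with no `region_name`, so whatever region the `IAM` service resolves presumably comes from the environment or the AWS config of whoever runs the suite rather than from the test itself. `audited_regions` a few lines below pins `["us-east-1", "eu-west-1"]`, so pin the session the same way, e.g. `region_name="us-east-1",` inside the `Session(...)` call, to keep the test independent of ambient configuration. The helper is also copy-pasted into every IAM test class in this commit with small differences in `profile_region` and `audited_regions`; a single fixture in a shared test module would stop those from drifting. `test_no_support_role_created` continues past the end of the hunk.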


@@ -1,22 +1,52 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_hardware_mfa_enabled_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_user_no_mfa_devices(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_hardware_mfa_enabled.iam_user_hardware_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -41,12 +71,15 @@ class Test_iam_user_hardware_mfa_enabled_test:
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_hardware_mfa_enabled.iam_user_hardware_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -77,12 +110,15 @@ class Test_iam_user_hardware_mfa_enabled_test:
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_hardware_mfa_enabled.iam_user_hardware_mfa_enabled.iam_client",
new=IAM(current_audit_info),
) as service_client:
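Review bot: `set_mocked_audit_info` has no docstring, and nothing explains why the object is built with `credentials=None` and an unconfigured `session.Session`, so a reader may wonder whether these tests can reach real AWS. Add `"""Return an AWS_Audit_Info backed by a plain boto3 session and no credentials; meant for use inside the @mock_iam-decorated tests of this class."""` as the method's docstring. The `MFADevice` name added to the `IAM` import in the two later hunks is presumably used further down; those test methods continue past the end of their hunks.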


@@ -1,21 +1,51 @@
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_mfa_enabled_console_access_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_root_user_not_password_console_enabled(self):
iam_client = client("iam")
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_mfa_enabled_console_access.iam_user_mfa_enabled_console_access.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -42,11 +72,13 @@ class Test_iam_user_mfa_enabled_console_access_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_mfa_enabled_console_access.iam_user_mfa_enabled_console_access.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -73,11 +105,13 @@ class Test_iam_user_mfa_enabled_console_access_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_mfa_enabled_console_access.iam_user_mfa_enabled_console_access.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -105,11 +139,13 @@ class Test_iam_user_mfa_enabled_console_access_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_mfa_enabled_console_access.iam_user_mfa_enabled_console_access.iam_client",
new=IAM(current_audit_info),
) as service_client:
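Review bot: In `test_root_user_not_password_console_enabled`, `current_audit_info = self.set_mocked_audit_info()` appears twice as rendered, once right after the `current_audit_info` import and again after the `IAM` import; the first object, and the boto3 session it creates, is simply discarded. Keep a single call in the same position as the other three tests in this file, and drop the now-dead `current_audit_info` import so the local no longer shadows an imported name. The test body continues past the end of the hunk.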


@@ -2,10 +2,38 @@ from csv import DictReader
from re import search
from unittest import mock
from boto3 import session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_no_setup_initial_access_key_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_setup_access_key_1_fail(self):
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
@@ -14,10 +42,13 @@ test_false_access_key_1,arn:aws:iam::123456789012:test_false_access_key_1,2022-0
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -40,10 +71,13 @@ test_false_access_key_2,arn:aws:iam::123456789012:test_false_access_key_2,2022-0
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client",
new=IAM(current_audit_info),
) as service_client:
@@ -66,10 +100,13 @@ test_pass,arn:aws:iam::123456789012:test_pass,2022-02-17T14:59:38+00:00,not_supp
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_no_setup_initial_access_key.iam_user_no_setup_initial_access_key.iam_client",
new=IAM(current_audit_info),
) as service_client:
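Review bot: The credential-report fixtures hard-code the account id in their ARNs (`arn:aws:iam::123456789012:test_false_access_key_1` and the others), while the new `AWS_ACCOUNT_NUMBER = "123456789012"` constant feeds `audited_account`; the two agree today only because the same literal was typed in both places. If the check ever relates report ARNs to `audited_account`, an edit to either side would change the test's meaning without the coupling being visible, so either derive the ARNs from the constant or mark the dependency next to the first fixture: `# ARNs below must use AWS_ACCOUNT_NUMBER so they match audited_account`. `test_setup_access_key_1_fail` and its siblings continue past the ends of their hunks.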


@@ -1,11 +1,38 @@
from re import search
from unittest import mock
from boto3 import client
from boto3 import client, session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_two_active_access_key:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
)
return audit_info
@mock_iam
def test_iam_user_two_active_access_key(self):
# Create IAM Mocked Resources
@@ -17,12 +44,17 @@ class Test_iam_user_two_active_access_key:
# Create Access Key 2
iam_client.create_access_key(UserName=user)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client",
new=IAM(current_audit_info),
):
@@ -51,12 +83,14 @@ class Test_iam_user_two_active_access_key:
# Create Access Key 1
iam_client.create_access_key(UserName=user)
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client",
new=IAM(current_audit_info),
):
@@ -84,12 +118,14 @@ class Test_iam_user_two_active_access_key:
user = "test1"
user_arn = iam_client.create_user(UserName=user)["User"]["Arn"]
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client",
new=IAM(current_audit_info),
):
@@ -112,12 +148,14 @@ class Test_iam_user_two_active_access_key:
@mock_iam
def test_iam_no_users(self):
from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info.audited_partition = "aws"
current_audit_info = self.set_mocked_audit_info()
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
), mock.patch(
"prowler.providers.aws.services.iam.iam_user_two_active_access_key.iam_user_two_active_access_key.iam_client",
new=IAM(current_audit_info),
):