mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
feat(aws): Add MFA flag if try to assume role in AWS (#2478)
Co-authored-by: Pepe Fagoaga <pepe@verica.io> Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
This commit is contained in:
Sebastian Nyberg
@@ -30,6 +30,13 @@ Those credentials must be associated to a user or role with proper permissions t
|
|||||||
|
|
||||||
> If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
|
> If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
|
||||||
|
|
||||||
|
### Multi-Factor Authentication
|
||||||
|
|
||||||
|
If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:
|
||||||
|
|
||||||
|
- ARN of your MFA device
|
||||||
|
- TOTP (Time-Based One-Time Password)
|
||||||
|
|
||||||
## Azure
|
## Azure
|
||||||
|
|
||||||
Prowler for azure supports the following authentication types:
|
Prowler for azure supports the following authentication types:
|
||||||
|
|||||||
31
docs/tutorials/aws/authentication.md
Normal file
31
docs/tutorials/aws/authentication.md
Normal file
@@ -0,0 +1,31 @@
|
|||||||
|
# AWS Authentication
|
||||||
|
|
||||||
|
Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
|
||||||
|
|
||||||
|
```console
|
||||||
|
aws configure
|
||||||
|
```
|
||||||
|
|
||||||
|
or
|
||||||
|
|
||||||
|
```console
|
||||||
|
export AWS_ACCESS_KEY_ID="ASXXXXXXX"
|
||||||
|
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
|
||||||
|
export AWS_SESSION_TOKEN="XXXXXXXXX"
|
||||||
|
```
|
||||||
|
|
||||||
|
Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
|
||||||
|
|
||||||
|
- arn:aws:iam::aws:policy/SecurityAudit
|
||||||
|
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
|
||||||
|
|
||||||
|
> Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
|
||||||
|
|
||||||
|
> If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
|
||||||
|
|
||||||
|
## Multi-Factor Authentication
|
||||||
|
|
||||||
|
If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:
|
||||||
|
|
||||||
|
- ARN of your MFA device
|
||||||
|
- TOTP (Time-Based One-Time Password)
|
||||||
@@ -5,7 +5,7 @@ Prowler uses the AWS SDK (Boto3) underneath so it uses the same authentication m
|
|||||||
However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on each use case:
|
However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on each use case:
|
||||||
|
|
||||||
1. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `prowler aws -p/--profile your-custom-profile`.
|
1. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `prowler aws -p/--profile your-custom-profile`.
|
||||||
- An example profile that performs role-chaining is given below. The `credential_source` can either be set to `Environment`, `Ec2InstanceMetadata`, or `EcsContainer`.
|
- An example profile that performs role-chaining is given below. The `credential_source` can either be set to `Environment`, `Ec2InstanceMetadata`, or `EcsContainer`.
|
||||||
- Alternatively, you could use the `source_profile` instead of `credential_source` to specify a separate named profile that contains IAM user credentials with permission to assume the target the role. More information can be found [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).
|
- Alternatively, you could use the `source_profile` instead of `credential_source` to specify a separate named profile that contains IAM user credentials with permission to assume the target the role. More information can be found [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).
|
||||||
```
|
```
|
||||||
[profile crossaccountrole]
|
[profile crossaccountrole]
|
||||||
@@ -23,6 +23,13 @@ prowler aws -R arn:aws:iam::<account_id>:role/<role_name>
|
|||||||
prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R arn:aws:iam::<account_id>:role/<role_name>
|
prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R arn:aws:iam::<account_id>:role/<role_name>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Role MFA
|
||||||
|
|
||||||
|
If your IAM Role has MFA configured you can use `--mfa` along with `-R`/`--role <role_arn>` and Prowler will ask you to input the following values to get a new temporary session for the IAM Role provided:
|
||||||
|
- ARN of your MFA device
|
||||||
|
- TOTP (Time-Based One-Time Password)
|
||||||
|
|
||||||
|
|
||||||
## Create Role
|
## Create Role
|
||||||
|
|
||||||
To create a role to be assumed in one or multiple accounts you can use either as CloudFormation Stack or StackSet the following [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml) and adapt it.
|
To create a role to be assumed in one or multiple accounts you can use either as CloudFormation Stack or StackSet the following [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml) and adapt it.
|
||||||
|
|||||||
@@ -40,6 +40,7 @@ nav:
|
|||||||
- Pentesting: tutorials/pentesting.md
|
- Pentesting: tutorials/pentesting.md
|
||||||
- Developer Guide: tutorials/developer-guide.md
|
- Developer Guide: tutorials/developer-guide.md
|
||||||
- AWS:
|
- AWS:
|
||||||
|
- Authentication: tutorials/aws/authentication.md
|
||||||
- Assume Role: tutorials/aws/role-assumption.md
|
- Assume Role: tutorials/aws/role-assumption.md
|
||||||
- AWS Security Hub: tutorials/aws/securityhub.md
|
- AWS Security Hub: tutorials/aws/securityhub.md
|
||||||
- AWS Organizations: tutorials/aws/organizations.md
|
- AWS Organizations: tutorials/aws/organizations.md
|
||||||
|
|||||||
@@ -289,6 +289,11 @@ Detailed documentation at https://docs.prowler.cloud
|
|||||||
help="ARN of the role to be assumed",
|
help="ARN of the role to be assumed",
|
||||||
# Pending ARN validation
|
# Pending ARN validation
|
||||||
)
|
)
|
||||||
|
aws_auth_subparser.add_argument(
|
||||||
|
"--mfa",
|
||||||
|
action="store_true",
|
||||||
|
help="IAM entity enforces MFA so you need to input the MFA ARN and the TOTP",
|
||||||
|
)
|
||||||
aws_auth_subparser.add_argument(
|
aws_auth_subparser.add_argument(
|
||||||
"-T",
|
"-T",
|
||||||
"--session-duration",
|
"--session-duration",
|
||||||
|
|||||||
@@ -2,7 +2,7 @@ import os
|
|||||||
import pathlib
|
import pathlib
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
from boto3 import session
|
from boto3 import client, session
|
||||||
from botocore.credentials import RefreshableCredentials
|
from botocore.credentials import RefreshableCredentials
|
||||||
from botocore.session import get_session
|
from botocore.session import get_session
|
||||||
|
|
||||||
@@ -25,8 +25,8 @@ class AWS_Provider:
|
|||||||
|
|
||||||
def set_session(self, audit_info):
|
def set_session(self, audit_info):
|
||||||
try:
|
try:
|
||||||
|
# If we receive a credentials object filled is coming form an assumed role, so renewal is needed
|
||||||
if audit_info.credentials:
|
if audit_info.credentials:
|
||||||
# If we receive a credentials object filled is coming form an assumed role, so renewal is needed
|
|
||||||
logger.info("Creating session for assumed role ...")
|
logger.info("Creating session for assumed role ...")
|
||||||
# From botocore we can use RefreshableCredentials class, which has an attribute (refresh_using)
|
# From botocore we can use RefreshableCredentials class, which has an attribute (refresh_using)
|
||||||
# that needs to be a method without arguments that retrieves a new set of fresh credentials
|
# that needs to be a method without arguments that retrieves a new set of fresh credentials
|
||||||
@@ -52,9 +52,37 @@ class AWS_Provider:
|
|||||||
# If we do not receive credentials start the session using the profile
|
# If we do not receive credentials start the session using the profile
|
||||||
else:
|
else:
|
||||||
logger.info("Creating session for not assumed identity ...")
|
logger.info("Creating session for not assumed identity ...")
|
||||||
return session.Session(profile_name=audit_info.profile)
|
# Input MFA only if a role is not going to be assumed
|
||||||
|
if audit_info.mfa_enabled and not audit_info.assumed_role_info.role_arn:
|
||||||
|
mfa_ARN, mfa_TOTP = input_role_mfa_token_and_code()
|
||||||
|
get_session_token_arguments = {
|
||||||
|
"SerialNumber": mfa_ARN,
|
||||||
|
"TokenCode": mfa_TOTP,
|
||||||
|
}
|
||||||
|
sts_client = client("sts")
|
||||||
|
session_credentials = sts_client.get_session_token(
|
||||||
|
**get_session_token_arguments
|
||||||
|
)
|
||||||
|
return session.Session(
|
||||||
|
aws_access_key_id=session_credentials["Credentials"][
|
||||||
|
"AccessKeyId"
|
||||||
|
],
|
||||||
|
aws_secret_access_key=session_credentials["Credentials"][
|
||||||
|
"SecretAccessKey"
|
||||||
|
],
|
||||||
|
aws_session_token=session_credentials["Credentials"][
|
||||||
|
"SessionToken"
|
||||||
|
],
|
||||||
|
profile_name=audit_info.profile,
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
return session.Session(
|
||||||
|
profile_name=audit_info.profile,
|
||||||
|
)
|
||||||
except Exception as error:
|
except Exception as error:
|
||||||
logger.critical(f"{error.__class__.__name__} -- {error}")
|
logger.critical(
|
||||||
|
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
|
||||||
|
)
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
# Refresh credentials method using assume role
|
# Refresh credentials method using assume role
|
||||||
@@ -79,31 +107,40 @@ class AWS_Provider:
|
|||||||
|
|
||||||
def assume_role(session: session.Session, assumed_role_info: AWS_Assume_Role) -> dict:
|
def assume_role(session: session.Session, assumed_role_info: AWS_Assume_Role) -> dict:
|
||||||
try:
|
try:
|
||||||
|
assume_role_arguments = {
|
||||||
|
"RoleArn": assumed_role_info.role_arn,
|
||||||
|
"RoleSessionName": "ProwlerAsessmentSession",
|
||||||
|
"DurationSeconds": assumed_role_info.session_duration,
|
||||||
|
}
|
||||||
|
|
||||||
|
if assumed_role_info.external_id:
|
||||||
|
assume_role_arguments["ExternalId"] = assumed_role_info.external_id
|
||||||
|
|
||||||
|
if assumed_role_info.mfa_enabled:
|
||||||
|
mfa_ARN, mfa_TOTP = input_role_mfa_token_and_code()
|
||||||
|
assume_role_arguments["SerialNumber"] = mfa_ARN
|
||||||
|
assume_role_arguments["TokenCode"] = mfa_TOTP
|
||||||
|
|
||||||
# set the info to assume the role from the partition, account and role name
|
# set the info to assume the role from the partition, account and role name
|
||||||
sts_client = session.client("sts")
|
sts_client = session.client("sts")
|
||||||
# If external id, set it to the assume role api call
|
assumed_credentials = sts_client.assume_role(**assume_role_arguments)
|
||||||
if assumed_role_info.external_id:
|
|
||||||
assumed_credentials = sts_client.assume_role(
|
|
||||||
RoleArn=assumed_role_info.role_arn,
|
|
||||||
RoleSessionName="ProwlerAsessmentSession",
|
|
||||||
DurationSeconds=assumed_role_info.session_duration,
|
|
||||||
ExternalId=assumed_role_info.external_id,
|
|
||||||
)
|
|
||||||
# else assume the role without the external id
|
|
||||||
else:
|
|
||||||
assumed_credentials = sts_client.assume_role(
|
|
||||||
RoleArn=assumed_role_info.role_arn,
|
|
||||||
RoleSessionName="ProwlerProAsessmentSession",
|
|
||||||
DurationSeconds=assumed_role_info.session_duration,
|
|
||||||
)
|
|
||||||
except Exception as error:
|
except Exception as error:
|
||||||
logger.critical(f"{error.__class__.__name__} -- {error}")
|
logger.critical(
|
||||||
|
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
|
||||||
|
)
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
return assumed_credentials
|
return assumed_credentials
|
||||||
|
|
||||||
|
|
||||||
|
def input_role_mfa_token_and_code() -> tuple[str]:
|
||||||
|
"""input_role_mfa_token_and_code ask for the AWS MFA ARN and TOTP and returns it."""
|
||||||
|
mfa_ARN = input("Enter ARN of MFA: ")
|
||||||
|
mfa_TOTP = input("Enter MFA code: ")
|
||||||
|
return (mfa_ARN.strip(), mfa_TOTP.strip())
|
||||||
|
|
||||||
|
|
||||||
def generate_regional_clients(
|
def generate_regional_clients(
|
||||||
service: str, audit_info: AWS_Audit_Info, global_service: bool = False
|
service: str, audit_info: AWS_Audit_Info, global_service: bool = False
|
||||||
) -> dict:
|
) -> dict:
|
||||||
|
|||||||
@@ -29,7 +29,9 @@ current_audit_info = AWS_Audit_Info(
|
|||||||
role_arn=None,
|
role_arn=None,
|
||||||
session_duration=None,
|
session_duration=None,
|
||||||
external_id=None,
|
external_id=None,
|
||||||
|
mfa_enabled=None,
|
||||||
),
|
),
|
||||||
|
mfa_enabled=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
|
|||||||
@@ -19,6 +19,7 @@ class AWS_Assume_Role:
|
|||||||
role_arn: str
|
role_arn: str
|
||||||
session_duration: int
|
session_duration: int
|
||||||
external_id: str
|
external_id: str
|
||||||
|
mfa_enabled: bool
|
||||||
|
|
||||||
|
|
||||||
@dataclass
|
@dataclass
|
||||||
@@ -44,6 +45,7 @@ class AWS_Audit_Info:
|
|||||||
profile: str
|
profile: str
|
||||||
profile_region: str
|
profile_region: str
|
||||||
credentials: AWS_Credentials
|
credentials: AWS_Credentials
|
||||||
|
mfa_enabled: bool
|
||||||
assumed_role_info: AWS_Assume_Role
|
assumed_role_info: AWS_Assume_Role
|
||||||
audited_regions: list
|
audited_regions: list
|
||||||
audit_resources: list
|
audit_resources: list
|
||||||
|
|||||||
@@ -77,8 +77,10 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
|||||||
|
|
||||||
# Assume Role Options
|
# Assume Role Options
|
||||||
input_role = arguments.get("role")
|
input_role = arguments.get("role")
|
||||||
|
current_audit_info.assumed_role_info.role_arn = input_role
|
||||||
input_session_duration = arguments.get("session_duration")
|
input_session_duration = arguments.get("session_duration")
|
||||||
input_external_id = arguments.get("external_id")
|
input_external_id = arguments.get("external_id")
|
||||||
|
|
||||||
# Since the range(i,j) goes from i to j-1 we have to j+1
|
# Since the range(i,j) goes from i to j-1 we have to j+1
|
||||||
if input_session_duration and input_session_duration not in range(900, 43201):
|
if input_session_duration and input_session_duration not in range(900, 43201):
|
||||||
raise Exception("Value for -T option must be between 900 and 43200")
|
raise Exception("Value for -T option must be between 900 and 43200")
|
||||||
@@ -89,6 +91,10 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
|||||||
if not input_role:
|
if not input_role:
|
||||||
raise Exception("To use -I/-T options -R option is needed")
|
raise Exception("To use -I/-T options -R option is needed")
|
||||||
|
|
||||||
|
# MFA Configuration (false by default)
|
||||||
|
input_mfa = arguments.get("mfa")
|
||||||
|
current_audit_info.mfa_enabled = input_mfa
|
||||||
|
|
||||||
input_profile = arguments.get("profile")
|
input_profile = arguments.get("profile")
|
||||||
input_regions = arguments.get("region")
|
input_regions = arguments.get("region")
|
||||||
organizations_role_arn = arguments.get("organizations_role")
|
organizations_role_arn = arguments.get("organizations_role")
|
||||||
@@ -143,6 +149,8 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
|||||||
current_audit_info.assumed_role_info.session_duration = (
|
current_audit_info.assumed_role_info.session_duration = (
|
||||||
input_session_duration
|
input_session_duration
|
||||||
)
|
)
|
||||||
|
current_audit_info.assumed_role_info.external_id = input_external_id
|
||||||
|
current_audit_info.assumed_role_info.mfa_enabled = input_mfa
|
||||||
|
|
||||||
# Check if role arn is valid
|
# Check if role arn is valid
|
||||||
try:
|
try:
|
||||||
@@ -174,6 +182,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
|||||||
input_session_duration
|
input_session_duration
|
||||||
)
|
)
|
||||||
current_audit_info.assumed_role_info.external_id = input_external_id
|
current_audit_info.assumed_role_info.external_id = input_external_id
|
||||||
|
current_audit_info.assumed_role_info.mfa_enabled = input_mfa
|
||||||
|
|
||||||
# Check if role arn is valid
|
# Check if role arn is valid
|
||||||
try:
|
try:
|
||||||
@@ -210,6 +219,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
|||||||
)
|
)
|
||||||
# new session is needed
|
# new session is needed
|
||||||
assumed_session = aws_provider.set_session(current_audit_info)
|
assumed_session = aws_provider.set_session(current_audit_info)
|
||||||
|
|
||||||
if assumed_session:
|
if assumed_session:
|
||||||
logger.info("Audit session is the new session created assuming role")
|
logger.info("Audit session is the new session created assuming role")
|
||||||
current_audit_info.audit_session = assumed_session
|
current_audit_info.audit_session = assumed_session
|
||||||
@@ -219,6 +229,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
|||||||
else:
|
else:
|
||||||
logger.info("Audit session is the original one")
|
logger.info("Audit session is the original one")
|
||||||
current_audit_info.audit_session = current_audit_info.original_session
|
current_audit_info.audit_session = current_audit_info.original_session
|
||||||
|
|
||||||
# Setting default region of session
|
# Setting default region of session
|
||||||
if current_audit_info.audit_session.region_name:
|
if current_audit_info.audit_session.region_name:
|
||||||
current_audit_info.profile_region = (
|
current_audit_info.profile_region = (
|
||||||
|
|||||||
@@ -157,6 +157,7 @@ class Test_Check:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -677,6 +677,12 @@ class Test_Parser:
|
|||||||
parsed = self.parser.parse(command)
|
parsed = self.parser.parse(command)
|
||||||
assert parsed.role == role
|
assert parsed.role == role
|
||||||
|
|
||||||
|
def test_aws_parser_mfa(self):
|
||||||
|
argument = "--mfa"
|
||||||
|
command = [prowler_command, argument]
|
||||||
|
parsed = self.parser.parse(command)
|
||||||
|
assert parsed.mfa
|
||||||
|
|
||||||
def test_aws_parser_session_duration_short(self):
|
def test_aws_parser_session_duration_short(self):
|
||||||
argument = "-T"
|
argument = "-T"
|
||||||
duration = "900"
|
duration = "900"
|
||||||
|
|||||||
@@ -94,6 +94,7 @@ class Test_Outputs:
|
|||||||
audited_regions=["eu-west-2", "eu-west-1"],
|
audited_regions=["eu-west-2", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
test_output_modes = [
|
test_output_modes = [
|
||||||
["csv"],
|
["csv"],
|
||||||
@@ -413,6 +414,7 @@ class Test_Outputs:
|
|||||||
audited_regions=["eu-west-2", "eu-west-1"],
|
audited_regions=["eu-west-2", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
finding = Check_Report(
|
finding = Check_Report(
|
||||||
load_check_metadata(
|
load_check_metadata(
|
||||||
@@ -489,6 +491,7 @@ class Test_Outputs:
|
|||||||
audited_regions=["eu-west-2", "eu-west-1"],
|
audited_regions=["eu-west-2", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
# Creat mock bucket
|
# Creat mock bucket
|
||||||
bucket_name = "test_bucket"
|
bucket_name = "test_bucket"
|
||||||
@@ -539,6 +542,7 @@ class Test_Outputs:
|
|||||||
audited_regions=["eu-west-2", "eu-west-1"],
|
audited_regions=["eu-west-2", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
# Creat mock bucket
|
# Creat mock bucket
|
||||||
bucket_name = "test_bucket"
|
bucket_name = "test_bucket"
|
||||||
@@ -596,6 +600,7 @@ class Test_Outputs:
|
|||||||
audited_regions=["eu-west-2", "eu-west-1"],
|
audited_regions=["eu-west-2", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
# Creat mock bucket
|
# Creat mock bucket
|
||||||
bucket_name = "test_bucket"
|
bucket_name = "test_bucket"
|
||||||
@@ -704,6 +709,7 @@ class Test_Outputs:
|
|||||||
audited_regions=["eu-west-2", "eu-west-1"],
|
audited_regions=["eu-west-2", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
finding = Check_Report(
|
finding = Check_Report(
|
||||||
load_check_metadata(
|
load_check_metadata(
|
||||||
|
|||||||
@@ -43,6 +43,7 @@ class Test_Slack_Integration:
|
|||||||
audited_regions=["eu-west-2", "eu-west-1"],
|
audited_regions=["eu-west-2", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
gcp_audit_info = GCP_Audit_Info(
|
gcp_audit_info = GCP_Audit_Info(
|
||||||
credentials=None,
|
credentials=None,
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
import boto3
|
import boto3
|
||||||
import sure # noqa
|
import sure # noqa
|
||||||
|
from mock import patch
|
||||||
from moto import mock_iam, mock_sts
|
from moto import mock_iam, mock_sts
|
||||||
|
|
||||||
from prowler.providers.aws.aws_provider import (
|
from prowler.providers.aws.aws_provider import (
|
||||||
@@ -15,13 +16,13 @@ ACCOUNT_ID = 123456789012
|
|||||||
class Test_AWS_Provider:
|
class Test_AWS_Provider:
|
||||||
@mock_iam
|
@mock_iam
|
||||||
@mock_sts
|
@mock_sts
|
||||||
def test_assume_role(self):
|
def test_assume_role_without_mfa(self):
|
||||||
# Variables
|
# Variables
|
||||||
role_name = "test-role"
|
role_name = "test-role"
|
||||||
role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"
|
role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"
|
||||||
session_duration_seconds = 900
|
session_duration_seconds = 900
|
||||||
audited_regions = "eu-west-1"
|
audited_regions = "eu-west-1"
|
||||||
sessionName = "ProwlerProAsessmentSession"
|
sessionName = "ProwlerAsessmentSession"
|
||||||
# Boto 3 client to create our user
|
# Boto 3 client to create our user
|
||||||
iam_client = boto3.client("iam", region_name="us-east-1")
|
iam_client = boto3.client("iam", region_name="us-east-1")
|
||||||
# IAM user
|
# IAM user
|
||||||
@@ -55,10 +56,12 @@ class Test_AWS_Provider:
|
|||||||
role_arn=role_arn,
|
role_arn=role_arn,
|
||||||
session_duration=session_duration_seconds,
|
session_duration=session_duration_seconds,
|
||||||
external_id=None,
|
external_id=None,
|
||||||
|
mfa_enabled=False,
|
||||||
),
|
),
|
||||||
audited_regions=audited_regions,
|
audited_regions=audited_regions,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
# Call assume_role
|
# Call assume_role
|
||||||
@@ -92,6 +95,92 @@ class Test_AWS_Provider:
|
|||||||
21 + 1 + len(sessionName)
|
21 + 1 + len(sessionName)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@mock_iam
|
||||||
|
@mock_sts
|
||||||
|
def test_assume_role_with_mfa(self):
|
||||||
|
# Variables
|
||||||
|
role_name = "test-role"
|
||||||
|
role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"
|
||||||
|
session_duration_seconds = 900
|
||||||
|
audited_regions = "eu-west-1"
|
||||||
|
sessionName = "ProwlerAsessmentSession"
|
||||||
|
# Boto 3 client to create our user
|
||||||
|
iam_client = boto3.client("iam", region_name="us-east-1")
|
||||||
|
# IAM user
|
||||||
|
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||||
|
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||||
|
"AccessKey"
|
||||||
|
]
|
||||||
|
access_key_id = access_key["AccessKeyId"]
|
||||||
|
secret_access_key = access_key["SecretAccessKey"]
|
||||||
|
# New Boto3 session with the previously create user
|
||||||
|
session = boto3.session.Session(
|
||||||
|
aws_access_key_id=access_key_id,
|
||||||
|
aws_secret_access_key=secret_access_key,
|
||||||
|
region_name="us-east-1",
|
||||||
|
)
|
||||||
|
|
||||||
|
# Fulfil the input session object for Prowler
|
||||||
|
audit_info = AWS_Audit_Info(
|
||||||
|
session_config=None,
|
||||||
|
original_session=session,
|
||||||
|
audit_session=None,
|
||||||
|
audited_account=None,
|
||||||
|
audited_account_arn=None,
|
||||||
|
audited_partition=None,
|
||||||
|
audited_identity_arn=None,
|
||||||
|
audited_user_id=None,
|
||||||
|
profile=None,
|
||||||
|
profile_region=None,
|
||||||
|
credentials=None,
|
||||||
|
assumed_role_info=AWS_Assume_Role(
|
||||||
|
role_arn=role_arn,
|
||||||
|
session_duration=session_duration_seconds,
|
||||||
|
external_id=None,
|
||||||
|
mfa_enabled=True,
|
||||||
|
),
|
||||||
|
audited_regions=audited_regions,
|
||||||
|
organizations_metadata=None,
|
||||||
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Call assume_role
|
||||||
|
aws_provider = AWS_Provider(audit_info)
|
||||||
|
# Patch MFA
|
||||||
|
with patch(
|
||||||
|
"prowler.providers.aws.aws_provider.input_role_mfa_token_and_code",
|
||||||
|
return_value=(f"arn:aws:iam::{ACCOUNT_ID}:mfa/test-role-mfa", "111111"),
|
||||||
|
):
|
||||||
|
assume_role_response = assume_role(
|
||||||
|
aws_provider.aws_session, aws_provider.role_info
|
||||||
|
)
|
||||||
|
# Recover credentials for the assume role operation
|
||||||
|
credentials = assume_role_response["Credentials"]
|
||||||
|
# Test the response
|
||||||
|
# SessionToken
|
||||||
|
credentials["SessionToken"].should.have.length_of(356)
|
||||||
|
credentials["SessionToken"].startswith("FQoGZXIvYXdzE")
|
||||||
|
# AccessKeyId
|
||||||
|
credentials["AccessKeyId"].should.have.length_of(20)
|
||||||
|
credentials["AccessKeyId"].startswith("ASIA")
|
||||||
|
# SecretAccessKey
|
||||||
|
credentials["SecretAccessKey"].should.have.length_of(40)
|
||||||
|
# Assumed Role
|
||||||
|
assume_role_response["AssumedRoleUser"]["Arn"].should.equal(
|
||||||
|
f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{role_name}/{sessionName}"
|
||||||
|
)
|
||||||
|
# AssumedRoleUser
|
||||||
|
assert assume_role_response["AssumedRoleUser"]["AssumedRoleId"].startswith(
|
||||||
|
"AROA"
|
||||||
|
)
|
||||||
|
assert assume_role_response["AssumedRoleUser"]["AssumedRoleId"].endswith(
|
||||||
|
":" + sessionName
|
||||||
|
)
|
||||||
|
assume_role_response["AssumedRoleUser"][
|
||||||
|
"AssumedRoleId"
|
||||||
|
].should.have.length_of(21 + 1 + len(sessionName))
|
||||||
|
|
||||||
def test_generate_regional_clients(self):
|
def test_generate_regional_clients(self):
|
||||||
# New Boto3 session with the previously create user
|
# New Boto3 session with the previously create user
|
||||||
session = boto3.session.Session(
|
session = boto3.session.Session(
|
||||||
@@ -115,6 +204,7 @@ class Test_AWS_Provider:
|
|||||||
audited_regions=audited_regions,
|
audited_regions=audited_regions,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
generate_regional_clients_response = generate_regional_clients(
|
generate_regional_clients_response = generate_regional_clients(
|
||||||
"ec2", audit_info
|
"ec2", audit_info
|
||||||
@@ -146,6 +236,7 @@ class Test_AWS_Provider:
|
|||||||
audited_regions=audited_regions,
|
audited_regions=audited_regions,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
generate_regional_clients_response = generate_regional_clients(
|
generate_regional_clients_response = generate_regional_clients(
|
||||||
"route53", audit_info, global_service=True
|
"route53", audit_info, global_service=True
|
||||||
@@ -176,6 +267,7 @@ class Test_AWS_Provider:
|
|||||||
audited_regions=audited_regions,
|
audited_regions=audited_regions,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
generate_regional_clients_response = generate_regional_clients(
|
generate_regional_clients_response = generate_regional_clients(
|
||||||
"shield", audit_info, global_service=True
|
"shield", audit_info, global_service=True
|
||||||
|
|||||||
@@ -37,6 +37,7 @@ class Test_Allowlist:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -90,6 +90,7 @@ class Test_AccessAnalyzer_Service:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -116,6 +116,7 @@ class Test_ACM_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_apigateway_authorizers_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_apigateway_client_certificate_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_apigateway_endpoint_public:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_apigateway_logging_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_APIGateway_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_apigateway_waf_acl_attached:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -59,6 +59,7 @@ class Test_apigatewayv2_access_logging_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -59,6 +59,7 @@ class Test_apigatewayv2_authorizers_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -61,6 +61,7 @@ class Test_ApiGatewayV2_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -83,6 +83,7 @@ class Test_AppStream_Service:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_autoscaling_find_secrets_ec2_launch_configuration:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_autoscaling_group_multiple_az:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_AutoScaling_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -45,6 +45,7 @@ class Test_awslambda_function_invoke_api_operations_cloudtrail_logging_enabled:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -87,6 +87,7 @@ class Test_Lambda_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
audit_metadata=Audit_Metadata(
|
audit_metadata=Audit_Metadata(
|
||||||
services_scanned=0,
|
services_scanned=0,
|
||||||
# We need to set this check to call __list_functions__
|
# We need to set this check to call __list_functions__
|
||||||
|
|||||||
@@ -93,6 +93,7 @@ class Test_Backup_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -154,6 +154,7 @@ class Test_CloudFormation_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -175,6 +175,7 @@ class Test_CloudFront_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -36,6 +36,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudtrail_cloudwatch_logging_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_insights_exist:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_kms_encryption_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_log_file_validation_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_logs_s3_bucket_access_logging_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_logs_s3_bucket_is_not_publicly_accessible:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudtrail_multi_region_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
|
|||||||
audited_regions=["us-east-1"],
|
audited_regions=["us-east-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
|
|||||||
audited_regions=["us-east-1"],
|
audited_regions=["us-east-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -29,6 +29,7 @@ class Test_Cloudtrail_Service:
|
|||||||
audited_regions=["eu-west-1", "us-east-1"],
|
audited_regions=["eu-west-1", "us-east-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_changes_to_network_acls_alarm_configured:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_changes_to_network_gateways_alarm_configured:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_changes_to_network_route_tables_alarm_configured:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_changes_to_vpcs_alarm_configured:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudwatch_cross_account_sharing_disabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudwatch_log_group_kms_encryption_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_cloudwatch_log_group_no_secrets_in_logs:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_cloudwatch_log_group_retention_policy_specific_days_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_c
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_c
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_authentication_failures:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_aws_organizations_changes:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_for_s3_bucket_policy_changes:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_root_usage:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_sign_in_without_mfa:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -34,6 +34,7 @@ class Test_CloudWatch_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
audit_metadata=Audit_Metadata(
|
audit_metadata=Audit_Metadata(
|
||||||
services_scanned=0,
|
services_scanned=0,
|
||||||
# We need to set this check to call __describe_log_groups__
|
# We need to set this check to call __describe_log_groups__
|
||||||
|
|||||||
@@ -123,6 +123,7 @@ class Test_CodeArtifact_Service:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -72,6 +72,7 @@ class Test_Codebuild_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_config_recorder_all_regions_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_Config_Service:
|
|||||||
audited_regions=["eu-west-1", "us-east-1"],
|
audited_regions=["eu-west-1", "us-east-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -138,6 +138,7 @@ class Test_DirectoryService_Service:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -76,6 +76,7 @@ class Test_DRS_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_dynamodb_accelerator_cluster_encryption_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_DynamoDB_Service:
|
|||||||
audited_regions=None,
|
audited_regions=None,
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_dynamodb_tables_kms_cmk_encryption_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_dynamodb_tables_pitr_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_ami_public:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_ec2_ebs_default_encryption:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -41,6 +41,7 @@ class Test_ec2_ebs_public_snapshot:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -41,6 +41,7 @@ class Test_ec2_ebs_snapshots_encrypted:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_ec2_ebs_volume_encryption:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_ec2_elastic_ip_shodan:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_ec2_elastic_ip_unassgined:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_ec2_instance_imdsv2_enabled:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_ec2_instance_internet_facing_with_instance_profile:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -34,6 +34,7 @@ class Test_ec2_instance_older_than_specific_days:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_ec2_instance_profile_attached:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ class Test_ec2_instance_public_ip:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_instance_secrets_user_data:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class ec2_networkacl_allow_ingress_any_port:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_22:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_3389:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
|
|||||||
audited_regions=["us-east-1", "eu-west-1"],
|
audited_regions=["us-east-1", "eu-west-1"],
|
||||||
organizations_metadata=None,
|
organizations_metadata=None,
|
||||||
audit_resources=None,
|
audit_resources=None,
|
||||||
|
mfa_enabled=False,
|
||||||
)
|
)
|
||||||
|
|
||||||
return audit_info
|
return audit_info
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user