mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
feat(aws): Add MFA flag if try to assume role in AWS (#2478)
Co-authored-by: Pepe Fagoaga <pepe@verica.io> Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
This commit is contained in:
Sebastian Nyberg
@@ -30,6 +30,13 @@ Those credentials must be associated to a user or role with proper permissions t
|
||||
|
||||
> If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
|
||||
|
||||
### Multi-Factor Authentication
|
||||
|
||||
If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:
|
||||
|
||||
- ARN of your MFA device
|
||||
- TOTP (Time-Based One-Time Password)
|
||||
|
||||
## Azure
|
||||
|
||||
Prowler for azure supports the following authentication types:
|
||||
|
||||
31
docs/tutorials/aws/authentication.md
Normal file
31
docs/tutorials/aws/authentication.md
Normal file
@@ -0,0 +1,31 @@
|
||||
# AWS Authentication
|
||||
|
||||
Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly (or instance profile/role):
|
||||
|
||||
```console
|
||||
aws configure
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```console
|
||||
export AWS_ACCESS_KEY_ID="ASXXXXXXX"
|
||||
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
|
||||
export AWS_SESSION_TOKEN="XXXXXXXXX"
|
||||
```
|
||||
|
||||
Those credentials must be associated to a user or role with proper permissions to do all checks. To make sure, add the following AWS managed policies to the user or role being used:
|
||||
|
||||
- arn:aws:iam::aws:policy/SecurityAudit
|
||||
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
|
||||
|
||||
> Moreover, some read-only additional permissions are needed for several checks, make sure you attach also the custom policy [prowler-additions-policy.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-additions-policy.json) to the role you are using.
|
||||
|
||||
> If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json).
|
||||
|
||||
## Multi-Factor Authentication
|
||||
|
||||
If your IAM entity enforces MFA you can use `--mfa` and Prowler will ask you to input the following values to get a new session:
|
||||
|
||||
- ARN of your MFA device
|
||||
- TOTP (Time-Based One-Time Password)
|
||||
@@ -5,7 +5,7 @@ Prowler uses the AWS SDK (Boto3) underneath so it uses the same authentication m
|
||||
However, there are few ways to run Prowler against multiple accounts using IAM Assume Role feature depending on each use case:
|
||||
|
||||
1. You can just set up your custom profile inside `~/.aws/config` with all needed information about the role to assume then call it with `prowler aws -p/--profile your-custom-profile`.
|
||||
- An example profile that performs role-chaining is given below. The `credential_source` can either be set to `Environment`, `Ec2InstanceMetadata`, or `EcsContainer`.
|
||||
- An example profile that performs role-chaining is given below. The `credential_source` can either be set to `Environment`, `Ec2InstanceMetadata`, or `EcsContainer`.
|
||||
- Alternatively, you could use the `source_profile` instead of `credential_source` to specify a separate named profile that contains IAM user credentials with permission to assume the target the role. More information can be found [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).
|
||||
```
|
||||
[profile crossaccountrole]
|
||||
@@ -23,6 +23,13 @@ prowler aws -R arn:aws:iam::<account_id>:role/<role_name>
|
||||
prowler aws -T/--session-duration <seconds> -I/--external-id <external_id> -R arn:aws:iam::<account_id>:role/<role_name>
|
||||
```
|
||||
|
||||
## Role MFA
|
||||
|
||||
If your IAM Role has MFA configured you can use `--mfa` along with `-R`/`--role <role_arn>` and Prowler will ask you to input the following values to get a new temporary session for the IAM Role provided:
|
||||
- ARN of your MFA device
|
||||
- TOTP (Time-Based One-Time Password)
|
||||
|
||||
|
||||
## Create Role
|
||||
|
||||
To create a role to be assumed in one or multiple accounts you can use either as CloudFormation Stack or StackSet the following [template](https://github.com/prowler-cloud/prowler/blob/master/permissions/create_role_to_assume_cfn.yaml) and adapt it.
|
||||
|
||||
@@ -40,6 +40,7 @@ nav:
|
||||
- Pentesting: tutorials/pentesting.md
|
||||
- Developer Guide: tutorials/developer-guide.md
|
||||
- AWS:
|
||||
- Authentication: tutorials/aws/authentication.md
|
||||
- Assume Role: tutorials/aws/role-assumption.md
|
||||
- AWS Security Hub: tutorials/aws/securityhub.md
|
||||
- AWS Organizations: tutorials/aws/organizations.md
|
||||
|
||||
@@ -289,6 +289,11 @@ Detailed documentation at https://docs.prowler.cloud
|
||||
help="ARN of the role to be assumed",
|
||||
# Pending ARN validation
|
||||
)
|
||||
aws_auth_subparser.add_argument(
|
||||
"--mfa",
|
||||
action="store_true",
|
||||
help="IAM entity enforces MFA so you need to input the MFA ARN and the TOTP",
|
||||
)
|
||||
aws_auth_subparser.add_argument(
|
||||
"-T",
|
||||
"--session-duration",
|
||||
|
||||
@@ -2,7 +2,7 @@ import os
|
||||
import pathlib
|
||||
import sys
|
||||
|
||||
from boto3 import session
|
||||
from boto3 import client, session
|
||||
from botocore.credentials import RefreshableCredentials
|
||||
from botocore.session import get_session
|
||||
|
||||
@@ -25,8 +25,8 @@ class AWS_Provider:
|
||||
|
||||
def set_session(self, audit_info):
|
||||
try:
|
||||
# If we receive a credentials object filled is coming form an assumed role, so renewal is needed
|
||||
if audit_info.credentials:
|
||||
# If we receive a credentials object filled is coming form an assumed role, so renewal is needed
|
||||
logger.info("Creating session for assumed role ...")
|
||||
# From botocore we can use RefreshableCredentials class, which has an attribute (refresh_using)
|
||||
# that needs to be a method without arguments that retrieves a new set of fresh credentials
|
||||
@@ -52,9 +52,37 @@ class AWS_Provider:
|
||||
# If we do not receive credentials start the session using the profile
|
||||
else:
|
||||
logger.info("Creating session for not assumed identity ...")
|
||||
return session.Session(profile_name=audit_info.profile)
|
||||
# Input MFA only if a role is not going to be assumed
|
||||
if audit_info.mfa_enabled and not audit_info.assumed_role_info.role_arn:
|
||||
mfa_ARN, mfa_TOTP = input_role_mfa_token_and_code()
|
||||
get_session_token_arguments = {
|
||||
"SerialNumber": mfa_ARN,
|
||||
"TokenCode": mfa_TOTP,
|
||||
}
|
||||
sts_client = client("sts")
|
||||
session_credentials = sts_client.get_session_token(
|
||||
**get_session_token_arguments
|
||||
)
|
||||
return session.Session(
|
||||
aws_access_key_id=session_credentials["Credentials"][
|
||||
"AccessKeyId"
|
||||
],
|
||||
aws_secret_access_key=session_credentials["Credentials"][
|
||||
"SecretAccessKey"
|
||||
],
|
||||
aws_session_token=session_credentials["Credentials"][
|
||||
"SessionToken"
|
||||
],
|
||||
profile_name=audit_info.profile,
|
||||
)
|
||||
else:
|
||||
return session.Session(
|
||||
profile_name=audit_info.profile,
|
||||
)
|
||||
except Exception as error:
|
||||
logger.critical(f"{error.__class__.__name__} -- {error}")
|
||||
logger.critical(
|
||||
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
|
||||
)
|
||||
sys.exit(1)
|
||||
|
||||
# Refresh credentials method using assume role
|
||||
@@ -79,31 +107,40 @@ class AWS_Provider:
|
||||
|
||||
def assume_role(session: session.Session, assumed_role_info: AWS_Assume_Role) -> dict:
|
||||
try:
|
||||
assume_role_arguments = {
|
||||
"RoleArn": assumed_role_info.role_arn,
|
||||
"RoleSessionName": "ProwlerAsessmentSession",
|
||||
"DurationSeconds": assumed_role_info.session_duration,
|
||||
}
|
||||
|
||||
if assumed_role_info.external_id:
|
||||
assume_role_arguments["ExternalId"] = assumed_role_info.external_id
|
||||
|
||||
if assumed_role_info.mfa_enabled:
|
||||
mfa_ARN, mfa_TOTP = input_role_mfa_token_and_code()
|
||||
assume_role_arguments["SerialNumber"] = mfa_ARN
|
||||
assume_role_arguments["TokenCode"] = mfa_TOTP
|
||||
|
||||
# set the info to assume the role from the partition, account and role name
|
||||
sts_client = session.client("sts")
|
||||
# If external id, set it to the assume role api call
|
||||
if assumed_role_info.external_id:
|
||||
assumed_credentials = sts_client.assume_role(
|
||||
RoleArn=assumed_role_info.role_arn,
|
||||
RoleSessionName="ProwlerAsessmentSession",
|
||||
DurationSeconds=assumed_role_info.session_duration,
|
||||
ExternalId=assumed_role_info.external_id,
|
||||
)
|
||||
# else assume the role without the external id
|
||||
else:
|
||||
assumed_credentials = sts_client.assume_role(
|
||||
RoleArn=assumed_role_info.role_arn,
|
||||
RoleSessionName="ProwlerProAsessmentSession",
|
||||
DurationSeconds=assumed_role_info.session_duration,
|
||||
)
|
||||
assumed_credentials = sts_client.assume_role(**assume_role_arguments)
|
||||
except Exception as error:
|
||||
logger.critical(f"{error.__class__.__name__} -- {error}")
|
||||
logger.critical(
|
||||
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
|
||||
)
|
||||
sys.exit(1)
|
||||
|
||||
else:
|
||||
return assumed_credentials
|
||||
|
||||
|
||||
def input_role_mfa_token_and_code() -> tuple[str]:
|
||||
"""input_role_mfa_token_and_code ask for the AWS MFA ARN and TOTP and returns it."""
|
||||
mfa_ARN = input("Enter ARN of MFA: ")
|
||||
mfa_TOTP = input("Enter MFA code: ")
|
||||
return (mfa_ARN.strip(), mfa_TOTP.strip())
|
||||
|
||||
|
||||
def generate_regional_clients(
|
||||
service: str, audit_info: AWS_Audit_Info, global_service: bool = False
|
||||
) -> dict:
|
||||
|
||||
@@ -29,7 +29,9 @@ current_audit_info = AWS_Audit_Info(
|
||||
role_arn=None,
|
||||
session_duration=None,
|
||||
external_id=None,
|
||||
mfa_enabled=None,
|
||||
),
|
||||
mfa_enabled=None,
|
||||
audit_resources=None,
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
|
||||
@@ -19,6 +19,7 @@ class AWS_Assume_Role:
|
||||
role_arn: str
|
||||
session_duration: int
|
||||
external_id: str
|
||||
mfa_enabled: bool
|
||||
|
||||
|
||||
@dataclass
|
||||
@@ -44,6 +45,7 @@ class AWS_Audit_Info:
|
||||
profile: str
|
||||
profile_region: str
|
||||
credentials: AWS_Credentials
|
||||
mfa_enabled: bool
|
||||
assumed_role_info: AWS_Assume_Role
|
||||
audited_regions: list
|
||||
audit_resources: list
|
||||
|
||||
@@ -77,8 +77,10 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
||||
|
||||
# Assume Role Options
|
||||
input_role = arguments.get("role")
|
||||
current_audit_info.assumed_role_info.role_arn = input_role
|
||||
input_session_duration = arguments.get("session_duration")
|
||||
input_external_id = arguments.get("external_id")
|
||||
|
||||
# Since the range(i,j) goes from i to j-1 we have to j+1
|
||||
if input_session_duration and input_session_duration not in range(900, 43201):
|
||||
raise Exception("Value for -T option must be between 900 and 43200")
|
||||
@@ -89,6 +91,10 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
||||
if not input_role:
|
||||
raise Exception("To use -I/-T options -R option is needed")
|
||||
|
||||
# MFA Configuration (false by default)
|
||||
input_mfa = arguments.get("mfa")
|
||||
current_audit_info.mfa_enabled = input_mfa
|
||||
|
||||
input_profile = arguments.get("profile")
|
||||
input_regions = arguments.get("region")
|
||||
organizations_role_arn = arguments.get("organizations_role")
|
||||
@@ -143,6 +149,8 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
||||
current_audit_info.assumed_role_info.session_duration = (
|
||||
input_session_duration
|
||||
)
|
||||
current_audit_info.assumed_role_info.external_id = input_external_id
|
||||
current_audit_info.assumed_role_info.mfa_enabled = input_mfa
|
||||
|
||||
# Check if role arn is valid
|
||||
try:
|
||||
@@ -174,6 +182,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
||||
input_session_duration
|
||||
)
|
||||
current_audit_info.assumed_role_info.external_id = input_external_id
|
||||
current_audit_info.assumed_role_info.mfa_enabled = input_mfa
|
||||
|
||||
# Check if role arn is valid
|
||||
try:
|
||||
@@ -210,6 +219,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
||||
)
|
||||
# new session is needed
|
||||
assumed_session = aws_provider.set_session(current_audit_info)
|
||||
|
||||
if assumed_session:
|
||||
logger.info("Audit session is the new session created assuming role")
|
||||
current_audit_info.audit_session = assumed_session
|
||||
@@ -219,6 +229,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
|
||||
else:
|
||||
logger.info("Audit session is the original one")
|
||||
current_audit_info.audit_session = current_audit_info.original_session
|
||||
|
||||
# Setting default region of session
|
||||
if current_audit_info.audit_session.region_name:
|
||||
current_audit_info.profile_region = (
|
||||
|
||||
@@ -157,6 +157,7 @@ class Test_Check:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -677,6 +677,12 @@ class Test_Parser:
|
||||
parsed = self.parser.parse(command)
|
||||
assert parsed.role == role
|
||||
|
||||
def test_aws_parser_mfa(self):
|
||||
argument = "--mfa"
|
||||
command = [prowler_command, argument]
|
||||
parsed = self.parser.parse(command)
|
||||
assert parsed.mfa
|
||||
|
||||
def test_aws_parser_session_duration_short(self):
|
||||
argument = "-T"
|
||||
duration = "900"
|
||||
|
||||
@@ -94,6 +94,7 @@ class Test_Outputs:
|
||||
audited_regions=["eu-west-2", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
test_output_modes = [
|
||||
["csv"],
|
||||
@@ -413,6 +414,7 @@ class Test_Outputs:
|
||||
audited_regions=["eu-west-2", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
finding = Check_Report(
|
||||
load_check_metadata(
|
||||
@@ -489,6 +491,7 @@ class Test_Outputs:
|
||||
audited_regions=["eu-west-2", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
# Creat mock bucket
|
||||
bucket_name = "test_bucket"
|
||||
@@ -539,6 +542,7 @@ class Test_Outputs:
|
||||
audited_regions=["eu-west-2", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
# Creat mock bucket
|
||||
bucket_name = "test_bucket"
|
||||
@@ -596,6 +600,7 @@ class Test_Outputs:
|
||||
audited_regions=["eu-west-2", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
# Creat mock bucket
|
||||
bucket_name = "test_bucket"
|
||||
@@ -704,6 +709,7 @@ class Test_Outputs:
|
||||
audited_regions=["eu-west-2", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
finding = Check_Report(
|
||||
load_check_metadata(
|
||||
|
||||
@@ -43,6 +43,7 @@ class Test_Slack_Integration:
|
||||
audited_regions=["eu-west-2", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
gcp_audit_info = GCP_Audit_Info(
|
||||
credentials=None,
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import boto3
|
||||
import sure # noqa
|
||||
from mock import patch
|
||||
from moto import mock_iam, mock_sts
|
||||
|
||||
from prowler.providers.aws.aws_provider import (
|
||||
@@ -15,13 +16,13 @@ ACCOUNT_ID = 123456789012
|
||||
class Test_AWS_Provider:
|
||||
@mock_iam
|
||||
@mock_sts
|
||||
def test_assume_role(self):
|
||||
def test_assume_role_without_mfa(self):
|
||||
# Variables
|
||||
role_name = "test-role"
|
||||
role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"
|
||||
session_duration_seconds = 900
|
||||
audited_regions = "eu-west-1"
|
||||
sessionName = "ProwlerProAsessmentSession"
|
||||
sessionName = "ProwlerAsessmentSession"
|
||||
# Boto 3 client to create our user
|
||||
iam_client = boto3.client("iam", region_name="us-east-1")
|
||||
# IAM user
|
||||
@@ -55,10 +56,12 @@ class Test_AWS_Provider:
|
||||
role_arn=role_arn,
|
||||
session_duration=session_duration_seconds,
|
||||
external_id=None,
|
||||
mfa_enabled=False,
|
||||
),
|
||||
audited_regions=audited_regions,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
# Call assume_role
|
||||
@@ -92,6 +95,92 @@ class Test_AWS_Provider:
|
||||
21 + 1 + len(sessionName)
|
||||
)
|
||||
|
||||
@mock_iam
|
||||
@mock_sts
|
||||
def test_assume_role_with_mfa(self):
|
||||
# Variables
|
||||
role_name = "test-role"
|
||||
role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"
|
||||
session_duration_seconds = 900
|
||||
audited_regions = "eu-west-1"
|
||||
sessionName = "ProwlerAsessmentSession"
|
||||
# Boto 3 client to create our user
|
||||
iam_client = boto3.client("iam", region_name="us-east-1")
|
||||
# IAM user
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
# New Boto3 session with the previously create user
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name="us-east-1",
|
||||
)
|
||||
|
||||
# Fulfil the input session object for Prowler
|
||||
audit_info = AWS_Audit_Info(
|
||||
session_config=None,
|
||||
original_session=session,
|
||||
audit_session=None,
|
||||
audited_account=None,
|
||||
audited_account_arn=None,
|
||||
audited_partition=None,
|
||||
audited_identity_arn=None,
|
||||
audited_user_id=None,
|
||||
profile=None,
|
||||
profile_region=None,
|
||||
credentials=None,
|
||||
assumed_role_info=AWS_Assume_Role(
|
||||
role_arn=role_arn,
|
||||
session_duration=session_duration_seconds,
|
||||
external_id=None,
|
||||
mfa_enabled=True,
|
||||
),
|
||||
audited_regions=audited_regions,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
# Call assume_role
|
||||
aws_provider = AWS_Provider(audit_info)
|
||||
# Patch MFA
|
||||
with patch(
|
||||
"prowler.providers.aws.aws_provider.input_role_mfa_token_and_code",
|
||||
return_value=(f"arn:aws:iam::{ACCOUNT_ID}:mfa/test-role-mfa", "111111"),
|
||||
):
|
||||
assume_role_response = assume_role(
|
||||
aws_provider.aws_session, aws_provider.role_info
|
||||
)
|
||||
# Recover credentials for the assume role operation
|
||||
credentials = assume_role_response["Credentials"]
|
||||
# Test the response
|
||||
# SessionToken
|
||||
credentials["SessionToken"].should.have.length_of(356)
|
||||
credentials["SessionToken"].startswith("FQoGZXIvYXdzE")
|
||||
# AccessKeyId
|
||||
credentials["AccessKeyId"].should.have.length_of(20)
|
||||
credentials["AccessKeyId"].startswith("ASIA")
|
||||
# SecretAccessKey
|
||||
credentials["SecretAccessKey"].should.have.length_of(40)
|
||||
# Assumed Role
|
||||
assume_role_response["AssumedRoleUser"]["Arn"].should.equal(
|
||||
f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{role_name}/{sessionName}"
|
||||
)
|
||||
# AssumedRoleUser
|
||||
assert assume_role_response["AssumedRoleUser"]["AssumedRoleId"].startswith(
|
||||
"AROA"
|
||||
)
|
||||
assert assume_role_response["AssumedRoleUser"]["AssumedRoleId"].endswith(
|
||||
":" + sessionName
|
||||
)
|
||||
assume_role_response["AssumedRoleUser"][
|
||||
"AssumedRoleId"
|
||||
].should.have.length_of(21 + 1 + len(sessionName))
|
||||
|
||||
def test_generate_regional_clients(self):
|
||||
# New Boto3 session with the previously create user
|
||||
session = boto3.session.Session(
|
||||
@@ -115,6 +204,7 @@ class Test_AWS_Provider:
|
||||
audited_regions=audited_regions,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
generate_regional_clients_response = generate_regional_clients(
|
||||
"ec2", audit_info
|
||||
@@ -146,6 +236,7 @@ class Test_AWS_Provider:
|
||||
audited_regions=audited_regions,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
generate_regional_clients_response = generate_regional_clients(
|
||||
"route53", audit_info, global_service=True
|
||||
@@ -176,6 +267,7 @@ class Test_AWS_Provider:
|
||||
audited_regions=audited_regions,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
generate_regional_clients_response = generate_regional_clients(
|
||||
"shield", audit_info, global_service=True
|
||||
|
||||
@@ -37,6 +37,7 @@ class Test_Allowlist:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -90,6 +90,7 @@ class Test_AccessAnalyzer_Service:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -116,6 +116,7 @@ class Test_ACM_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_apigateway_authorizers_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_apigateway_client_certificate_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_apigateway_endpoint_public:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_apigateway_logging_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_APIGateway_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_apigateway_waf_acl_attached:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -59,6 +59,7 @@ class Test_apigatewayv2_access_logging_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -59,6 +59,7 @@ class Test_apigatewayv2_authorizers_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -61,6 +61,7 @@ class Test_ApiGatewayV2_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -83,6 +83,7 @@ class Test_AppStream_Service:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_autoscaling_find_secrets_ec2_launch_configuration:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_autoscaling_group_multiple_az:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_AutoScaling_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -45,6 +45,7 @@ class Test_awslambda_function_invoke_api_operations_cloudtrail_logging_enabled:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -87,6 +87,7 @@ class Test_Lambda_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
audit_metadata=Audit_Metadata(
|
||||
services_scanned=0,
|
||||
# We need to set this check to call __list_functions__
|
||||
|
||||
@@ -93,6 +93,7 @@ class Test_Backup_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -154,6 +154,7 @@ class Test_CloudFormation_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -175,6 +175,7 @@ class Test_CloudFront_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -36,6 +36,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudtrail_cloudwatch_logging_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_insights_exist:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_kms_encryption_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_log_file_validation_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_logs_s3_bucket_access_logging_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_logs_s3_bucket_is_not_publicly_accessible:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudtrail_multi_region_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
|
||||
audited_regions=["us-east-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
|
||||
audited_regions=["us-east-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -29,6 +29,7 @@ class Test_Cloudtrail_Service:
|
||||
audited_regions=["eu-west-1", "us-east-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_changes_to_network_acls_alarm_configured:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_changes_to_network_gateways_alarm_configured:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_changes_to_network_route_tables_alarm_configured:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_changes_to_vpcs_alarm_configured:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudwatch_cross_account_sharing_disabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudwatch_log_group_kms_encryption_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_cloudwatch_log_group_no_secrets_in_logs:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_cloudwatch_log_group_retention_policy_specific_days_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_c
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_c
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_authentication_failures:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_aws_organizations_changes:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_for_s3_bucket_policy_changes:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_root_usage:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_sign_in_without_mfa:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -34,6 +34,7 @@ class Test_CloudWatch_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
audit_metadata=Audit_Metadata(
|
||||
services_scanned=0,
|
||||
# We need to set this check to call __describe_log_groups__
|
||||
|
||||
@@ -123,6 +123,7 @@ class Test_CodeArtifact_Service:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -72,6 +72,7 @@ class Test_Codebuild_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_config_recorder_all_regions_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_Config_Service:
|
||||
audited_regions=["eu-west-1", "us-east-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -138,6 +138,7 @@ class Test_DirectoryService_Service:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -76,6 +76,7 @@ class Test_DRS_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_dynamodb_accelerator_cluster_encryption_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_DynamoDB_Service:
|
||||
audited_regions=None,
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
return audit_info
|
||||
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_dynamodb_tables_kms_cmk_encryption_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_dynamodb_tables_pitr_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_ami_public:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_ec2_ebs_default_encryption:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -41,6 +41,7 @@ class Test_ec2_ebs_public_snapshot:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -41,6 +41,7 @@ class Test_ec2_ebs_snapshots_encrypted:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_ec2_ebs_volume_encryption:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_ec2_elastic_ip_shodan:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_ec2_elastic_ip_unassgined:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_ec2_instance_imdsv2_enabled:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_ec2_instance_internet_facing_with_instance_profile:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -34,6 +34,7 @@ class Test_ec2_instance_older_than_specific_days:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_ec2_instance_profile_attached:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -32,6 +32,7 @@ class Test_ec2_instance_public_ip:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_instance_secrets_user_data:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class ec2_networkacl_allow_ingress_any_port:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_22:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -30,6 +30,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_3389:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
@@ -31,6 +31,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
)
|
||||
|
||||
return audit_info
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user