From 7bdca0420ed7ee82b5279f6d862a85975b5e4f74 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Mon, 31 Jul 2023 17:50:21 +0200
Subject: [PATCH] fix(cloudtrail): Set status to INFO when trail is outside the audited account (#2643)

---
 .../cloudtrail_bucket_requires_mfa_delete.py | 2 +-
 .../cloudtrail_logs_s3_bucket_access_logging_enabled.py | 1 +
 .../cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py | 1 +
 .../cloudtrail_bucket_requires_mfa_delete_test.py | 4 ++--
 .../cloudtrail_logs_s3_bucket_access_logging_enabled_test.py | 2 +-
 ...oudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py | 2 +-
 6 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py
index d03c1cb7..21582011 100644
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py
@@ -27,7 +27,7 @@ class cloudtrail_bucket_requires_mfa_delete(Check):
                     report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) has MFA delete enabled."
                 # check if trail bucket is a cross account bucket
                 if not trail_bucket_is_in_account:
-                    report.status = "PASS"
+                    report.status = "INFO"
                     report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
                 findings.append(report)
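Review bot: The INFO branch keys only on `trail_bucket_is_in_account`, so a trail whose bucket is merely not visible to the scanner — for instance because the S3 bucket listing failed or was skipped for lack of `s3:ListAllMyBuckets` — would be downgraded from FAIL/PASS to INFO exactly like a genuinely cross-account bucket; the flag is computed above this hunk, so this is inferred from the name rather than seen. If it is derived from the audited account's bucket list rather than from the bucket owner, consider distinguishing "unknown" from "cross-account", or at least state the assumption in the comment: `# INFO, not PASS: the bucket lives outside the audited account, so its MFA-delete setting cannot be read with the current credentials`. The message here ends with a period while the equivalent message in the other two checks of this patch does not; pick one form so the three findings and their tests stay consistent. The `execute` body starts and ends outside this hunk.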
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
index cffc5272..73505ba7 100644
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py
@@ -35,6 +35,7 @@ class cloudtrail_logs_s3_bucket_access_logging_enabled(Check):
                 # check if trail is delivering logs in a cross account bucket
                 if not trail_bucket_is_in_account:
+                    report.status = "INFO"
                     report.status_extended = f"Trail {trail.name} is delivering logs in a cross-account bucket {trail_bucket} in another account out of Prowler's permissions scope, please check it manually"
                 findings.append(report)
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py
index 1dfff638..5ed57ae6 100644
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py
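Review bot: The added `report.status = "INFO"` overwrites whatever status the loop assigned to `report` earlier (per the updated test this case used to surface as FAIL), and nothing in the code records why INFO is the intended outcome, so the next reader has to dig up PR #2643; a one-line comment above the assignment would carry that reasoning: `# INFO rather than FAIL: the bucket belongs to another account, so its access-logging configuration cannot be read with the audited account's credentials`. Because INFO findings are typically not counted as failures, a trail that ships logs to an unreadable bucket no longer weighs against the account — worth saying in the same comment so the trade-off is deliberate rather than accidental. The test matches this message with `search(...)`, so keep the `status_extended` wording unchanged if you add the comment. The surrounding `execute` body starts before this hunk.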
@@ -41,6 +41,7 @@ class cloudtrail_logs_s3_bucket_is_not_publicly_accessible(Check):
                             break
                 # check if trail bucket is a cross account bucket
                 if not trail_bucket_is_in_account:
+                    report.status = "INFO"
                     report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually"
                 findings.append(report)
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py
index a1f80833..b1ef26aa 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete_test.py
@@ -207,7 +207,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
             check = cloudtrail_bucket_requires_mfa_delete()
             result = check.execute()
             assert len(result) == 1
-            assert result[0].status == "PASS"
+            assert result[0].status == "INFO"
             assert (
                 result[0].status_extended
                 == f"Trail {trail_name_us} bucket ({bucket_name_us}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
@@ -259,7 +259,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
             check = cloudtrail_bucket_requires_mfa_delete()
             result = check.execute()
             assert len(result) == 1
-            assert result[0].status == "PASS"
+            assert result[0].status == "INFO"
             assert (
                 result[0].status_extended
                 == f"Trail {trail_name_us} bucket ({bucket_name_us}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
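Review bot: The cross-account test still runs only after the loop that the leading `break` belongs to has finished, so the public-access evaluation above this hunk is performed against a bucket the audited account cannot read before its result is thrown away by the INFO override; the loop itself is outside the hunk, so this is inferred. If that evaluation has nothing to inspect for a foreign bucket, hoisting `if not trail_bucket_is_in_account:` ahead of it (setting INFO, appending the report and `continue`-ing) would make the intent explicit and avoid computing a PASS/FAIL that is never reported. A publicly readable CloudTrail bucket is a real exposure that an INFO result hides, so the message should at least say what to verify, e.g. `... out of Prowler's permissions scope, please verify its bucket policy and ACL do not grant public access manually`; if a test matches the current wording by substring, adjust it in the same change. The enclosing `execute` body starts before this hunk.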
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py
index 81377db9..b1addcf1 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled_test.py
@@ -188,7 +188,7 @@ class Test_cloudtrail_logs_s3_bucket_access_logging_enabled:
             result = check.execute()
             assert len(result) == 1
-            assert result[0].status == "FAIL"
+            assert result[0].status == "INFO"
             assert search(
                 "in another account out of Prowler's permissions scope, please check it manually",
                 result[0].status_extended,
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py
index b510349c..c5b90c53 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible_test.py
@@ -250,7 +250,7 @@ class Test_cloudtrail_logs_s3_bucket_is_not_publicly_accessible:
             result = check.execute()
             assert len(result) == 1
-            assert result[0].status == "PASS"
+            assert result[0].status == "INFO"
             assert result[0].resource_id == trail_name_us
             assert result[0].resource_arn == trail_us["TrailARN"]
             assert search(