fix(efs): Include resource ARN and handle from input (#2452)

This commit is contained in:
Pepe Fagoaga
2023-06-06 14:29:58 +02:00
committed by GitHub
parent ab12c201b4
commit 86cf2cd233
8 changed files with 45 additions and 20 deletions


@@ -164,7 +164,7 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set:
checks_from_arn = set()
# Handle if there are audit resources so only their services are executed
if audit_resources:
services_without_subservices = ["guardduty", "kms", "s3", "elb"]
services_without_subservices = ["guardduty", "kms", "s3", "elb", "efs"]
service_list = set()
sub_service_list = set()
for resource in audit_resources:
@@ -175,8 +175,10 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set:
# Parse services when they are different in the ARNs
if service == "lambda":
service = "awslambda"
if service == "elasticloadbalancing":
elif service == "elasticloadbalancing":
service = "elb"
elif service == "elasticfilesystem":
service = "efs"
elif service == "logs":
service = "cloudwatch"
# Check if Prowler has checks in service
@@ -204,7 +206,6 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set:
sub_service_list.add(sub_service)
else:
sub_service_list.add(service)
checks = recover_checks_from_service(service_list, provider)
# Filter only checks with audited subservices
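Review bot: The service-alias chain that now gains `elif service == "elasticfilesystem": service = "efs"` is a growing if/elif ladder that has to be kept in step with the separate `services_without_subservices` list a few lines earlier, so each new provider alias is two edits in two places. A module-level mapping would make this one entry per alias, e.g. `_ARN_SERVICE_ALIASES = {"lambda": "awslambda", "elasticloadbalancing": "elb", "elasticfilesystem": "efs", "logs": "cloudwatch"}` followed by `service = _ARN_SERVICE_ALIASES.get(service, service)` in place of the chain. `services_without_subservices` is also rebuilt on every call and reads naturally as a module constant next to that mapping. The body of `get_checks_from_input_arn` starts and ends outside the hunk.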


@@ -9,8 +9,8 @@ class efs_encryption_at_rest_enabled(Check):
report = Check_Report_AWS(self.metadata())
report.region = fs.region
report.resource_id = fs.id
report.resource_arn = fs.arn
report.resource_tags = fs.tags
report.resource_arn = ""
report.status = "FAIL"
report.status_extended = (
f"EFS {fs.id} does not have encryption at rest enabled"


@@ -9,7 +9,7 @@ class efs_have_backup_enabled(Check):
report = Check_Report_AWS(self.metadata())
report.region = fs.region
report.resource_id = fs.id
report.resource_arn = ""
report.resource_arn = fs.arn
report.resource_tags = fs.tags
report.status = "PASS"
report.status_extended = f"EFS {fs.id} has backup enabled"


@@ -9,11 +9,11 @@ class efs_not_publicly_accessible(Check):
report = Check_Report_AWS(self.metadata())
report.region = fs.region
report.resource_id = fs.id
report.resource_arn = ""
report.resource_arn = fs.arn
report.resource_tags = fs.tags
report.status = "PASS"
report.status_extended = (
f"EFS {fs.id} has policy which does not allow access to everyone"
f"EFS {fs.id} has a policy which does not allow access to everyone"
)
if not fs.policy:
report.status = "FAIL"
@@ -34,7 +34,7 @@ class efs_not_publicly_accessible(Check):
)
):
report.status = "FAIL"
report.status_extended = f"EFS {fs.id} has policy which allows access to everyone"
report.status_extended = f"EFS {fs.id} has a policy which allows access to everyone"
break
findings.append(report)


@@ -16,6 +16,8 @@ class EFS:
self.service = "efs"
self.session = audit_info.audit_session
self.audit_resources = audit_info.audit_resources
self.audited_account = audit_info.audited_account
self.audited_partition = audit_info.audited_partition
self.regional_clients = generate_regional_clients(self.service, audit_info)
self.filesystems = []
self.__threading_call__(self.__describe_file_systems__)
@@ -41,12 +43,15 @@ class EFS:
)
for page in describe_efs_paginator.paginate():
for efs in page["FileSystems"]:
efs_id = efs["FileSystemId"]
efs_arn = f"arn:{self.audited_partition}:elasticfilesystem:{regional_client.region}:{self.audited_account}:file-system/{efs_id}"
if not self.audit_resources or (
is_resource_filtered(efs["FileSystemId"], self.audit_resources)
is_resource_filtered(efs_arn, self.audit_resources)
):
self.filesystems.append(
FileSystem(
id=efs["FileSystemId"],
id=efs_id,
arn=efs_arn,
region=regional_client.region,
policy=None,
backup_policy=None,
@@ -89,6 +94,7 @@ class EFS:
class FileSystem(BaseModel):
id: str
arn: str
region: str
policy: Optional[dict]
backup_policy: Optional[str]
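Review bot: The line `efs_arn = f"arn:{self.audited_partition}:elasticfilesystem:{regional_client.region}:{self.audited_account}:file-system/{efs_id}"` reconstructs the ARN locally and then feeds it to `is_resource_filtered(efs_arn, self.audit_resources)`, so any divergence between the reconstructed string and the ARN a user copied from AWS silently drops that file system from the audit rather than failing loudly. The DescribeFileSystems response carries the service-issued ARN as `FileSystemArn`, so preferring it with the constructed value as a fallback, `efs_arn = efs.get("FileSystemArn", efs_arn)`, keeps the filter comparison anchored to what AWS actually reports. A short comment on the constructed form, `# Fallback ARN assembled from partition/region/account; the API value is preferred when present`, would explain why both exist. `arn: str` on `FileSystem` has no default, so every other constructor of this model must now pass it; the test hunks in this commit do, but callers outside the diff are not visible here. `__describe_file_systems__` begins outside the hunk.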


@@ -15,9 +15,11 @@ backup_valid_policy_status = "ENABLED"
class Test_efs_encryption_at_rest_enabled:
def test_efs_encryption_enabled(self):
efs_client = mock.MagicMock
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
efs_client.filesystems = [
FileSystem(
id=file_system_id,
arn=efs_arn,
region=AWS_REGION,
policy=None,
backup_policy=backup_valid_policy_status,
@@ -38,13 +40,15 @@ class Test_efs_encryption_at_rest_enabled:
assert result[0].status == "PASS"
assert search("has encryption at rest enabled", result[0].status_extended)
assert result[0].resource_id == file_system_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == efs_arn
def test_efs_encryption_disabled(self):
efs_client = mock.MagicMock
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
efs_client.filesystems = [
FileSystem(
id=file_system_id,
arn=efs_arn,
region=AWS_REGION,
policy=None,
backup_policy=backup_valid_policy_status,
@@ -67,4 +71,4 @@ class Test_efs_encryption_at_rest_enabled:
"does not have encryption at rest enabled", result[0].status_extended
)
assert result[0].resource_id == file_system_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == efs_arn
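Review bot: The same `efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"` line is pasted into every test method here and again in the efs_have_backup_enabled and efs_not_publicly_accessible test sections of this commit, eight copies in total. The hunk headers show these files already keep module-level fixtures such as `backup_valid_policy_status` and `file_system_id`, so the ARN belongs beside them as a single module constant and each method then uses it directly. The test method bodies continue outside the hunks.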


@@ -17,9 +17,11 @@ backup_valid_invalid_policy_status_2 = "DISABLED"
class Test_efs_have_backup_enabled:
def test_efs_valid_backup_policy(self):
efs_client = mock.MagicMock
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
efs_client.filesystems = [
FileSystem(
id=file_system_id,
arn=efs_arn,
region=AWS_REGION,
policy=None,
backup_policy=backup_valid_policy_status,
@@ -40,13 +42,15 @@ class Test_efs_have_backup_enabled:
assert result[0].status == "PASS"
assert search("has backup enabled", result[0].status_extended)
assert result[0].resource_id == file_system_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == efs_arn
def test_efs_invalid_policy_backup_1(self):
efs_client = mock.MagicMock
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
efs_client.filesystems = [
FileSystem(
id=file_system_id,
arn=efs_arn,
region=AWS_REGION,
policy=None,
backup_policy=backup_valid_invalid_policy_status_1,
@@ -67,13 +71,15 @@ class Test_efs_have_backup_enabled:
assert result[0].status == "FAIL"
assert search("does not have backup enabled", result[0].status_extended)
assert result[0].resource_id == file_system_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == efs_arn
def test_efs_invalid_policy_backup_2(self):
efs_client = mock.MagicMock
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
efs_client.filesystems = [
FileSystem(
id=file_system_id,
arn=efs_arn,
region=AWS_REGION,
policy=None,
backup_policy=backup_valid_invalid_policy_status_2,
@@ -94,4 +100,4 @@ class Test_efs_have_backup_enabled:
assert result[0].status == "FAIL"
assert search("does not have backup enabled", result[0].status_extended)
assert result[0].resource_id == file_system_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == efs_arn


@@ -36,9 +36,11 @@ filesystem_invalid_policy = {
class Test_efs_not_publicly_accessible:
def test_efs_valid_policy(self):
efs_client = mock.MagicMock
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
efs_client.filesystems = [
FileSystem(
id=file_system_id,
arn=efs_arn,
region=AWS_REGION,
policy=filesystem_policy,
backup_policy=None,
@@ -58,17 +60,20 @@ class Test_efs_not_publicly_accessible:
assert len(result) == 1
assert result[0].status == "PASS"
assert search(
"has policy which does not allow access to everyone",
"has a policy which does not allow access to everyone",
result[0].status_extended,
)
assert result[0].resource_id == file_system_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == efs_arn
def test_efs_invalid_policy(self):
efs_client = mock.MagicMock
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
efs_client.filesystems = [
FileSystem(
id=file_system_id,
arn=efs_arn,
region=AWS_REGION,
policy=filesystem_invalid_policy,
backup_policy=None,
@@ -88,16 +93,19 @@ class Test_efs_not_publicly_accessible:
assert len(result) == 1
assert result[0].status == "FAIL"
assert search(
"has policy which allows access to everyone", result[0].status_extended
"has a policy which allows access to everyone",
result[0].status_extended,
)
assert result[0].resource_id == file_system_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == efs_arn
def test_efs_no_policy(self):
efs_client = mock.MagicMock
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
efs_client.filesystems = [
FileSystem(
id=file_system_id,
arn=efs_arn,
region=AWS_REGION,
policy=None,
backup_policy=None,
@@ -121,4 +129,4 @@ class Test_efs_not_publicly_accessible:
result[0].status_extended,
)
assert result[0].resource_id == file_system_id
assert result[0].resource_arn == ""
assert result[0].resource_arn == efs_arn