From 86cf2cd2338c433d869becabbcc45d90fd66dce0 Mon Sep 17 00:00:00 2001 From: Pepe Fagoaga Date: Tue, 6 Jun 2023 14:29:58 +0200 Subject: [PATCH] fix(efs): Include resource ARN and handle from input (#2452) --- prowler/providers/aws/aws_provider.py | 7 ++++--- .../efs_encryption_at_rest_enabled.py | 2 +- .../efs_have_backup_enabled.py | 2 +- .../efs_not_publicly_accessible.py | 6 +++--- .../providers/aws/services/efs/efs_service.py | 10 ++++++++-- .../efs_encryption_at_rest_enabled_test.py | 8 ++++++-- .../efs_have_backup_enabled_test.py | 12 +++++++++--- .../efs_not_publicly_accessible_test.py | 18 +++++++++++++----- 8 files changed, 45 insertions(+), 20 deletions(-) diff --git a/prowler/providers/aws/aws_provider.py b/prowler/providers/aws/aws_provider.py index c373669a..94a4bb7b 100644 --- a/prowler/providers/aws/aws_provider.py +++ b/prowler/providers/aws/aws_provider.py @@ -164,7 +164,7 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set: checks_from_arn = set() # Handle if there are audit resources so only their services are executed if audit_resources: - services_without_subservices = ["guardduty", "kms", "s3", "elb"] + services_without_subservices = ["guardduty", "kms", "s3", "elb", "efs"] service_list = set() sub_service_list = set() for resource in audit_resources: @@ -175,8 +175,10 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set: # Parse services when they are different in the ARNs if service == "lambda": service = "awslambda" - if service == "elasticloadbalancing": + elif service == "elasticloadbalancing": service = "elb" + elif service == "elasticfilesystem": + service = "efs" elif service == "logs": service = "cloudwatch" # Check if Prowler has checks in service @@ -204,7 +206,6 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set: sub_service_list.add(sub_service) else: sub_service_list.add(service) - checks = recover_checks_from_service(service_list, provider) # Filter only checks with audited subservices diff --git a/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py b/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py index d503af15..2f187c2b 100644 --- a/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py +++ b/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py @@ -9,8 +9,8 @@ class efs_encryption_at_rest_enabled(Check): report = Check_Report_AWS(self.metadata()) report.region = fs.region report.resource_id = fs.id + report.resource_arn = fs.arn report.resource_tags = fs.tags - report.resource_arn = "" report.status = "FAIL" report.status_extended = ( f"EFS {fs.id} does not have encryption at rest enabled" diff --git a/prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.py b/prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.py index 158e8ebe..46392eb7 100644 --- a/prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.py +++ b/prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.py @@ -9,7 +9,7 @@ class efs_have_backup_enabled(Check): report = Check_Report_AWS(self.metadata()) report.region = fs.region report.resource_id = fs.id - report.resource_arn = "" + report.resource_arn = fs.arn report.resource_tags = fs.tags report.status = "PASS" report.status_extended = f"EFS {fs.id} has backup enabled" diff --git a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py index 5200fd51..712de9c3 100644 --- a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py +++ b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py @@ -9,11 +9,11 @@ class efs_not_publicly_accessible(Check): report = Check_Report_AWS(self.metadata()) report.region = fs.region report.resource_id = fs.id - report.resource_arn = "" + report.resource_arn = fs.arn report.resource_tags = fs.tags report.status = "PASS" report.status_extended = ( - f"EFS {fs.id} has policy which does not allow access to everyone" + f"EFS {fs.id} has a policy which does not allow access to everyone" ) if not fs.policy: report.status = "FAIL" @@ -34,7 +34,7 @@ class efs_not_publicly_accessible(Check): ) ): report.status = "FAIL" - report.status_extended = f"EFS {fs.id} has policy which allows access to everyone" + report.status_extended = f"EFS {fs.id} has a policy which allows access to everyone" break findings.append(report) diff --git a/prowler/providers/aws/services/efs/efs_service.py b/prowler/providers/aws/services/efs/efs_service.py index 6e84b65f..9fe66554 100644 --- a/prowler/providers/aws/services/efs/efs_service.py +++ b/prowler/providers/aws/services/efs/efs_service.py @@ -16,6 +16,8 @@ class EFS: self.service = "efs" self.session = audit_info.audit_session self.audit_resources = audit_info.audit_resources + self.audited_account = audit_info.audited_account + self.audited_partition = audit_info.audited_partition self.regional_clients = generate_regional_clients(self.service, audit_info) self.filesystems = [] self.__threading_call__(self.__describe_file_systems__) @@ -41,12 +43,15 @@ class EFS: ) for page in describe_efs_paginator.paginate(): for efs in page["FileSystems"]: + efs_id = efs["FileSystemId"] + efs_arn = f"arn:{self.audited_partition}:elasticfilesystem:{regional_client.region}:{self.audited_account}:file-system/{efs_id}" if not self.audit_resources or ( - is_resource_filtered(efs["FileSystemId"], self.audit_resources) + is_resource_filtered(efs_arn, self.audit_resources) ): self.filesystems.append( FileSystem( - id=efs["FileSystemId"], + id=efs_id, + arn=efs_arn, region=regional_client.region, policy=None, backup_policy=None, @@ -89,6 +94,7 @@ class EFS: class FileSystem(BaseModel): id: str + arn: str region: str policy: Optional[dict] backup_policy: Optional[str] diff --git a/tests/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled_test.py b/tests/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled_test.py index c07eae0f..9d0036a1 100644 --- a/tests/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled_test.py +++ b/tests/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled_test.py @@ -15,9 +15,11 @@ backup_valid_policy_status = "ENABLED" class Test_efs_encryption_at_rest_enabled: def test_efs_encryption_enabled(self): efs_client = mock.MagicMock + efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}" efs_client.filesystems = [ FileSystem( id=file_system_id, + arn=efs_arn, region=AWS_REGION, policy=None, backup_policy=backup_valid_policy_status, @@ -38,13 +40,15 @@ class Test_efs_encryption_at_rest_enabled: assert result[0].status == "PASS" assert search("has encryption at rest enabled", result[0].status_extended) assert result[0].resource_id == file_system_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == efs_arn def test_efs_encryption_disabled(self): efs_client = mock.MagicMock + efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}" efs_client.filesystems = [ FileSystem( id=file_system_id, + arn=efs_arn, region=AWS_REGION, policy=None, backup_policy=backup_valid_policy_status, @@ -67,4 +71,4 @@ class Test_efs_encryption_at_rest_enabled: "does not have encryption at rest enabled", result[0].status_extended ) assert result[0].resource_id == file_system_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == efs_arn diff --git a/tests/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled_test.py b/tests/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled_test.py index c7940c15..4c53c100 100644 --- a/tests/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled_test.py +++ b/tests/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled_test.py @@ -17,9 +17,11 @@ backup_valid_invalid_policy_status_2 = "DISABLED" class Test_efs_have_backup_enabled: def test_efs_valid_backup_policy(self): efs_client = mock.MagicMock + efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}" efs_client.filesystems = [ FileSystem( id=file_system_id, + arn=efs_arn, region=AWS_REGION, policy=None, backup_policy=backup_valid_policy_status, @@ -40,13 +42,15 @@ class Test_efs_have_backup_enabled: assert result[0].status == "PASS" assert search("has backup enabled", result[0].status_extended) assert result[0].resource_id == file_system_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == efs_arn def test_efs_invalid_policy_backup_1(self): efs_client = mock.MagicMock + efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}" efs_client.filesystems = [ FileSystem( id=file_system_id, + arn=efs_arn, region=AWS_REGION, policy=None, backup_policy=backup_valid_invalid_policy_status_1, @@ -67,13 +71,15 @@ class Test_efs_have_backup_enabled: assert result[0].status == "FAIL" assert search("does not have backup enabled", result[0].status_extended) assert result[0].resource_id == file_system_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == efs_arn def test_efs_invalid_policy_backup_2(self): efs_client = mock.MagicMock + efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}" efs_client.filesystems = [ FileSystem( id=file_system_id, + arn=efs_arn, region=AWS_REGION, policy=None, backup_policy=backup_valid_invalid_policy_status_2, @@ -94,4 +100,4 @@ class Test_efs_have_backup_enabled: assert result[0].status == "FAIL" assert search("does not have backup enabled", result[0].status_extended) assert result[0].resource_id == file_system_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == efs_arn diff --git a/tests/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible_test.py b/tests/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible_test.py index 10359841..67227779 100644 --- a/tests/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible_test.py +++ b/tests/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible_test.py @@ -36,9 +36,11 @@ filesystem_invalid_policy = { class Test_efs_not_publicly_accessible: def test_efs_valid_policy(self): efs_client = mock.MagicMock + efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}" efs_client.filesystems = [ FileSystem( id=file_system_id, + arn=efs_arn, region=AWS_REGION, policy=filesystem_policy, backup_policy=None, @@ -58,17 +60,20 @@ class Test_efs_not_publicly_accessible: assert len(result) == 1 assert result[0].status == "PASS" assert search( - "has policy which does not allow access to everyone", + "has a policy which does not allow access to everyone", result[0].status_extended, ) assert result[0].resource_id == file_system_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == efs_arn def test_efs_invalid_policy(self): efs_client = mock.MagicMock + efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}" + efs_client.filesystems = [ FileSystem( id=file_system_id, + arn=efs_arn, region=AWS_REGION, policy=filesystem_invalid_policy, backup_policy=None, @@ -88,16 +93,19 @@ class Test_efs_not_publicly_accessible: assert len(result) == 1 assert result[0].status == "FAIL" assert search( - "has policy which allows access to everyone", result[0].status_extended + "has a policy which allows access to everyone", + result[0].status_extended, ) assert result[0].resource_id == file_system_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == efs_arn def test_efs_no_policy(self): efs_client = mock.MagicMock + efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}" efs_client.filesystems = [ FileSystem( id=file_system_id, + arn=efs_arn, region=AWS_REGION, policy=None, backup_policy=None, @@ -121,4 +129,4 @@ class Test_efs_not_publicly_accessible: result[0].status_extended, ) assert result[0].resource_id == file_system_id - assert result[0].resource_arn == "" + assert result[0].resource_arn == efs_arn