fix(efs): Include resource ARN and handle from input (#2452)
@@ -164,7 +164,7 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set:
|
|||||||
checks_from_arn = set()
|
checks_from_arn = set()
|
||||||
# Handle if there are audit resources so only their services are executed
|
# Handle if there are audit resources so only their services are executed
|
||||||
if audit_resources:
|
if audit_resources:
|
||||||
services_without_subservices = ["guardduty", "kms", "s3", "elb"]
|
services_without_subservices = ["guardduty", "kms", "s3", "elb", "efs"]
|
||||||
service_list = set()
|
service_list = set()
|
||||||
sub_service_list = set()
|
sub_service_list = set()
|
||||||
for resource in audit_resources:
|
for resource in audit_resources:
|
||||||
@@ -175,8 +175,10 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set:
|
|||||||
# Parse services when they are different in the ARNs
|
# Parse services when they are different in the ARNs
|
||||||
if service == "lambda":
|
if service == "lambda":
|
||||||
service = "awslambda"
|
service = "awslambda"
|
||||||
if service == "elasticloadbalancing":
|
elif service == "elasticloadbalancing":
|
||||||
service = "elb"
|
service = "elb"
|
||||||
|
elif service == "elasticfilesystem":
|
||||||
|
service = "efs"
|
||||||
elif service == "logs":
|
elif service == "logs":
|
||||||
service = "cloudwatch"
|
service = "cloudwatch"
|
||||||
# Check if Prowler has checks in service
|
# Check if Prowler has checks in service
|
||||||
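Review bot: The ARN-service to Prowler-service renaming from `if service == "lambda":` down to the new `elif service == "elasticfilesystem":` keeps growing as a chain of string-literal comparisons, and the same service names are repeated in the `services_without_subservices` list in the previous hunk, so every new service has to be edited in two places. A module-level mapping would keep the aliases in one spot: `service = ARN_SERVICE_ALIASES.get(service, service)` with a constant `ARN_SERVICE_ALIASES = {"lambda": "awslambda", "elasticloadbalancing": "elb", "elasticfilesystem": "efs", "logs": "cloudwatch"}`. Turning the second `if` into `elif` is correct, since the branches are mutually exclusive. get_checks_from_input_arn starts before this hunk and continues past it.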
@@ -204,7 +206,6 @@ def get_checks_from_input_arn(audit_resources: list, provider: str) -> set:
|
|||||||
sub_service_list.add(sub_service)
|
sub_service_list.add(sub_service)
|
||||||
else:
|
else:
|
||||||
sub_service_list.add(service)
|
sub_service_list.add(service)
|
||||||
|
|
||||||
checks = recover_checks_from_service(service_list, provider)
|
checks = recover_checks_from_service(service_list, provider)
|
||||||
|
|
||||||
# Filter only checks with audited subservices
|
# Filter only checks with audited subservices
|
||||||
|
|||||||
@@ -9,8 +9,8 @@ class efs_encryption_at_rest_enabled(Check):
|
|||||||
report = Check_Report_AWS(self.metadata())
|
report = Check_Report_AWS(self.metadata())
|
||||||
report.region = fs.region
|
report.region = fs.region
|
||||||
report.resource_id = fs.id
|
report.resource_id = fs.id
|
||||||
|
report.resource_arn = fs.arn
|
||||||
report.resource_tags = fs.tags
|
report.resource_tags = fs.tags
|
||||||
report.resource_arn = ""
|
|
||||||
report.status = "FAIL"
|
report.status = "FAIL"
|
||||||
report.status_extended = (
|
report.status_extended = (
|
||||||
f"EFS {fs.id} does not have encryption at rest enabled"
|
f"EFS {fs.id} does not have encryption at rest enabled"
|
||||||
|
|||||||
@@ -9,7 +9,7 @@ class efs_have_backup_enabled(Check):
|
|||||||
report = Check_Report_AWS(self.metadata())
|
report = Check_Report_AWS(self.metadata())
|
||||||
report.region = fs.region
|
report.region = fs.region
|
||||||
report.resource_id = fs.id
|
report.resource_id = fs.id
|
||||||
report.resource_arn = ""
|
report.resource_arn = fs.arn
|
||||||
report.resource_tags = fs.tags
|
report.resource_tags = fs.tags
|
||||||
report.status = "PASS"
|
report.status = "PASS"
|
||||||
report.status_extended = f"EFS {fs.id} has backup enabled"
|
report.status_extended = f"EFS {fs.id} has backup enabled"
|
||||||
|
|||||||
@@ -9,11 +9,11 @@ class efs_not_publicly_accessible(Check):
|
|||||||
report = Check_Report_AWS(self.metadata())
|
report = Check_Report_AWS(self.metadata())
|
||||||
report.region = fs.region
|
report.region = fs.region
|
||||||
report.resource_id = fs.id
|
report.resource_id = fs.id
|
||||||
report.resource_arn = ""
|
report.resource_arn = fs.arn
|
||||||
report.resource_tags = fs.tags
|
report.resource_tags = fs.tags
|
||||||
report.status = "PASS"
|
report.status = "PASS"
|
||||||
report.status_extended = (
|
report.status_extended = (
|
||||||
f"EFS {fs.id} has policy which does not allow access to everyone"
|
f"EFS {fs.id} has a policy which does not allow access to everyone"
|
||||||
)
|
)
|
||||||
if not fs.policy:
|
if not fs.policy:
|
||||||
report.status = "FAIL"
|
report.status = "FAIL"
|
||||||
@@ -34,7 +34,7 @@ class efs_not_publicly_accessible(Check):
|
|||||||
)
|
)
|
||||||
):
|
):
|
||||||
report.status = "FAIL"
|
report.status = "FAIL"
|
||||||
report.status_extended = f"EFS {fs.id} has policy which allows access to everyone"
|
report.status_extended = f"EFS {fs.id} has a policy which allows access to everyone"
|
||||||
break
|
break
|
||||||
findings.append(report)
|
findings.append(report)
|
||||||
|
|
||||||
|
|||||||
@@ -16,6 +16,8 @@ class EFS:
|
|||||||
self.service = "efs"
|
self.service = "efs"
|
||||||
self.session = audit_info.audit_session
|
self.session = audit_info.audit_session
|
||||||
self.audit_resources = audit_info.audit_resources
|
self.audit_resources = audit_info.audit_resources
|
||||||
|
self.audited_account = audit_info.audited_account
|
||||||
|
self.audited_partition = audit_info.audited_partition
|
||||||
self.regional_clients = generate_regional_clients(self.service, audit_info)
|
self.regional_clients = generate_regional_clients(self.service, audit_info)
|
||||||
self.filesystems = []
|
self.filesystems = []
|
||||||
self.__threading_call__(self.__describe_file_systems__)
|
self.__threading_call__(self.__describe_file_systems__)
|
||||||
@@ -41,12 +43,15 @@ class EFS:
|
|||||||
)
|
)
|
||||||
for page in describe_efs_paginator.paginate():
|
for page in describe_efs_paginator.paginate():
|
||||||
for efs in page["FileSystems"]:
|
for efs in page["FileSystems"]:
|
||||||
|
efs_id = efs["FileSystemId"]
|
||||||
|
efs_arn = f"arn:{self.audited_partition}:elasticfilesystem:{regional_client.region}:{self.audited_account}:file-system/{efs_id}"
|
||||||
if not self.audit_resources or (
|
if not self.audit_resources or (
|
||||||
is_resource_filtered(efs["FileSystemId"], self.audit_resources)
|
is_resource_filtered(efs_arn, self.audit_resources)
|
||||||
):
|
):
|
||||||
self.filesystems.append(
|
self.filesystems.append(
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=efs["FileSystemId"],
|
id=efs_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=regional_client.region,
|
region=regional_client.region,
|
||||||
policy=None,
|
policy=None,
|
||||||
backup_policy=None,
|
backup_policy=None,
|
||||||
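Review bot: `efs_arn` on the line added after `for efs in page["FileSystems"]:` is assembled by hand from `self.audited_partition`, `regional_client.region` and `self.audited_account`, while the DescribeFileSystems response already carries the file system's ARN in its `FileSystemArn` field; reading `efs_arn = efs["FileSystemArn"]` would remove any risk of drift between the constructed and the real ARN, provided the mocked responses used by the tests return that field. Worth noting as well that `is_resource_filtered` now receives the ARN instead of the bare `FileSystemId`, so an input that previously matched by ID alone presumably no longer does; if that is intended it belongs in the commit description. The constructed f-string line is also far past the usual line length and would read better split across an implicit string concatenation. `__describe_file_systems__` starts before this hunk.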
@@ -89,6 +94,7 @@ class EFS:
|
|||||||
|
|
||||||
class FileSystem(BaseModel):
|
class FileSystem(BaseModel):
|
||||||
id: str
|
id: str
|
||||||
|
arn: str
|
||||||
region: str
|
region: str
|
||||||
policy: Optional[dict]
|
policy: Optional[dict]
|
||||||
backup_policy: Optional[str]
|
backup_policy: Optional[str]
|
||||||
|
|||||||
@@ -15,9 +15,11 @@ backup_valid_policy_status = "ENABLED"
|
|||||||
class Test_efs_encryption_at_rest_enabled:
|
class Test_efs_encryption_at_rest_enabled:
|
||||||
def test_efs_encryption_enabled(self):
|
def test_efs_encryption_enabled(self):
|
||||||
efs_client = mock.MagicMock
|
efs_client = mock.MagicMock
|
||||||
|
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
|
||||||
efs_client.filesystems = [
|
efs_client.filesystems = [
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=file_system_id,
|
id=file_system_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=AWS_REGION,
|
region=AWS_REGION,
|
||||||
policy=None,
|
policy=None,
|
||||||
backup_policy=backup_valid_policy_status,
|
backup_policy=backup_valid_policy_status,
|
||||||
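Review bot: The identical `efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"` is re-declared inside every test method here and in the two sibling test files of this commit (the efs_have_backup_enabled and efs_not_publicly_accessible tests), eight times in total; declaring it once at module level next to `file_system_id` removes the duplication and makes a future change to the ARN format a one-line edit. These tests also build the ARN independently of the service code, so a mismatch between the hand-assembled ARN in `EFS.__describe_file_systems__` and what the checks report would not be caught; a service-level test asserting `filesystems[0].arn` against the ARN returned by the API would cover that, assuming no such test exists elsewhere in the commit. `test_efs_encryption_enabled` continues past the end of this hunk.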
@@ -38,13 +40,15 @@ class Test_efs_encryption_at_rest_enabled:
|
|||||||
assert result[0].status == "PASS"
|
assert result[0].status == "PASS"
|
||||||
assert search("has encryption at rest enabled", result[0].status_extended)
|
assert search("has encryption at rest enabled", result[0].status_extended)
|
||||||
assert result[0].resource_id == file_system_id
|
assert result[0].resource_id == file_system_id
|
||||||
assert result[0].resource_arn == ""
|
assert result[0].resource_arn == efs_arn
|
||||||
|
|
||||||
def test_efs_encryption_disabled(self):
|
def test_efs_encryption_disabled(self):
|
||||||
efs_client = mock.MagicMock
|
efs_client = mock.MagicMock
|
||||||
|
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
|
||||||
efs_client.filesystems = [
|
efs_client.filesystems = [
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=file_system_id,
|
id=file_system_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=AWS_REGION,
|
region=AWS_REGION,
|
||||||
policy=None,
|
policy=None,
|
||||||
backup_policy=backup_valid_policy_status,
|
backup_policy=backup_valid_policy_status,
|
||||||
@@ -67,4 +71,4 @@ class Test_efs_encryption_at_rest_enabled:
|
|||||||
"does not have encryption at rest enabled", result[0].status_extended
|
"does not have encryption at rest enabled", result[0].status_extended
|
||||||
)
|
)
|
||||||
assert result[0].resource_id == file_system_id
|
assert result[0].resource_id == file_system_id
|
||||||
assert result[0].resource_arn == ""
|
assert result[0].resource_arn == efs_arn
|
||||||
|
|||||||
@@ -17,9 +17,11 @@ backup_valid_invalid_policy_status_2 = "DISABLED"
|
|||||||
class Test_efs_have_backup_enabled:
|
class Test_efs_have_backup_enabled:
|
||||||
def test_efs_valid_backup_policy(self):
|
def test_efs_valid_backup_policy(self):
|
||||||
efs_client = mock.MagicMock
|
efs_client = mock.MagicMock
|
||||||
|
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
|
||||||
efs_client.filesystems = [
|
efs_client.filesystems = [
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=file_system_id,
|
id=file_system_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=AWS_REGION,
|
region=AWS_REGION,
|
||||||
policy=None,
|
policy=None,
|
||||||
backup_policy=backup_valid_policy_status,
|
backup_policy=backup_valid_policy_status,
|
||||||
@@ -40,13 +42,15 @@ class Test_efs_have_backup_enabled:
|
|||||||
assert result[0].status == "PASS"
|
assert result[0].status == "PASS"
|
||||||
assert search("has backup enabled", result[0].status_extended)
|
assert search("has backup enabled", result[0].status_extended)
|
||||||
assert result[0].resource_id == file_system_id
|
assert result[0].resource_id == file_system_id
|
||||||
assert result[0].resource_arn == ""
|
assert result[0].resource_arn == efs_arn
|
||||||
|
|
||||||
def test_efs_invalid_policy_backup_1(self):
|
def test_efs_invalid_policy_backup_1(self):
|
||||||
efs_client = mock.MagicMock
|
efs_client = mock.MagicMock
|
||||||
|
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
|
||||||
efs_client.filesystems = [
|
efs_client.filesystems = [
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=file_system_id,
|
id=file_system_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=AWS_REGION,
|
region=AWS_REGION,
|
||||||
policy=None,
|
policy=None,
|
||||||
backup_policy=backup_valid_invalid_policy_status_1,
|
backup_policy=backup_valid_invalid_policy_status_1,
|
||||||
@@ -67,13 +71,15 @@ class Test_efs_have_backup_enabled:
|
|||||||
assert result[0].status == "FAIL"
|
assert result[0].status == "FAIL"
|
||||||
assert search("does not have backup enabled", result[0].status_extended)
|
assert search("does not have backup enabled", result[0].status_extended)
|
||||||
assert result[0].resource_id == file_system_id
|
assert result[0].resource_id == file_system_id
|
||||||
assert result[0].resource_arn == ""
|
assert result[0].resource_arn == efs_arn
|
||||||
|
|
||||||
def test_efs_invalid_policy_backup_2(self):
|
def test_efs_invalid_policy_backup_2(self):
|
||||||
efs_client = mock.MagicMock
|
efs_client = mock.MagicMock
|
||||||
|
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
|
||||||
efs_client.filesystems = [
|
efs_client.filesystems = [
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=file_system_id,
|
id=file_system_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=AWS_REGION,
|
region=AWS_REGION,
|
||||||
policy=None,
|
policy=None,
|
||||||
backup_policy=backup_valid_invalid_policy_status_2,
|
backup_policy=backup_valid_invalid_policy_status_2,
|
||||||
@@ -94,4 +100,4 @@ class Test_efs_have_backup_enabled:
|
|||||||
assert result[0].status == "FAIL"
|
assert result[0].status == "FAIL"
|
||||||
assert search("does not have backup enabled", result[0].status_extended)
|
assert search("does not have backup enabled", result[0].status_extended)
|
||||||
assert result[0].resource_id == file_system_id
|
assert result[0].resource_id == file_system_id
|
||||||
assert result[0].resource_arn == ""
|
assert result[0].resource_arn == efs_arn
|
||||||
|
|||||||
@@ -36,9 +36,11 @@ filesystem_invalid_policy = {
|
|||||||
class Test_efs_not_publicly_accessible:
|
class Test_efs_not_publicly_accessible:
|
||||||
def test_efs_valid_policy(self):
|
def test_efs_valid_policy(self):
|
||||||
efs_client = mock.MagicMock
|
efs_client = mock.MagicMock
|
||||||
|
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
|
||||||
efs_client.filesystems = [
|
efs_client.filesystems = [
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=file_system_id,
|
id=file_system_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=AWS_REGION,
|
region=AWS_REGION,
|
||||||
policy=filesystem_policy,
|
policy=filesystem_policy,
|
||||||
backup_policy=None,
|
backup_policy=None,
|
||||||
@@ -58,17 +60,20 @@ class Test_efs_not_publicly_accessible:
|
|||||||
assert len(result) == 1
|
assert len(result) == 1
|
||||||
assert result[0].status == "PASS"
|
assert result[0].status == "PASS"
|
||||||
assert search(
|
assert search(
|
||||||
"has policy which does not allow access to everyone",
|
"has a policy which does not allow access to everyone",
|
||||||
result[0].status_extended,
|
result[0].status_extended,
|
||||||
)
|
)
|
||||||
assert result[0].resource_id == file_system_id
|
assert result[0].resource_id == file_system_id
|
||||||
assert result[0].resource_arn == ""
|
assert result[0].resource_arn == efs_arn
|
||||||
|
|
||||||
def test_efs_invalid_policy(self):
|
def test_efs_invalid_policy(self):
|
||||||
efs_client = mock.MagicMock
|
efs_client = mock.MagicMock
|
||||||
|
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
|
||||||
|
|
||||||
efs_client.filesystems = [
|
efs_client.filesystems = [
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=file_system_id,
|
id=file_system_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=AWS_REGION,
|
region=AWS_REGION,
|
||||||
policy=filesystem_invalid_policy,
|
policy=filesystem_invalid_policy,
|
||||||
backup_policy=None,
|
backup_policy=None,
|
||||||
@@ -88,16 +93,19 @@ class Test_efs_not_publicly_accessible:
|
|||||||
assert len(result) == 1
|
assert len(result) == 1
|
||||||
assert result[0].status == "FAIL"
|
assert result[0].status == "FAIL"
|
||||||
assert search(
|
assert search(
|
||||||
"has policy which allows access to everyone", result[0].status_extended
|
"has a policy which allows access to everyone",
|
||||||
|
result[0].status_extended,
|
||||||
)
|
)
|
||||||
assert result[0].resource_id == file_system_id
|
assert result[0].resource_id == file_system_id
|
||||||
assert result[0].resource_arn == ""
|
assert result[0].resource_arn == efs_arn
|
||||||
|
|
||||||
def test_efs_no_policy(self):
|
def test_efs_no_policy(self):
|
||||||
efs_client = mock.MagicMock
|
efs_client = mock.MagicMock
|
||||||
|
efs_arn = f"arn:aws:elasticfilesystem:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system_id}"
|
||||||
efs_client.filesystems = [
|
efs_client.filesystems = [
|
||||||
FileSystem(
|
FileSystem(
|
||||||
id=file_system_id,
|
id=file_system_id,
|
||||||
|
arn=efs_arn,
|
||||||
region=AWS_REGION,
|
region=AWS_REGION,
|
||||||
policy=None,
|
policy=None,
|
||||||
backup_policy=None,
|
backup_policy=None,
|
||||||
@@ -121,4 +129,4 @@ class Test_efs_not_publicly_accessible:
|
|||||||
result[0].status_extended,
|
result[0].status_extended,
|
||||||
)
|
)
|
||||||
assert result[0].resource_id == file_system_id
|
assert result[0].resource_id == file_system_id
|
||||||
assert result[0].resource_arn == ""
|
assert result[0].resource_arn == efs_arn
|
||||||
|
|||||||