From 8f015d06724999894f4956904eb99d113bad89d6 Mon Sep 17 00:00:00 2001
From: Nacho Rivera
Date: Fri, 14 Jul 2023 09:55:27 +0200
Subject: [PATCH] fix(allowlist): single account checks handling (#2585)

Co-authored-by: thomscode
---
 .../providers/aws/lib/allowlist/allowlist.py | 2 +-
 .../aws/lib/allowlist/allowlist_test.py | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/prowler/providers/aws/lib/allowlist/allowlist.py b/prowler/providers/aws/lib/allowlist/allowlist.py
index d6efc055..00ffe4cc 100644
--- a/prowler/providers/aws/lib/allowlist/allowlist.py
+++ b/prowler/providers/aws/lib/allowlist/allowlist.py
@@ -126,8 +126,8 @@ def is_allowlisted(allowlist, audited_account, check, region, resource, tags):
 # want to merge allowlisted checks from * to the other accounts check list
 if "*" in allowlist["Accounts"]:
 checks_multi_account = allowlist["Accounts"]["*"]["Checks"]
+ allowlisted_checks.update(checks_multi_account)
 # Test if it is allowlisted
- allowlisted_checks.update(checks_multi_account)
 if is_allowlisted_in_check(
 allowlisted_checks,
 audited_account,
diff --git a/tests/providers/aws/lib/allowlist/allowlist_test.py b/tests/providers/aws/lib/allowlist/allowlist_test.py
index 573692a6..1261c266 100644
--- a/tests/providers/aws/lib/allowlist/allowlist_test.py
+++ b/tests/providers/aws/lib/allowlist/allowlist_test.py
@@ -305,6 +305,30 @@ class Test_Allowlist:
 )
 )
 
+ def test_is_allowlisted_single_account(self):
+ allowlist = {
+ "Accounts": {
+ AWS_ACCOUNT_NUMBER: {
+ "Checks": {
+ "check_test": {
+ "Regions": [AWS_REGION],
+ "Resources": ["prowler"],
+ }
+ }
+ }
+ }
+ }
+
+ assert is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
+ )
+
+ assert not (
+ is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
+ )
+ )
+
 def test_is_allowlisted_in_region(self):
 # Allowlist example
 allowlisted_regions = [AWS_REGION, "eu-west-1"]
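Review bot: The moved line `allowlisted_checks.update(checks_multi_account)` gives the `*` entry precedence over a same-named per-account check, because dict.update replaces whole values by key; if `allowlisted_checks` was seeded from the audited account's own `Checks` (its assignment is above the hunk, so this is inferred), that account's narrower `Regions`/`Resources` for a check are silently replaced by the wildcard's, which presumably mutes more findings than the per-account entry intended. If `allowlisted_checks` is the account's `Checks` dict itself rather than a copy, the update also mutates the caller's `allowlist` in place, so repeated calls see a different allowlist than the one loaded. Either document the precedence on the `# want to merge` comment, e.g. `# NOTE: a check listed under "*" overrides the same check under a specific account`, or merge per check so both sets of Regions/Resources are honoured. is_allowlisted starts and ends outside the hunk.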
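Review bot: The negative assertion in test_is_allowlisted_single_account changes region and resource at the same time (`"us-east-2", "test"`), so it passes even if only one of the two dimensions is actually enforced; it does not pin the behaviour the fix is about. Split it into two calls, one with `"us-east-2", "prowler"` and one with `AWS_REGION, "test"`, each expected to be falsy. A companion case with both a specific account and a `"*"` entry for the same check would also lock in which entry wins after the moved update, since that precedence is now exercised on the fixed path.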