mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
chore(typos): Update check's status (#2629)
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
This commit is contained in:
Gabriel Pragin
@@ -15,10 +15,10 @@ class apigateway_authorizers_enabled(Check):
|
||||
report.resource_tags = rest_api.tags
|
||||
if rest_api.authorizer:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} has authorizer configured."
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} has an authorizer configured."
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} has not authorizer configured."
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} does not have an authorizer configured."
|
||||
findings.append(report)
|
||||
|
||||
return findings
|
||||
|
||||
@@ -19,7 +19,7 @@ class apigateway_client_certificate_enabled(Check):
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} in stage {stage.name} has client certificate enabled."
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} in stage {stage.name} has not client certificate enabled."
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} in stage {stage.name} does not have client certificate enabled."
|
||||
findings.append(report)
|
||||
|
||||
return findings
|
||||
|
||||
@@ -19,7 +19,7 @@ class apigateway_waf_acl_attached(Check):
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} in stage {stage.name} has {stage.waf} WAF ACL attached."
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} in stage {stage.name} has not WAF ACL attached."
|
||||
report.status_extended = f"API Gateway {rest_api.name} ID {rest_api.id} in stage {stage.name} does not have WAF ACL attached."
|
||||
findings.append(report)
|
||||
|
||||
return findings
|
||||
|
||||
@@ -14,14 +14,10 @@ class apigatewayv2_authorizers_enabled(Check):
|
||||
report.resource_arn = api.arn
|
||||
report.resource_tags = api.tags
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
f"API Gateway V2 {api.name} ID {api.id} has not authorizer configured."
|
||||
)
|
||||
report.status_extended = f"API Gateway V2 {api.name} ID {api.id} does not have an authorizer configured."
|
||||
if api.authorizer:
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"API Gateway V2 {api.name} ID {api.id} has authorizer configured."
|
||||
)
|
||||
report.status_extended = f"API Gateway V2 {api.name} ID {api.id} has an authorizer configured."
|
||||
findings.append(report)
|
||||
|
||||
return findings
|
||||
|
||||
@@ -14,10 +14,10 @@ class awslambda_function_url_cors_policy(Check):
|
||||
if function.url_config:
|
||||
if "*" in function.url_config.cors_config.allow_origins:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"Lambda function {function.name} URL has a wide CORS configuration"
|
||||
report.status_extended = f"Lambda function {function.name} URL has a wide CORS configuration."
|
||||
else:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Lambda function {function.name} has not a wide CORS configuration"
|
||||
report.status_extended = f"Lambda function {function.name} does not have a wide CORS configuration."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -15,10 +15,10 @@ class awslambda_function_url_public(Check):
|
||||
if function.url_config:
|
||||
if function.url_config.auth_type == AuthType.AWS_IAM:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Lambda function {function.name} has not a publicly accessible function URL"
|
||||
report.status_extended = f"Lambda function {function.name} does not have a publicly accessible function URL."
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"Lambda function {function.name} has a publicly accessible function URL"
|
||||
report.status_extended = f"Lambda function {function.name} has a publicly accessible function URL."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -18,17 +18,17 @@ class cloudtrail_bucket_requires_mfa_delete(Check):
|
||||
report.resource_arn = trail.arn
|
||||
report.resource_tags = trail.tags
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) has not MFA delete enabled"
|
||||
report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) does not have MFA delete enabled."
|
||||
for bucket in s3_client.buckets:
|
||||
if trail_bucket == bucket.name:
|
||||
trail_bucket_is_in_account = True
|
||||
if bucket.mfa_delete:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) has MFA delete enabled"
|
||||
report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) has MFA delete enabled."
|
||||
# check if trail bucket is a cross account bucket
|
||||
if not trail_bucket_is_in_account:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually"
|
||||
report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -15,13 +15,11 @@ class cloudtrail_insights_exist(Check):
|
||||
report.resource_arn = trail.arn
|
||||
report.resource_tags = trail.tags
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
f"Trail {trail.name} has not insight selectors and it is logging"
|
||||
)
|
||||
report.status_extended = f"Trail {trail.name} does not have insight selectors and it is logging."
|
||||
if trail.has_insight_selectors:
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"Trail {trail.name} has insight selectors and it is logging"
|
||||
f"Trail {trail.name} has insight selectors and it is logging."
|
||||
)
|
||||
findings.append(report)
|
||||
return findings
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
"Terraform": "https://docs.bridgecrew.io/docs/logging_5-enable-aws-config-regions#terraform"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to enable AWS Config be enabled in all regions.",
|
||||
"Text": "It is recommended to enable AWS Config in all regions.",
|
||||
"Url": "https://aws.amazon.com/blogs/mt/aws-config-best-practices/"
|
||||
}
|
||||
},
|
||||
|
||||
@@ -18,7 +18,7 @@ class ec2_instance_public_ip(Check):
|
||||
else:
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"EC2 Instance {instance.id} has not a Public IP."
|
||||
f"EC2 Instance {instance.id} does not have a Public IP."
|
||||
)
|
||||
report.resource_id = instance.id
|
||||
findings.append(report)
|
||||
|
||||
@@ -17,7 +17,7 @@ class ec2_networkacl_allow_ingress_any_port(Check):
|
||||
# If some entry allows it, that ACL is not securely configured
|
||||
if not check_network_acl(network_acl.entries, tcp_protocol, check_port):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Network ACL {network_acl.id} has not every port open to the Internet."
|
||||
report.status_extended = f"Network ACL {network_acl.id} does not have every port open to the Internet."
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
|
||||
@@ -16,7 +16,7 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check):
|
||||
# If some entry allows it, that ACL is not securely configured
|
||||
if not check_network_acl(network_acl.entries, tcp_protocol, check_port):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Network ACL {network_acl.id} has not SSH port 22 open to the Internet."
|
||||
report.status_extended = f"Network ACL {network_acl.id} does not have SSH port 22 open to the Internet."
|
||||
report.resource_id = network_acl.id
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
|
||||
@@ -16,7 +16,7 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check):
|
||||
# If some entry allows it, that ACL is not securely configured
|
||||
if not check_network_acl(network_acl.entries, tcp_protocol, check_port):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Network ACL {network_acl.id} has not Microsoft RDP port 3389 open to the Internet."
|
||||
report.status_extended = f"Network ACL {network_acl.id} does not have Microsoft RDP port 3389 open to the Internet."
|
||||
report.resource_id = network_acl.id
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
|
||||
@@ -9,7 +9,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not all ports open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have all ports open to the Internet."
|
||||
report.resource_details = security_group.name
|
||||
report.resource_id = security_group.id
|
||||
report.resource_arn = security_group.arn
|
||||
|
||||
@@ -15,7 +15,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018(
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not MongoDB ports 27017 and 27018 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have MongoDB ports 27017 and 27018 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -11,7 +11,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21(Check)
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not FTP ports 20 and 21 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have FTP ports 20 and 21 open to the Internet."
|
||||
report.resource_details = security_group.name
|
||||
report.resource_id = security_group.id
|
||||
report.resource_arn = security_group.arn
|
||||
|
||||
@@ -11,7 +11,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22(Check):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not SSH port 22 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have SSH port 22 open to the Internet."
|
||||
report.resource_details = security_group.name
|
||||
report.resource_id = security_group.id
|
||||
report.resource_arn = security_group.arn
|
||||
|
||||
@@ -11,7 +11,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389(Check):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = security_group.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Microsoft RDP port 3389 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Microsoft RDP port 3389 open to the Internet."
|
||||
report.resource_details = security_group.name
|
||||
report.resource_id = security_group.id
|
||||
report.resource_arn = security_group.arn
|
||||
|
||||
@@ -17,7 +17,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Casandra ports 7199, 8888 and 9160 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Casandra ports 7199, 8888 and 9160 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -17,7 +17,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_ki
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Elasticsearch/Kibana ports 9200, 9300 and 5601 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Elasticsearch/Kibana ports 9200, 9300 and 5601 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -15,7 +15,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092(Check
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Kafka port 9092 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Kafka port 9092 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -15,7 +15,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211(
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Memcached port 11211 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Memcached port 11211 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -15,7 +15,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306(Check
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not MySQL port 3306 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have MySQL port 3306 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -15,7 +15,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Oracle ports 1521 and 2483 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Oracle ports 1521 and 2483 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -15,7 +15,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432(Ch
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Postgres port 5432 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Postgres port 5432 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -15,7 +15,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379(Check
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Redis port 6379 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Redis port 6379 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -17,7 +17,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Microsoft SQL Server ports 1433 and 1434 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Microsoft SQL Server ports 1433 and 1434 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -15,7 +15,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23(Check)
|
||||
report.resource_arn = security_group.arn
|
||||
report.resource_tags = security_group.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Telnet port 23 open to the Internet."
|
||||
report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have Telnet port 23 open to the Internet."
|
||||
if not security_group.public_ports:
|
||||
# Loop through every security group's ingress rule and check it
|
||||
for ingress_rule in security_group.ingress_rules:
|
||||
|
||||
@@ -13,10 +13,10 @@ class ecr_repositories_lifecycle_policy_enabled(Check):
|
||||
report.resource_arn = repository.arn
|
||||
report.resource_tags = repository.tags
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"Repository {repository.name} has not a lifecycle policy configured"
|
||||
report.status_extended = f"Repository {repository.name} does not have a lifecycle policy configured."
|
||||
if repository.lifecycle_policy:
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Repository {repository.name} has a lifecycle policy configured"
|
||||
report.status_extended = f"Repository {repository.name} has a lifecycle policy configured."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -12,9 +12,7 @@ class eks_cluster_kms_cmk_encryption_in_secrets_enabled(Check):
|
||||
report.resource_arn = cluster.arn
|
||||
report.resource_tags = cluster.tags
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
f"EKS cluster {cluster.name} has not encryption for Kubernetes secrets."
|
||||
)
|
||||
report.status_extended = f"EKS cluster {cluster.name} does not have encryption for Kubernetes secrets."
|
||||
if cluster.encryptionConfig:
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
|
||||
@@ -15,7 +15,7 @@ class elb_insecure_ssl_ciphers(Check):
|
||||
report.resource_tags = lb.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"ELB {lb.name} has not insecure SSL protocols or ciphers."
|
||||
f"ELB {lb.name} does not have insecure SSL protocols or ciphers."
|
||||
)
|
||||
for listener in lb.listeners:
|
||||
if listener.protocol == "HTTPS" and not any(
|
||||
|
||||
@@ -11,7 +11,9 @@ class elb_logging_enabled(Check):
|
||||
report.resource_id = lb.name
|
||||
report.resource_tags = lb.tags
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"ELB {lb.name} has not configured access logs."
|
||||
report.status_extended = (
|
||||
f"ELB {lb.name} does not have access logs configured."
|
||||
)
|
||||
if lb.access_logs:
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
|
||||
@@ -12,7 +12,9 @@ class elbv2_deletion_protection(Check):
|
||||
report.resource_arn = lb.arn
|
||||
report.resource_tags = lb.tags
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"ELBv2 {lb.name} has not deletion protection."
|
||||
report.status_extended = (
|
||||
f"ELBv2 {lb.name} does not have deletion protection enabled."
|
||||
)
|
||||
if lb.deletion_protection == "true":
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
|
||||
@@ -25,7 +25,7 @@ class elbv2_insecure_ssl_ciphers(Check):
|
||||
report.resource_tags = lb.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"ELBv2 {lb.name} has not insecure SSL protocols or ciphers."
|
||||
f"ELBv2 {lb.name} does not have insecure SSL protocols or ciphers."
|
||||
)
|
||||
for listener in lb.listeners:
|
||||
if (
|
||||
|
||||
@@ -13,7 +13,7 @@ class elbv2_logging_enabled(Check):
|
||||
report.resource_tags = lb.tags
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
f"ELBv2 ALB {lb.name} has not configured access logs."
|
||||
f"ELBv2 ALB {lb.name} does not have access logs configured."
|
||||
)
|
||||
if lb.access_logs == "true":
|
||||
report.status = "PASS"
|
||||
|
||||
@@ -18,11 +18,13 @@ class emr_cluster_master_nodes_no_public_ip(Check):
|
||||
report.resource_tags = cluster.tags
|
||||
if cluster.public:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"EMR Cluster {cluster.id} has a Public IP"
|
||||
report.status_extended = (
|
||||
f"EMR Cluster {cluster.id} has a Public IP."
|
||||
)
|
||||
else:
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"EMR Cluster {cluster.id} has not a Public IP"
|
||||
f"EMR Cluster {cluster.id} does not have a Public IP."
|
||||
)
|
||||
|
||||
findings.append(report)
|
||||
|
||||
@@ -16,11 +16,11 @@ class iam_role_cross_account_readonlyaccess_policy(Check):
|
||||
report.resource_tags = role.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"IAM Role {role.name} has not ReadOnlyAccess policy"
|
||||
f"IAM Role {role.name} does not have ReadOnlyAccess policy."
|
||||
)
|
||||
for policy in role.attached_policies:
|
||||
if policy["PolicyName"] == "ReadOnlyAccess":
|
||||
report.status_extended = f"IAM Role {role.name} has read-only access but is not cross account"
|
||||
report.status_extended = f"IAM Role {role.name} has read-only access but is not cross account."
|
||||
cross_account_access = False
|
||||
if type(role.assume_role_policy["Statement"]) == list:
|
||||
for statement in role.assume_role_policy["Statement"]:
|
||||
@@ -72,7 +72,7 @@ class iam_role_cross_account_readonlyaccess_policy(Check):
|
||||
cross_account_access = True
|
||||
if cross_account_access:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"IAM Role {role.name} gives cross account read-only access!"
|
||||
report.status_extended = f"IAM Role {role.name} gives cross account read-only access."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -17,7 +17,7 @@ class rds_instance_backup_enabled(Check):
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
f"RDS Instance {db_instance.id} has not backup enabled."
|
||||
f"RDS Instance {db_instance.id} does not have backup enabled."
|
||||
)
|
||||
|
||||
findings.append(report)
|
||||
|
||||
@@ -15,7 +15,7 @@ class workspaces_vpc_2private_1public_subnets_nat(Check):
|
||||
report.resource_arn = workspace.arn
|
||||
report.resource_tags = workspace.tags
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Workspace {workspace.id} is in a private subnet within a VPC which has 1 public subnet 2 private subnets with a NAT Gateway attached"
|
||||
report.status_extended = f"Workspace {workspace.id} is in a private subnet within a VPC which has 1 public subnet 2 private subnets with a NAT Gateway attached."
|
||||
vpc_object = None
|
||||
is_in_private_subnet = False
|
||||
if workspace.subnet_id:
|
||||
@@ -45,7 +45,7 @@ class workspaces_vpc_2private_1public_subnets_nat(Check):
|
||||
or not is_in_private_subnet
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"Workspace {workspace.id} is not in a private subnet or its VPC has not 1 public subnet and 2 private subnets with a NAT Gateway attached"
|
||||
report.status_extended = f"Workspace {workspace.id} is not in a private subnet or its VPC does not have 1 public subnet and 2 private subnets with a NAT Gateway attached."
|
||||
|
||||
findings.append(report)
|
||||
return findings
|
||||
|
||||
@@ -13,11 +13,11 @@ class cloudsql_instance_mysql_local_infile_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"MySQL Instance {instance.name} has not 'local_infile' flag set to 'off'"
|
||||
report.status_extended = f"MySQL Instance {instance.name} does not have 'local_infile' flag set to 'off'."
|
||||
for flag in instance.flags:
|
||||
if flag["name"] == "local_infile" and flag["value"] == "off":
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"MySQL Instance {instance.name} has 'local_infile' flag set to 'off'"
|
||||
report.status_extended = f"MySQL Instance {instance.name} has 'local_infile' flag set to 'off'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,11 +13,11 @@ class cloudsql_instance_mysql_skip_show_database_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"MySQL Instance {instance.name} has not 'skip_show_database' flag set to 'on'"
|
||||
report.status_extended = f"MySQL Instance {instance.name} does not have 'skip_show_database' flag set to 'on'."
|
||||
for flag in instance.flags:
|
||||
if flag["name"] == "skip_show_database" and flag["value"] == "on":
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"MySQL Instance {instance.name} has 'skip_show_database' flag set to 'on'"
|
||||
report.status_extended = f"MySQL Instance {instance.name} has 'skip_show_database' flag set to 'on'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,14 +13,14 @@ class cloudsql_instance_postgres_enable_pgaudit_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has not 'cloudsql.enable_pgaudit' flag set to 'on'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'cloudsql.enable_pgaudit' flag set to 'on'."
|
||||
for flag in instance.flags:
|
||||
if (
|
||||
flag["name"] == "cloudsql.enable_pgaudit"
|
||||
and flag["value"] == "on"
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'cloudsql.enable_pgaudit' flag set to 'on'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'cloudsql.enable_pgaudit' flag set to 'on'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,11 +13,11 @@ class cloudsql_instance_postgres_log_connections_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has not 'log_connections' flag set to 'on'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_connections' flag set to 'on'."
|
||||
for flag in instance.flags:
|
||||
if flag["name"] == "log_connections" and flag["value"] == "on":
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_connections' flag set to 'on'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_connections' flag set to 'on'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,11 +13,11 @@ class cloudsql_instance_postgres_log_disconnections_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has not 'log_disconnections' flag set to 'on'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_disconnections' flag set to 'on'."
|
||||
for flag in instance.flags:
|
||||
if flag["name"] == "log_disconnections" and flag["value"] == "on":
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_disconnections' flag set to 'on'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_disconnections' flag set to 'on'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,14 +13,14 @@ class cloudsql_instance_postgres_log_error_verbosity_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has not 'log_error_verbosity' flag set to 'default'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_error_verbosity' flag set to 'default'."
|
||||
for flag in instance.flags:
|
||||
if (
|
||||
flag["name"] == "log_error_verbosity"
|
||||
and flag["value"] == "default"
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_error_verbosity' flag set to 'default'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_error_verbosity' flag set to 'default'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,14 +13,14 @@ class cloudsql_instance_postgres_log_min_duration_statement_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has not 'log_min_duration_statement' flag set to '-1'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_min_duration_statement' flag set to '-1'."
|
||||
for flag in instance.flags:
|
||||
if (
|
||||
flag["name"] == "log_min_duration_statement"
|
||||
and flag["value"] == "-1"
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_min_duration_statement' flag set to '-1'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_min_duration_statement' flag set to '-1'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -14,14 +14,14 @@ class cloudsql_instance_postgres_log_min_error_statement_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has not 'log_min_error_statement' flag set minimum to '{desired_log_min_error_statement}'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_min_error_statement' flag set minimum to '{desired_log_min_error_statement}'."
|
||||
for flag in instance.flags:
|
||||
if (
|
||||
flag["name"] == "log_min_error_statement"
|
||||
and flag["value"] == desired_log_min_error_statement
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_min_error_statement' flag set minimum to '{desired_log_min_error_statement}'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_min_error_statement' flag set minimum to '{desired_log_min_error_statement}'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -14,14 +14,14 @@ class cloudsql_instance_postgres_log_min_messages_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has not 'log_min_messages' flag set minimum to '{desired_log_min_messages}'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_min_messages' flag set minimum to '{desired_log_min_messages}'."
|
||||
for flag in instance.flags:
|
||||
if (
|
||||
flag["name"] == "log_min_messages"
|
||||
and flag["value"] == desired_log_min_messages
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_min_messages' flag set minimum to '{desired_log_min_messages}'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_min_messages' flag set minimum to '{desired_log_min_messages}'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -14,14 +14,14 @@ class cloudsql_instance_postgres_log_statement_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has not 'log_statement' flag set to '{desired_log_statement}'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_statement' flag set to '{desired_log_statement}'."
|
||||
for flag in instance.flags:
|
||||
if (
|
||||
flag["name"] == "log_statement"
|
||||
and flag["value"] == desired_log_statement
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_statement' flag set to '{desired_log_statement}'"
|
||||
report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_statement' flag set to '{desired_log_statement}'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,12 +13,12 @@ class cloudsql_instance_public_ip(Check):
|
||||
report.location = instance.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = (
|
||||
f"Database Instance {instance.name} has not a public IP"
|
||||
f"Database Instance {instance.name} does not have a public IP."
|
||||
)
|
||||
if instance.public_ip:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = (
|
||||
f"Database Instance {instance.name} has a public IP"
|
||||
f"Database Instance {instance.name} has a public IP."
|
||||
)
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,11 +13,11 @@ class cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'cross db ownership' flag set to 'off'"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'cross db ownership' flag set to 'off'."
|
||||
for flag in instance.flags:
|
||||
if flag["name"] == "cross db ownership" and flag["value"] == "on":
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has not 'cross db ownership' flag set to 'off'"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} does not have 'cross db ownership' flag set to 'off'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,14 +13,14 @@ class cloudsql_instance_sqlserver_external_scripts_enabled_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'external scripts enabled' flag set to 'off'"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'external scripts enabled' flag set to 'off'."
|
||||
for flag in instance.flags:
|
||||
if (
|
||||
flag["name"] == "external scripts enabled"
|
||||
and flag["value"] == "on"
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has not 'external scripts enabled' flag set to 'off'"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} does not have 'external scripts enabled' flag set to 'off'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,11 +13,11 @@ class cloudsql_instance_sqlserver_remote_access_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has not 'remote access' flag set to 'on'"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} does not have 'remote access' flag set to 'on'."
|
||||
for flag in instance.flags:
|
||||
if flag["name"] == "remote access" and flag["value"] == "on":
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'remote access' flag set to 'on'"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'remote access' flag set to 'on'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,11 +13,11 @@ class cloudsql_instance_sqlserver_user_connections_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'user connections' flag set to '0'"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'user connections' flag set to '0'."
|
||||
for flag in instance.flags:
|
||||
if flag["name"] == "user connections" and flag["value"] == "0":
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has not 'user connections' flag set to '0'"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} does not have 'user connections' flag set to '0'."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -13,11 +13,11 @@ class cloudsql_instance_sqlserver_user_options_flag(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.region
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has not 'user options' flag set"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} does not have 'user options' flag set."
|
||||
for flag in instance.flags:
|
||||
if flag["name"] == "user options" and flag["value"] != "":
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'user options' flag set"
|
||||
report.status_extended = f"SQL Server Instance {instance.name} has 'user options' flag set."
|
||||
break
|
||||
findings.append(report)
|
||||
|
||||
|
||||
@@ -12,10 +12,12 @@ class compute_instance_public_ip(Check):
|
||||
report.resource_name = instance.name
|
||||
report.location = instance.zone
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"VM Instance {instance.name} has not a public IP"
|
||||
report.status_extended = (
|
||||
f"VM Instance {instance.name} does not have a public IP."
|
||||
)
|
||||
if instance.public_ip:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"VM Instance {instance.name} has a public IP"
|
||||
report.status_extended = f"VM Instance {instance.name} has a public IP."
|
||||
findings.append(report)
|
||||
|
||||
return findings
|
||||
|
||||
@@ -117,7 +117,7 @@ class Test_apigateway_authorizers_enabled:
|
||||
assert len(result) == 1
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"API Gateway test-rest-api ID {rest_api['id']} has authorizer configured."
|
||||
== f"API Gateway test-rest-api ID {rest_api['id']} has an authorizer configured."
|
||||
)
|
||||
assert result[0].resource_id == "test-rest-api"
|
||||
assert (
|
||||
@@ -158,7 +158,7 @@ class Test_apigateway_authorizers_enabled:
|
||||
assert len(result) == 1
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"API Gateway test-rest-api ID {rest_api['id']} has not authorizer configured."
|
||||
== f"API Gateway test-rest-api ID {rest_api['id']} does not have an authorizer configured."
|
||||
)
|
||||
assert result[0].resource_id == "test-rest-api"
|
||||
assert (
|
||||
|
||||
@@ -127,7 +127,7 @@ class Test_apigateway_client_certificate_enabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"API Gateway test-rest-api ID {rest_api['id']} in stage test has not client certificate enabled."
|
||||
== f"API Gateway test-rest-api ID {rest_api['id']} in stage test does not have client certificate enabled."
|
||||
)
|
||||
assert result[0].resource_id == "test-rest-api"
|
||||
assert (
|
||||
|
||||
@@ -205,7 +205,7 @@ class Test_apigateway_waf_acl_attached:
|
||||
assert len(result) == 1
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"API Gateway test-rest-api ID {rest_api['id']} in stage test has not WAF ACL attached."
|
||||
== f"API Gateway test-rest-api ID {rest_api['id']} in stage test does not have WAF ACL attached."
|
||||
)
|
||||
assert result[0].resource_id == "test-rest-api"
|
||||
assert (
|
||||
|
||||
@@ -127,6 +127,6 @@ class Test_apigatewayv2_authorizers_enabled:
|
||||
assert len(result) == 1
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"API Gateway V2 test-api ID {api['ApiId']} has authorizer configured."
|
||||
== f"API Gateway V2 test-api ID {api['ApiId']} has an authorizer configured."
|
||||
)
|
||||
assert result[0].resource_id == "test-api"
|
||||
|
||||
@@ -71,7 +71,7 @@ class Test_awslambda_function_url_cors_policy:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Lambda function {function_name} URL has a wide CORS configuration"
|
||||
== f"Lambda function {function_name} URL has a wide CORS configuration."
|
||||
)
|
||||
|
||||
def test_function_cors_not_wide(self):
|
||||
@@ -114,7 +114,7 @@ class Test_awslambda_function_url_cors_policy:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Lambda function {function_name} has not a wide CORS configuration"
|
||||
== f"Lambda function {function_name} does not have a wide CORS configuration."
|
||||
)
|
||||
|
||||
def test_function_cors_wide_with_two_origins(self):
|
||||
@@ -159,5 +159,5 @@ class Test_awslambda_function_url_cors_policy:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Lambda function {function_name} URL has a wide CORS configuration"
|
||||
== f"Lambda function {function_name} URL has a wide CORS configuration."
|
||||
)
|
||||
|
||||
@@ -71,7 +71,7 @@ class Test_awslambda_function_url_public:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Lambda function {function_name} has a publicly accessible function URL"
|
||||
== f"Lambda function {function_name} has a publicly accessible function URL."
|
||||
)
|
||||
|
||||
def test_function_private_url(self):
|
||||
@@ -114,5 +114,5 @@ class Test_awslambda_function_url_public:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Lambda function {function_name} has not a publicly accessible function URL"
|
||||
== f"Lambda function {function_name} does not have a publicly accessible function URL."
|
||||
)
|
||||
|
||||
@@ -97,7 +97,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Trail {trail_name_us} bucket ({bucket_name_us}) has not MFA delete enabled"
|
||||
== f"Trail {trail_name_us} bucket ({bucket_name_us}) does not have MFA delete enabled."
|
||||
)
|
||||
assert result[0].resource_id == trail_name_us
|
||||
assert result[0].region == "us-east-1"
|
||||
@@ -157,7 +157,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Trail {trail_name_us} bucket ({bucket_name_us}) has MFA delete enabled"
|
||||
== f"Trail {trail_name_us} bucket ({bucket_name_us}) has MFA delete enabled."
|
||||
)
|
||||
assert result[0].resource_id == trail_name_us
|
||||
assert result[0].region == "us-east-1"
|
||||
@@ -203,7 +203,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Trail {trail_name_us} bucket ({bucket_name_us}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually"
|
||||
== f"Trail {trail_name_us} bucket ({bucket_name_us}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
|
||||
)
|
||||
assert result[0].resource_id == trail_name_us
|
||||
assert result[0].region == "us-east-1"
|
||||
@@ -255,7 +255,7 @@ class Test_cloudtrail_bucket_requires_mfa_delete:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Trail {trail_name_us} bucket ({bucket_name_us}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually"
|
||||
== f"Trail {trail_name_us} bucket ({bucket_name_us}) is a cross-account bucket in another account out of Prowler's permissions scope, please check it manually."
|
||||
)
|
||||
assert result[0].resource_id == trail_name_us
|
||||
assert result[0].region == "us-east-1"
|
||||
|
||||
@@ -90,7 +90,7 @@ class Test_cloudtrail_insights_exist:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Trail {trail_name_us} has not insight selectors and it is logging"
|
||||
== f"Trail {trail_name_us} does not have insight selectors and it is logging."
|
||||
)
|
||||
assert result[0].resource_id == trail_name_us
|
||||
assert result[0].region == "us-east-1"
|
||||
@@ -135,7 +135,7 @@ class Test_cloudtrail_insights_exist:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Trail {trail_name_us} has insight selectors and it is logging"
|
||||
== f"Trail {trail_name_us} has insight selectors and it is logging."
|
||||
)
|
||||
assert result[0].resource_id == trail_name_us
|
||||
assert result[0].region == "us-east-1"
|
||||
|
||||
@@ -106,7 +106,7 @@ class Test_ec2_instance_public_ip:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert search(
|
||||
f"EC2 Instance {instance.id} has not a Public IP",
|
||||
f"EC2 Instance {instance.id} does not have a Public IP.",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == instance.id
|
||||
@@ -154,7 +154,8 @@ class Test_ec2_instance_public_ip:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert search(
|
||||
f"EC2 Instance {instance.id} has a Public IP", result[0].status_extended
|
||||
f"EC2 Instance {instance.id} has a Public IP.",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == instance.id
|
||||
assert (
|
||||
|
||||
@@ -192,7 +192,7 @@ class ec2_networkacl_allow_ingress_any_port:
|
||||
assert nacl.status == "PASS"
|
||||
assert (
|
||||
nacl.status_extended
|
||||
== f"Network ACL {nacl_id} has not every port open to the Internet."
|
||||
== f"Network ACL {nacl_id} does not have every port open to the Internet."
|
||||
)
|
||||
assert (
|
||||
nacl.resource_arn
|
||||
|
||||
@@ -194,7 +194,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_22:
|
||||
assert nacl.status == "PASS"
|
||||
assert (
|
||||
nacl.status_extended
|
||||
== f"Network ACL {nacl_id} has not SSH port 22 open to the Internet."
|
||||
== f"Network ACL {nacl_id} does not have SSH port 22 open to the Internet."
|
||||
)
|
||||
assert (
|
||||
nacl.resource_arn
|
||||
|
||||
@@ -194,7 +194,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_3389:
|
||||
assert nacl.status == "PASS"
|
||||
assert (
|
||||
nacl.status_extended
|
||||
== f"Network ACL {nacl_id} has not Microsoft RDP port 3389 open to the Internet."
|
||||
== f"Network ACL {nacl_id} does not have Microsoft RDP port 3389 open to the Internet."
|
||||
)
|
||||
assert (
|
||||
nacl.resource_arn
|
||||
|
||||
@@ -179,7 +179,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not all ports open to the Internet",
|
||||
"does not have all ports open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
@@ -240,7 +240,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not all ports open to the Internet",
|
||||
"does not have all ports open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not MongoDB ports 27017 and 27018 open to the Internet",
|
||||
"does not have MongoDB ports 27017 and 27018 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not FTP ports 20 and 21 open to the Internet",
|
||||
"does not have FTP ports 20 and 21 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -181,7 +181,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not SSH port 22 open to the Internet",
|
||||
"does not have SSH port 22 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -181,7 +181,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Microsoft RDP port 3389 open to the Internet",
|
||||
"does not have Microsoft RDP port 3389 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Casandra ports 7199, 8888 and 9160 open to the Internet",
|
||||
"does not have Casandra ports 7199, 8888 and 9160 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Elasticsearch/Kibana ports 9200, 9300 and 5601 open to the Internet",
|
||||
"does not have Elasticsearch/Kibana ports 9200, 9300 and 5601 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -186,7 +186,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Kafka port 9092 open to the Internet",
|
||||
"does not have Kafka port 9092 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Memcached port 11211 open to the Internet",
|
||||
"does not have Memcached port 11211 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not MySQL port 3306 open to the Internet",
|
||||
"does not have MySQL port 3306 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Oracle ports 1521 and 2483 open to the Internet",
|
||||
"does not have Oracle ports 1521 and 2483 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Postgres port 5432 open to the Internet",
|
||||
"does not have Postgres port 5432 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -186,7 +186,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Redis port 6379 open to the Internet",
|
||||
"does not have Redis port 6379 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -187,7 +187,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Microsoft SQL Server ports 1433 and 1434 open to the Internet",
|
||||
"does not have Microsoft SQL Server ports 1433 and 1434 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -186,7 +186,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
|
||||
if sg.resource_id == default_sg_id:
|
||||
assert sg.status == "PASS"
|
||||
assert search(
|
||||
"has not Telnet port 23 open to the Internet",
|
||||
"does not have Telnet port 23 open to the Internet",
|
||||
sg.status_extended,
|
||||
)
|
||||
assert (
|
||||
|
||||
@@ -97,7 +97,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Repository {repository_name} has a lifecycle policy configured"
|
||||
== f"Repository {repository_name} has a lifecycle policy configured."
|
||||
)
|
||||
assert result[0].resource_id == repository_name
|
||||
assert result[0].resource_arn == repository_arn
|
||||
@@ -138,7 +138,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Repository {repository_name} has not a lifecycle policy configured"
|
||||
== f"Repository {repository_name} does not have a lifecycle policy configured."
|
||||
)
|
||||
assert result[0].resource_id == repository_name
|
||||
assert result[0].resource_arn == repository_arn
|
||||
|
||||
@@ -51,7 +51,8 @@ class Test_eks_cluster_kms_cmk_encryption_in_secrets_enabled:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert search(
|
||||
"has not encryption for Kubernetes secrets", result[0].status_extended
|
||||
"does not have encryption for Kubernetes secrets",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == cluster_name
|
||||
assert result[0].resource_arn == cluster_arn
|
||||
|
||||
@@ -104,7 +104,7 @@ class Test_elb_insecure_ssl_ciphers:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert search(
|
||||
"has not insecure SSL protocols or ciphers",
|
||||
"does not have insecure SSL protocols or ciphers",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == "my-lb"
|
||||
|
||||
@@ -97,7 +97,7 @@ class Test_elb_logging_enabled:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert search(
|
||||
"has not configured access logs",
|
||||
"does not have access logs configured",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == "my-lb"
|
||||
|
||||
@@ -108,7 +108,7 @@ class Test_elbv2_deletion_protection:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert search(
|
||||
"has not deletion protection",
|
||||
"does not have deletion protection",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == "my-lb"
|
||||
|
||||
@@ -125,7 +125,7 @@ class Test_elbv2_insecure_ssl_ciphers:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert search(
|
||||
"has not insecure SSL protocols or ciphers",
|
||||
"does not have insecure SSL protocols or ciphers",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == "my-lb"
|
||||
|
||||
@@ -111,7 +111,7 @@ class Test_elbv2_logging_enabled:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert search(
|
||||
"has not configured access logs",
|
||||
"does not have access logs configured",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == "my-lb"
|
||||
|
||||
@@ -59,7 +59,8 @@ class Test_emr_cluster_master_nodes_no_public_ip:
|
||||
assert result[0].resource_arn == cluster_arn
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended == f"EMR Cluster {cluster_id} has a Public IP"
|
||||
result[0].status_extended
|
||||
== f"EMR Cluster {cluster_id} has a Public IP."
|
||||
)
|
||||
|
||||
def test_cluster_private_running(self):
|
||||
@@ -97,7 +98,7 @@ class Test_emr_cluster_master_nodes_no_public_ip:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"EMR Cluster {cluster_id} has not a Public IP"
|
||||
== f"EMR Cluster {cluster_id} does not have a Public IP."
|
||||
)
|
||||
|
||||
def test_cluster_public_terminated(self):
|
||||
@@ -165,5 +166,5 @@ class Test_emr_cluster_master_nodes_no_public_ip:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"EMR Cluster {cluster_id} has not a Public IP"
|
||||
== f"EMR Cluster {cluster_id} does not have a Public IP."
|
||||
)
|
||||
|
||||
@@ -97,7 +97,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== "IAM Role test has not ReadOnlyAccess policy"
|
||||
== "IAM Role test does not have ReadOnlyAccess policy."
|
||||
)
|
||||
assert result[0].resource_id == "test"
|
||||
assert result[0].resource_arn == response["Role"]["Arn"]
|
||||
@@ -146,7 +146,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== "IAM Role test has read-only access but is not cross account"
|
||||
== "IAM Role test has read-only access but is not cross account."
|
||||
)
|
||||
assert result[0].resource_id == "test"
|
||||
assert result[0].resource_arn == response["Role"]["Arn"]
|
||||
@@ -195,7 +195,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== "IAM Role test gives cross account read-only access!"
|
||||
== "IAM Role test gives cross account read-only access."
|
||||
)
|
||||
assert result[0].resource_id == "test"
|
||||
assert result[0].resource_arn == response["Role"]["Arn"]
|
||||
@@ -244,7 +244,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== "IAM Role test gives cross account read-only access!"
|
||||
== "IAM Role test gives cross account read-only access."
|
||||
)
|
||||
assert result[0].resource_id == "test"
|
||||
assert result[0].resource_arn == response["Role"]["Arn"]
|
||||
|
||||
@@ -117,7 +117,7 @@ class Test_rds_instance_backup_enabled:
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert search(
|
||||
"has not backup enabled",
|
||||
"does not have backup enabled",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == "db-master-1"
|
||||
|
||||
@@ -97,7 +97,7 @@ class Test_workspaces_vpc_2private_1public_subnets_nat:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Workspace {workspace_id} is not in a private subnet or its VPC has not 1 public subnet and 2 private subnets with a NAT Gateway attached"
|
||||
== f"Workspace {workspace_id} is not in a private subnet or its VPC does not have 1 public subnet and 2 private subnets with a NAT Gateway attached."
|
||||
)
|
||||
assert result[0].resource_id == workspace_id
|
||||
assert result[0].resource_arn == ""
|
||||
@@ -163,7 +163,7 @@ class Test_workspaces_vpc_2private_1public_subnets_nat:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Workspace {workspace_id} is not in a private subnet or its VPC has not 1 public subnet and 2 private subnets with a NAT Gateway attached"
|
||||
== f"Workspace {workspace_id} is not in a private subnet or its VPC does not have 1 public subnet and 2 private subnets with a NAT Gateway attached."
|
||||
)
|
||||
assert result[0].resource_id == workspace_id
|
||||
assert result[0].resource_arn == ""
|
||||
@@ -246,7 +246,7 @@ class Test_workspaces_vpc_2private_1public_subnets_nat:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Workspace {workspace_id} is not in a private subnet or its VPC has not 1 public subnet and 2 private subnets with a NAT Gateway attached"
|
||||
== f"Workspace {workspace_id} is not in a private subnet or its VPC does not have 1 public subnet and 2 private subnets with a NAT Gateway attached."
|
||||
)
|
||||
assert result[0].resource_id == workspace_id
|
||||
assert result[0].resource_arn == ""
|
||||
@@ -348,7 +348,7 @@ class Test_workspaces_vpc_2private_1public_subnets_nat:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Workspace {workspace_id} is not in a private subnet or its VPC has not 1 public subnet and 2 private subnets with a NAT Gateway attached"
|
||||
== f"Workspace {workspace_id} is not in a private subnet or its VPC does not have 1 public subnet and 2 private subnets with a NAT Gateway attached."
|
||||
)
|
||||
assert result[0].resource_id == workspace_id
|
||||
assert result[0].resource_arn == ""
|
||||
@@ -458,7 +458,7 @@ class Test_workspaces_vpc_2private_1public_subnets_nat:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Workspace {workspace_id} is in a private subnet within a VPC which has 1 public subnet 2 private subnets with a NAT Gateway attached"
|
||||
== f"Workspace {workspace_id} is in a private subnet within a VPC which has 1 public subnet 2 private subnets with a NAT Gateway attached."
|
||||
)
|
||||
assert result[0].resource_id == workspace_id
|
||||
assert result[0].resource_arn == ""
|
||||
|
||||
Reference in New Issue
Block a user