feat(FMS): New Service FMS and Check fms_accounts_compliant (#2259)

Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Nacho Rivera <nacho@verica.io>

prowler/providers/aws/services/fms/fms_client.py

@@ -0,0 +1,4 @@
+from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
+from prowler.providers.aws.services.fms.fms_service import FMS
+
+fms_client = FMS(current_audit_info)

prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "aws",
+  "CheckID": "fms_policy_compliant",
+  "CheckTitle": "Ensure that all FMS policies inside an admin account are compliant",
+  "CheckType": [],
+  "ServiceName": "fms",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:fms:region:account-id:policy/policy",
+  "Severity": "medium",
+  "ResourceType": "Other",
+  "Description": "This check ensures all FMS policies inside an admin account are compliant",
+  "Risk": "If FMS policies are not compliant, means there are resources unprotected by the policies",
+  "RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-intro.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws fms list-policies",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure FMS is enabled and all the policies are compliant across your AWS accounts",
+      "Url": ""
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py

@@ -0,0 +1,29 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.fms.fms_client import fms_client
+
+
+class fms_policy_compliant(Check):
+    def execute(self):
+        findings = []
+        if fms_client.fms_admin_account:
+            report = Check_Report_AWS(self.metadata())
+            report.resource_id = "FMS"
+            report.resource_arn = ""
+            report.region = fms_client.region
+            report.status = "PASS"
+            report.status_extended = "FMS enabled with all compliant accounts"
+            non_compliant_policy = False
+            for policy in fms_client.fms_policies:
+                for policy_to_account in policy.compliance_status:
+                    if policy_to_account.status == "NON_COMPLIANT":
+                        report.status = "FAIL"
+                        report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}"
+                        report.resource_id = policy.id
+                        report.resource_arn = policy.arn
+                        non_compliant_policy = True
+                        break
+                if non_compliant_policy:
+                    break
+
+            findings.append(report)
+        return findings

prowler/providers/aws/services/fms/fms_service.py

@@ -0,0 +1,108 @@
+from botocore.client import ClientError
+from pydantic import BaseModel
+
+from prowler.lib.logger import logger
+from prowler.lib.scan_filters.scan_filters import is_resource_filtered
+from prowler.providers.aws.aws_provider import generate_regional_clients
+
+
+################## FMS
+class FMS:
+    def __init__(self, audit_info):
+        self.service = "fms"
+        self.session = audit_info.audit_session
+        self.audited_account = audit_info.audited_account
+        self.audited_partition = audit_info.audited_partition
+        self.audit_resources = audit_info.audit_resources
+        global_client = generate_regional_clients(
+            self.service, audit_info, global_service=True
+        )
+        self.client = list(global_client.values())[0]
+        self.region = self.client.region
+        self.fms_admin_account = True
+        self.fms_policies = []
+        self.__list_policies__()
+        self.__list_compliance_status__()
+
+    def __list_policies__(self):
+        logger.info("FMS - Listing Policies...")
+        try:
+            list_policies_paginator = self.client.get_paginator("list_policies")
+            try:
+                for page in list_policies_paginator.paginate():
+                    for fms_policy in page["PolicyList"]:
+                        if not self.audit_resources or (
+                            is_resource_filtered(
+                                fms_policy["PolicyArn"], self.audit_resources
+                            )
+                        ):
+                            self.fms_policies.append(
+                                Policy(
+                                    arn=fms_policy.get("PolicyArn"),
+                                    id=fms_policy.get("PolicyId"),
+                                    name=fms_policy.get("PolicyName"),
+                                    resource_type=fms_policy.get("ResourceType"),
+                                    service_type=fms_policy.get("SecurityServiceType"),
+                                    remediation_enabled=fms_policy.get(
+                                        "RemediationEnabled"
+                                    ),
+                                    delete_unused_managed_resources=fms_policy.get(
+                                        "DeleteUnusedFMManagedResources"
+                                    ),
+                                )
+                            )
+            except ClientError as error:
+                if error.response["Error"]["Code"] == "AccessDeniedException":
+                    if (
+                        "No default admin could be found for account"
+                        in error.response["Error"]["Message"]
+                    ):
+                        # FMS is not enabled in this account
+                        self.fms_admin_account = False
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
+            )
+
+    def __list_compliance_status__(self):
+        logger.info("FMS - Listing Policies...")
+        try:
+            for fms_policy in self.fms_policies:
+                list_compliance_status_paginator = self.client.get_paginator(
+                    "list_compliance_status"
+                )
+                for page in list_compliance_status_paginator.paginate(
+                    PolicyId=fms_policy.id
+                ):
+                    for fms_compliance_status in page["PolicyComplianceStatusList"]:
+                        fms_policy.compliance_status.append(
+                            PolicyAccountComplianceStatus(
+                                account_id=fms_compliance_status.get("MemberAccount"),
+                                policy_id=fms_compliance_status.get("PolicyId"),
+                                status=fms_compliance_status.get("EvaluationResults")[
+                                    0
+                                ].get("ComplianceStatus"),
+                            )
+                        )
+
+        except Exception as error:
+            logger.error(
+                f"{error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
+            )
+
+
+class PolicyAccountComplianceStatus(BaseModel):
+    account_id: str
+    policy_id: str
+    status: str
+
+
+class Policy(BaseModel):
+    arn: str
+    id: str
+    name: str
+    resource_type: str
+    service_type: str
+    remediation_enabled: bool
+    delete_unused_managed_resources: bool
+    compliance_status: list[PolicyAccountComplianceStatus] = []