fix(acm): add certificate id (#2903)

2026-02-10 06:45:08 +00:00 · 2023-10-03 13:03:46 +02:00
parent 436166c255
commit a4d3e78eb1
5 changed files with 37 additions and 24 deletions
--- a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py
+++ b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py
@@ -12,14 +12,16 @@ class acm_certificates_expiration_check(Check):
            report.region = certificate.region
            if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD:
                report.status = "PASS"
-                report.status_extended = f"ACM Certificate for {certificate.name} expires in {certificate.expiration_days} days."
-                report.resource_id = certificate.name
+                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
+                report.resource_id = certificate.id
+                report.resource_details = certificate.name
                report.resource_arn = certificate.arn
                report.resource_tags = certificate.tags
            else:
                report.status = "FAIL"
-                report.status_extended = f"ACM Certificate for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
-                report.resource_id = certificate.name
+                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
+                report.resource_id = certificate.id
+                report.resource_details = certificate.name
                report.resource_arn = certificate.arn
                report.resource_tags = certificate.tags

--- a/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py
+++ b/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py
@@ -10,23 +10,24 @@ class acm_certificates_transparency_logs_enabled(Check):
            report.region = certificate.region
            if certificate.type == "IMPORTED":
                report.status = "PASS"
-                report.status_extended = (
-                    f"ACM Certificate for {certificate.name} is imported."
-                )
-                report.resource_id = certificate.name
+                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is imported."
+                report.resource_id = certificate.id
+                report.resource_details = certificate.name
                report.resource_arn = certificate.arn
                report.resource_tags = certificate.tags
            else:
                if not certificate.transparency_logging:
                    report.status = "FAIL"
-                    report.status_extended = f"ACM Certificate for {certificate.name} has Certificate Transparency logging disabled."
-                    report.resource_id = certificate.name
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging disabled."
+                    report.resource_id = certificate.id
+                    report.resource_details = certificate.name
                    report.resource_arn = certificate.arn
                    report.resource_tags = certificate.tags
                else:
                    report.status = "PASS"
-                    report.status_extended = f"ACM Certificate for {certificate.name} has Certificate Transparency logging enabled."
-                    report.resource_id = certificate.name
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging enabled."
+                    report.resource_id = certificate.id
+                    report.resource_details = certificate.name
                    report.resource_arn = certificate.arn
                    report.resource_tags = certificate.tags
            findings.append(report)
--- a/prowler/providers/aws/services/acm/acm_service.py
+++ b/prowler/providers/aws/services/acm/acm_service.py
@@ -47,6 +47,7 @@ class ACM(AWSService):
                            Certificate(
                                arn=certificate["CertificateArn"],
                                name=certificate["DomainName"],
+                                id=certificate["CertificateArn"].split("/")[-1],
                                type=certificate["Type"],
                                expiration_days=certificate_expiration_time,
                                transparency_logging=False,
@@ -94,6 +95,7 @@ class ACM(AWSService):
 class Certificate(BaseModel):
    arn: str
    name: str
+    id: str
    type: str
    tags: Optional[list] = []
    expiration_days: int
--- a/tests/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check_test.py
+++ b/tests/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check_test.py
@@ -28,7 +28,8 @@ class Test_acm_certificates_expiration_check:
            assert len(result) == 0

    def test_acm_certificate_expirated(self):
-        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}"
+        certificate_id = str(uuid.uuid4())
+        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
        certificate_name = "test-certificate.com"
        certificate_type = "AMAZON_ISSUED"

@@ -36,6 +37,7 @@ class Test_acm_certificates_expiration_check:
        acm_client.certificates = [
            Certificate(
                arn=certificate_arn,
+                id=certificate_id,
                name=certificate_name,
                type=certificate_type,
                expiration_days=5,
@@ -60,15 +62,16 @@ class Test_acm_certificates_expiration_check:
            assert result[0].status == "FAIL"
            assert (
                result[0].status_extended
-                == f"ACM Certificate for {certificate_name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
+                == f"ACM Certificate {certificate_id} for {certificate_name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
            )
-            assert result[0].resource_id == certificate_name
+            assert result[0].resource_id == certificate_id
            assert result[0].resource_arn == certificate_arn
            assert result[0].region == AWS_REGION
            assert result[0].resource_tags == []

    def test_acm_certificate_not_expirated(self):
-        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}"
+        certificate_id = str(uuid.uuid4())
+        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
        certificate_name = "test-certificate.com"
        certificate_type = "AMAZON_ISSUED"
        expiration_days = 365
@@ -77,6 +80,7 @@ class Test_acm_certificates_expiration_check:
        acm_client.certificates = [
            Certificate(
                arn=certificate_arn,
+                id=certificate_id,
                name=certificate_name,
                type=certificate_type,
                expiration_days=expiration_days,
@@ -101,9 +105,9 @@ class Test_acm_certificates_expiration_check:
            assert result[0].status == "PASS"
            assert (
                result[0].status_extended
-                == f"ACM Certificate for {certificate_name} expires in {expiration_days} days."
+                == f"ACM Certificate {certificate_id} for {certificate_name} expires in {expiration_days} days."
            )
-            assert result[0].resource_id == certificate_name
+            assert result[0].resource_id == certificate_id
            assert result[0].resource_arn == certificate_arn
            assert result[0].region == AWS_REGION
            assert result[0].resource_tags == []
--- a/tests/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled_test.py
+++ b/tests/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled_test.py
@@ -27,7 +27,8 @@ class Test_acm_certificates_transparency_logs_enabled:
            assert len(result) == 0

    def test_acm_certificate_with_logging(self):
-        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}"
+        certificate_id = str(uuid.uuid4())
+        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
        certificate_name = "test-certificate.com"
        certificate_type = "AMAZON_ISSUED"

@@ -35,6 +36,7 @@ class Test_acm_certificates_transparency_logs_enabled:
        acm_client.certificates = [
            Certificate(
                arn=certificate_arn,
+                id=certificate_id,
                name=certificate_name,
                type=certificate_type,
                expiration_days=365,
@@ -59,15 +61,16 @@ class Test_acm_certificates_transparency_logs_enabled:
            assert result[0].status == "PASS"
            assert (
                result[0].status_extended
-                == f"ACM Certificate for {certificate_name} has Certificate Transparency logging enabled."
+                == f"ACM Certificate {certificate_id} for {certificate_name} has Certificate Transparency logging enabled."
            )
-            assert result[0].resource_id == certificate_name
+            assert result[0].resource_id == certificate_id
            assert result[0].resource_arn == certificate_arn
            assert result[0].region == AWS_REGION
            assert result[0].resource_tags == []

    def test_acm_certificate_without_logging(self):
-        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}"
+        certificate_id = str(uuid.uuid4())
+        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
        certificate_name = "test-certificate.com"
        certificate_type = "AMAZON_ISSUED"

@@ -75,6 +78,7 @@ class Test_acm_certificates_transparency_logs_enabled:
        acm_client.certificates = [
            Certificate(
                arn=certificate_arn,
+                id=certificate_id,
                name=certificate_name,
                type=certificate_type,
                expiration_days=365,
@@ -99,9 +103,9 @@ class Test_acm_certificates_transparency_logs_enabled:
            assert result[0].status == "FAIL"
            assert (
                result[0].status_extended
-                == f"ACM Certificate for {certificate_name} has Certificate Transparency logging disabled."
+                == f"ACM Certificate {certificate_id} for {certificate_name} has Certificate Transparency logging disabled."
            )
-            assert result[0].resource_id == certificate_name
+            assert result[0].resource_id == certificate_id
            assert result[0].resource_arn == certificate_arn
            assert result[0].region == AWS_REGION
            assert result[0].resource_tags == []