diff --git a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py
index 97acecb2..f8af3ead 100644
--- a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py
+++ b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py
@@ -12,14 +12,16 @@ class acm_certificates_expiration_check(Check):
 report.region = certificate.region
 if certificate.expiration_days > DAYS_TO_EXPIRE_THRESHOLD:
 report.status = "PASS"
- report.status_extended = f"ACM Certificate for {certificate.name} expires in {certificate.expiration_days} days."
- report.resource_id = certificate.name
+ report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} expires in {certificate.expiration_days} days."
+ report.resource_id = certificate.id
+ report.resource_details = certificate.name
 report.resource_arn = certificate.arn
 report.resource_tags = certificate.tags
 else:
 report.status = "FAIL"
- report.status_extended = f"ACM Certificate for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
- report.resource_id = certificate.name
+ report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
+ report.resource_id = certificate.id
+ report.resource_details = certificate.name
 report.resource_arn = certificate.arn
 report.resource_tags = certificate.tags
diff --git a/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py b/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py
index 69c0a13a..9ef750a4 100644
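Review bot: The FAIL branch's rewritten status_extended still prints DAYS_TO_EXPIRE_THRESHOLD rather than the certificate's own remaining days, so a finding for a certificate with 2 days left — or, if expiration_days can be zero or negative for an already-lapsed certificate, one that has expired — reads as "about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days"; the PASS branch already uses certificate.expiration_days, and `report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."` would make the FAIL message equally precise (the expiration test's expected string would change with it). The four assignments repeated in both branches (resource_id, resource_details, resource_arn, resource_tags) could be set once before the if, leaving only status and status_extended per branch; the same duplication appears in the transparency-logs hunk. The enclosing method starts before the hunk and appears to continue past it.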
--- a/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py
+++ b/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py
@@ -10,23 +10,24 @@ class acm_certificates_transparency_logs_enabled(Check):
 report.region = certificate.region
 if certificate.type == "IMPORTED":
 report.status = "PASS"
- report.status_extended = (
- f"ACM Certificate for {certificate.name} is imported."
- )
- report.resource_id = certificate.name
+ report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is imported."
+ report.resource_id = certificate.id
+ report.resource_details = certificate.name
 report.resource_arn = certificate.arn
 report.resource_tags = certificate.tags
 else:
 if not certificate.transparency_logging:
 report.status = "FAIL"
- report.status_extended = f"ACM Certificate for {certificate.name} has Certificate Transparency logging disabled."
- report.resource_id = certificate.name
+ report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging disabled."
+ report.resource_id = certificate.id
+ report.resource_details = certificate.name
 report.resource_arn = certificate.arn
 report.resource_tags = certificate.tags
 else:
 report.status = "PASS"
- report.status_extended = f"ACM Certificate for {certificate.name} has Certificate Transparency logging enabled."
- report.resource_id = certificate.name
+ report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging enabled."
+ report.resource_id = certificate.id
+ report.resource_details = certificate.name
 report.resource_arn = certificate.arn
 report.resource_tags = certificate.tags
 findings.append(report)
diff --git a/prowler/providers/aws/services/acm/acm_service.py b/prowler/providers/aws/services/acm/acm_service.py
index 9926a0ab..4f0e5de4 100644
--- a/prowler/providers/aws/services/acm/acm_service.py
+++ b/prowler/providers/aws/services/acm/acm_service.py
@@ -47,6 +47,7 @@ class ACM(AWSService):
 Certificate(
 arn=certificate["CertificateArn"],
 name=certificate["DomainName"],
+ id=certificate["CertificateArn"].split("/")[-1],
 type=certificate["Type"],
 expiration_days=certificate_expiration_time,
 transparency_logging=False,
@@ -94,6 +95,7 @@ class ACM(AWSService):
 class Certificate(BaseModel):
 arn: str
 name: str
+ id: str
 type: str
 tags: Optional[list] = []
 expiration_days: int
diff --git a/tests/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check_test.py b/tests/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check_test.py
index c680d5d8..dee88196 100644
--- a/tests/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check_test.py
+++ b/tests/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check_test.py
@@ -28,7 +28,8 @@ class Test_acm_certificates_expiration_check:
 assert len(result) == 0
 def test_acm_certificate_expirated(self):
- certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}"
+ certificate_id = str(uuid.uuid4())
+ certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
 certificate_name = "test-certificate.com"
 certificate_type = "AMAZON_ISSUED"
@@ -36,6 +37,7 @@ class Test_acm_certificates_expiration_check:
 acm_client.certificates = [
 Certificate(
 arn=certificate_arn,
+ id=certificate_id,
 name=certificate_name,
 type=certificate_type,
 expiration_days=5,
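Review bot: The added `id=certificate["CertificateArn"].split("/")[-1]` leaves the reader to work out why the last path segment is the certificate ID; a comment such as `# ACM ARNs end in "certificate/<id>"; the final path segment is the certificate ID` would record the assumption, and `certificate["CertificateArn"].rpartition("/")[2]` says "last segment" without building the intermediate list. Both forms fall back to the whole ARN if it ever contains no "/", which is worth knowing but not a problem for the report fields here. The Certificate(...) construction and the method around it start and end outside the hunk.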
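Review bot: The new required field `id: str` on Certificate is undocumented, and its name shadows the builtin `id` within the class body; a trailing comment `id: str  # certificate ID, the last path segment of the ARN` ties it to how acm_service derives it. Being required with no default, it must now be supplied at every Certificate(...) call — the service and the two visible test files do so; any other construction site is outside this diff. The class body continues past the hunk.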
@@ -60,15 +62,16 @@ class Test_acm_certificates_expiration_check:
 assert result[0].status == "FAIL"
 assert (
 result[0].status_extended
- == f"ACM Certificate for {certificate_name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
+ == f"ACM Certificate {certificate_id} for {certificate_name} is about to expire in {DAYS_TO_EXPIRE_THRESHOLD} days."
 )
- assert result[0].resource_id == certificate_name
+ assert result[0].resource_id == certificate_id
 assert result[0].resource_arn == certificate_arn
 assert result[0].region == AWS_REGION
 assert result[0].resource_tags == []
 def test_acm_certificate_not_expirated(self):
- certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}"
+ certificate_id = str(uuid.uuid4())
+ certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
 certificate_name = "test-certificate.com"
 certificate_type = "AMAZON_ISSUED"
 expiration_days = 365
@@ -77,6 +80,7 @@ class Test_acm_certificates_expiration_check:
 acm_client.certificates = [
 Certificate(
 arn=certificate_arn,
+ id=certificate_id,
 name=certificate_name,
 type=certificate_type,
 expiration_days=expiration_days,
@@ -101,9 +105,9 @@ class Test_acm_certificates_expiration_check:
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"ACM Certificate for {certificate_name} expires in {expiration_days} days."
+ == f"ACM Certificate {certificate_id} for {certificate_name} expires in {expiration_days} days."
 )
- assert result[0].resource_id == certificate_name
+ assert result[0].resource_id == certificate_id
 assert result[0].resource_arn == certificate_arn
 assert result[0].region == AWS_REGION
 assert result[0].resource_tags == []
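Review bot: None of the updated assertions cover the new `resource_details` field that the check now sets to the certificate name, so a regression in that assignment would go unnoticed; add `assert result[0].resource_details == certificate_name` next to `assert result[0].resource_id == certificate_id` in both assertion hunks here (the expired and not-expired cases) and in the two matching assertion hunks of the transparency-logs test. Each test method extends beyond its hunk.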
diff --git a/tests/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled_test.py b/tests/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled_test.py
index becdb1ce..11ff3581 100644
--- a/tests/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled_test.py
+++ b/tests/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled_test.py
@@ -27,7 +27,8 @@ class Test_acm_certificates_transparency_logs_enabled:
 assert len(result) == 0
 def test_acm_certificate_with_logging(self):
- certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}"
+ certificate_id = str(uuid.uuid4())
+ certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
 certificate_name = "test-certificate.com"
 certificate_type = "AMAZON_ISSUED"
@@ -35,6 +36,7 @@ class Test_acm_certificates_transparency_logs_enabled:
 acm_client.certificates = [
 Certificate(
 arn=certificate_arn,
+ id=certificate_id,
 name=certificate_name,
 type=certificate_type,
 expiration_days=365,
@@ -59,15 +61,16 @@ class Test_acm_certificates_transparency_logs_enabled:
 assert result[0].status == "PASS"
 assert (
 result[0].status_extended
- == f"ACM Certificate for {certificate_name} has Certificate Transparency logging enabled."
+ == f"ACM Certificate {certificate_id} for {certificate_name} has Certificate Transparency logging enabled."
 )
- assert result[0].resource_id == certificate_name
+ assert result[0].resource_id == certificate_id
 assert result[0].resource_arn == certificate_arn
 assert result[0].region == AWS_REGION
 assert result[0].resource_tags == []
 def test_acm_certificate_without_logging(self):
- certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{str(uuid.uuid4())}"
+ certificate_id = str(uuid.uuid4())
+ certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
 certificate_name = "test-certificate.com"
 certificate_type = "AMAZON_ISSUED"
@@ -75,6 +78,7 @@ class Test_acm_certificates_transparency_logs_enabled:
 acm_client.certificates = [
 Certificate(
 arn=certificate_arn,
+ id=certificate_id,
 name=certificate_name,
 type=certificate_type,
 expiration_days=365,
@@ -99,9 +103,9 @@ class Test_acm_certificates_transparency_logs_enabled:
 assert result[0].status == "FAIL"
 assert (
 result[0].status_extended
- == f"ACM Certificate for {certificate_name} has Certificate Transparency logging disabled."
+ == f"ACM Certificate {certificate_id} for {certificate_name} has Certificate Transparency logging disabled."
 )
- assert result[0].resource_id == certificate_name
+ assert result[0].resource_id == certificate_id
 assert result[0].resource_arn == certificate_arn
 assert result[0].region == AWS_REGION
 assert result[0].resource_tags == []