From a5c63845b49ac2c3f1289d3c8123430da9ae0e7a Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Wed, 26 Jul 2023 16:29:27 +0200
Subject: [PATCH] test: security groups (#2627)

---
 ..._ingress_from_internet_to_any_port_test.py | 26 ++++++++++++++-----
 ...ternet_to_port_mongodb_27017_27018_test.py | 18 ++++++++++---
 ...rom_internet_to_tcp_ftp_port_20_21_test.py | 18 ++++++++++---
 ...gress_from_internet_to_tcp_port_22_test.py | 18 ++++++++++---
 ...ess_from_internet_to_tcp_port_3389_test.py | 18 ++++++++++---
 ..._tcp_port_cassandra_7199_9160_8888_test.py | 18 ++++++++++---
 ...lasticsearch_kibana_9200_9300_5601_test.py | 18 ++++++++++---
 ...om_internet_to_tcp_port_kafka_9092_test.py | 18 ++++++++++---
 ...ternet_to_tcp_port_memcached_11211_test.py | 18 ++++++++++---
 ...om_internet_to_tcp_port_mysql_3306_test.py | 18 ++++++++++---
 ...ernet_to_tcp_port_oracle_1521_2483_test.py | 18 ++++++++++---
 ...internet_to_tcp_port_postgres_5432_test.py | 18 ++++++++++---
 ...om_internet_to_tcp_port_redis_6379_test.py | 18 ++++++++++---
 ...t_to_tcp_port_sql_server_1433_1434_test.py | 18 ++++++++++---
 ...rom_internet_to_tcp_port_telnet_23_test.py | 18 ++++++++++---
 ...ygroup_allow_wide_open_public_ipv4_test.py | 18 ++++++++++---
 ...ritygroup_default_restrict_traffic_test.py | 18 ++++++++++---
 ...2_securitygroup_from_launch_wizard_test.py | 19 ++++++++++----
 .../ec2_securitygroup_not_used_test.py | 12 +++++++--
 ...oup_with_many_ingress_egress_rules_test.py | 18 ++++++++++---
 20 files changed, 282 insertions(+), 81 deletions(-)

diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py
index 4f4806f2..1f3b4d50 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -126,15 +130,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
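Review bot: `assert sg.resource_tags == []` in the second hunk only confirms the empty default, because the mocked group is never tagged, so a regression that drops tags from the finding would still pass here and in the identical hunks of the mongodb, ftp, port 22, port 3389, cassandra, elasticsearch, kafka, memcached, mysql, oracle, postgres and redis test files in this patch. Tagging the default group in the fixture (for example `create_tags` on `default_sg_id`) and asserting the resulting tag list would make the assertion exercise tag propagation, provided the mocked EC2 backend returns tags. In the first hunk the three per-index status checks could also be collapsed to `assert all(r.status == "PASS" for r in result)`, which scales with the `len(result) == 3` check on the line above it. The body of each test and its IpPermissions list continue outside the hunk.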
@@ -178,15 +186,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg_only_open_to_one_port(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -235,3 +247,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py
index e211afaf..62521d80 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py
index f48d9061..445f3731 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py
index c8398cd7..80251a48 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py
@@ -72,15 +72,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -126,15 +130,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -180,3 +188,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py
index 608578b5..0c7fe106 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py
@@ -72,15 +72,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -126,15 +130,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -180,3 +188,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py
index 676f754e..f194d329 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py
index b48da35c..4c3324a1 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py
index 6b927980..208a3e73 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -129,15 +133,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -185,3 +193,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py
index 1dd19b86..913ae25d 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
index 2d5f0e49..61ae819c 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
index 53368ead..f5f5b61b 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
index 1609a76f..452ff7f2 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
index b10e9580..850e6751 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -129,15 +133,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -185,3 +193,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
index 8f7a6cf1..e2640d52 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
@@ -74,15 +74,19 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -130,15 +134,19 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -186,3 +194,5 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
index 19ae1b73..feb21094 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
@@ -74,15 +74,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -129,15 +133,19 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -185,3 +193,5 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4_test.py
index 39a94740..2fd80748 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4_test.py
@@ -72,15 +72,19 @@ class Test_ec2_securitygroup_allow_wide_open_public_ipv4:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_default_sg_with_RFC1918_address(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -124,15 +128,19 @@ class Test_ec2_securitygroup_allow_wide_open_public_ipv4:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_default_sg_with_non_RFC1918_address(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -176,3 +184,5 @@ class Test_ec2_securitygroup_allow_wide_open_public_ipv4:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic_test.py
index 82613610..cff4d1a1 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic_test.py
@@ -71,15 +71,19 @@ class Test_ec2_securitygroup_default_restrict_traffic:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
@@ -118,15 +122,19 @@ class Test_ec2_securitygroup_default_restrict_traffic:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -167,3 +175,5 @@ class Test_ec2_securitygroup_default_restrict_traffic:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard_test.py
index f1d0b833..3dd76dc6 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard_test.py
@@ -73,15 +73,19 @@ class Test_ec2_securitygroup_from_launch_wizard:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_launch_wizard_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- sg_id = ec2_client.create_security_group(
- GroupName="launch-wizard-1", Description="launch wizard sg"
- )["GroupId"]
+ sg_name = "launch-wizard-1"
+ sg = ec2_client.create_security_group(
+ GroupName=sg_name, Description="launch wizard sg"
+ )
+ sg_id = sg["GroupId"]
 
 from prowler.providers.aws.services.ec2.ec2_service import EC2
 
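Review bot: In the `test_ec2_launch_wizard_sg` hunk of the launch-wizard file, the new `sg = ec2_client.create_security_group(GroupName=sg_name, Description="launch wizard sg")` binds `sg` to the boto3 response dict, yet the next hunk of the same method (`@@ -116,15 +120,18 @@`) reads `sg.resource_arn` and `sg.resource_details`, attributes of a check finding, so `sg` is evidently rebound later in the method (presumably by a `for sg in result` loop that lies outside the hunk). One name carrying two meanings inside a single test is easy to misread; `sg_response = ec2_client.create_security_group(GroupName=sg_name, Description="launch wizard sg")` and `sg_id = sg_response["GroupId"]` would keep the API response and the finding apart. The method body continues outside the hunk.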
@@ -116,15 +120,18 @@ class Test_ec2_securitygroup_from_launch_wizard:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{sg_id}"
 )
+ assert sg.resource_details == sg_name
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 
 ec2 = resource("ec2", region_name=AWS_REGION)
 ec2.create_instances(
@@ -169,3 +176,5 @@ class Test_ec2_securitygroup_from_launch_wizard:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py
index b14f7a92..1885d4d5 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py
@@ -78,8 +78,9 @@ class Test_ec2_securitygroup_not_used:
 ec2 = resource("ec2", AWS_REGION)
 ec2_client = client("ec2", region_name=AWS_REGION)
 vpc_id = ec2_client.create_vpc(CidrBlock="10.0.0.0/16")["Vpc"]["VpcId"]
+ sg_name = "test-sg"
 sg = ec2.create_security_group(
- GroupName="test-sg", Description="test", VpcId=vpc_id
+ GroupName=sg_name, Description="test", VpcId=vpc_id
 )
 
 from prowler.providers.aws.services.ec2.ec2_service import EC2
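Review bot: The `@@ -116,15 +120,18 @@` hunk of the launch-wizard file adds only `assert sg.resource_details == sg_name` after the resource_arn check, while the `@@ -169,3 +176,5 @@` hunk of the same file and every sibling hunk in this commit assert both `resource_details` and `resource_tags`. The launch-wizard finding is the only one in the commit whose tags go unchecked, which looks like an omission rather than a choice; adding `assert sg.resource_tags == []` directly after the new line would bring it in step with the rest. The surrounding loop and method start outside the hunk.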
@@ -112,6 +113,9 @@ class Test_ec2_securitygroup_not_used:
 result[0].resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{sg.id}"
 )
+ assert result[0].resource_id == sg.id
+ assert result[0].resource_details == sg_name
+ assert result[0].resource_tags == []
 
 @mock_ec2
 def test_ec2_used_default_sg(self):
@@ -119,8 +123,9 @@ class Test_ec2_securitygroup_not_used:
 ec2 = resource("ec2", AWS_REGION)
 ec2_client = client("ec2", region_name=AWS_REGION)
 vpc_id = ec2_client.create_vpc(CidrBlock="10.0.0.0/16")["Vpc"]["VpcId"]
+ sg_name = "test-sg"
 sg = ec2.create_security_group(
- GroupName="test-sg", Description="test", VpcId=vpc_id
+ GroupName=sg_name, Description="test", VpcId=vpc_id
 )
 subnet = ec2.create_subnet(VpcId=vpc_id, CidrBlock="10.0.0.0/18")
 subnet.create_network_interface(Groups=[sg.id])
@@ -155,3 +160,6 @@ class Test_ec2_securitygroup_not_used:
 result[0].resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{sg.id}"
 )
+ assert result[0].resource_id == sg.id
+ assert result[0].resource_details == sg_name
+ assert result[0].resource_tags == []
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules_test.py
index ed906de1..b2ab55ab 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules_test.py
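Review bot: In the not_used file, `sg_name = "test-sg"` is introduced as a local in both `@@ -78,8 +78,9 @@` and `@@ -119,8 +123,9 @@`, with the same literal in each, so the two test methods can silently drift apart if one copy is edited. A module-level `SG_NAME = "test-sg"` (or a class attribute on `Test_ec2_securitygroup_not_used`) referenced from both `create_security_group(GroupName=...)` calls and both `resource_details` assertions would keep the name defined once. Both test methods start outside their hunks.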
@@ -72,15 +72,19 @@ class Test_ec2_securitygroup_with_many_ingress_egress_rules:
 assert len(result) == 3
 # All are compliant by default
 assert result[0].status == "PASS"
+ assert result[1].status == "PASS"
+ assert result[2].status == "PASS"
 
 @mock_ec2
 def test_ec2_non_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 for i in range(60):
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
@@ -126,15 +130,19 @@ class Test_ec2_securitygroup_with_many_ingress_egress_rules:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []
 
 @mock_ec2
 def test_ec2_compliant_default_sg(self):
 # Create EC2 Mocked Resources
 ec2_client = client("ec2", region_name=AWS_REGION)
 ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
- default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[
+ default_sg = ec2_client.describe_security_groups(GroupNames=["default"])[
 "SecurityGroups"
- ][0]["GroupId"]
+ ][0]
+ default_sg_id = default_sg["GroupId"]
+ default_sg_name = default_sg["GroupName"]
 ec2_client.authorize_security_group_ingress(
 GroupId=default_sg_id,
 IpPermissions=[
@@ -180,3 +188,5 @@ class Test_ec2_securitygroup_with_many_ingress_egress_rules:
 sg.resource_arn
 == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}"
 )
+ assert sg.resource_details == default_sg_name
+ assert sg.resource_tags == []