test(audit_info): refactor iam (#3163)

This commit is contained in:
Nacho Rivera
2023-12-05 15:59:53 +01:00
committed by GitHub
parent 3962c9d816
commit a81cbbc325
37 changed files with 551 additions and 1554 deletions


@@ -2,49 +2,16 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_administrator_access_with_mfa_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_group_with_no_policies(self):
iam = client("iam")
@@ -54,7 +21,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -97,7 +64,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -135,7 +102,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -175,7 +142,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -239,7 +206,7 @@ class Test_iam_administrator_access_with_mfa_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
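Review bot: The module-level constants `AWS_ACCOUNT_NUMBER` and `AWS_REGION` are deleted from the top of this file, but only the `set_mocked_audit_info()` call sites are updated in the visible hunks; any remaining reference in the test bodies outside the hunks (for example an expected `resource_arn` built from the account id, or a `region` assertion) would now fail with NameError. The inline-policy file in this same commit shows the intended pattern: it imports `AWS_ACCOUNT_NUMBER` from `tests.providers.aws.audit_info_utils` and asserts against `AWS_REGION_US_EAST_1`. The same deletion without a replacement import appears in the avoid_root_usage, check_saml_providers_sts, no_custom_policy_permissive_role_assumption, no_expired_server_certificates_stored and no_root_access_key sections. If the full files were run green this is moot, but it is worth confirming rather than inferring from the hunks.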


@@ -3,49 +3,15 @@ from csv import DictReader
from re import search
from unittest import mock
from boto3 import session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_avoid_root_usage:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_root_not_used(self):
raw_credential_report = r"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
@@ -56,7 +22,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -96,7 +62,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -136,7 +102,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -176,7 +142,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -216,7 +182,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -256,7 +222,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -296,7 +262,7 @@ class Test_iam_avoid_root_usage:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,47 +1,16 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_aws_attached_policy_no_administrative_privileges_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_policy_with_administrative_privileges(self):
iam_client = client("iam")
@@ -52,7 +21,7 @@ class Test_iam_aws_attached_policy_no_administrative_privileges_test:
iam_client.attach_role_policy(
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess", RoleName="my-role"
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -91,7 +60,7 @@ class Test_iam_aws_attached_policy_no_administrative_privileges_test:
PolicyArn="arn:aws:iam::aws:policy/IAMUserChangePassword",
RoleName="my-role",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -133,7 +102,7 @@ class Test_iam_aws_attached_policy_no_administrative_privileges_test:
PolicyArn="arn:aws:iam::aws:policy/IAMUserChangePassword",
RoleName="my-role",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
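Review bot: The removed per-file mock built the audit info with `audited_regions=["us-east-1", "eu-west-1"]`, while every replacement call passes only `[AWS_REGION_US_EAST_1]`, so these tests no longer exercise an audit scoped to more than one region. IAM is a global service, so this presumably does not change the check outcome, but the narrowing is silent and the same thing happens in the customer_attached_policy and customer_unattached_policy sections. If single-region is the intended fixture for all IAM checks, a short comment at the first call site saying so would stop the next reader from wondering whether coverage was lost, e.g. `# IAM is global; a single audited region is enough for these checks`.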


@@ -1,48 +1,15 @@
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_check_saml_providers_sts:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_iam_check_saml_providers_sts(self):
iam_client = client("iam")
@@ -81,7 +48,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -2,47 +2,16 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_customer_attached_policy_no_administrative_privileges_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_policy_administrative(self):
iam_client = client("iam")
@@ -60,7 +29,7 @@ class Test_iam_customer_attached_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
iam_client.attach_role_policy(PolicyArn=arn, RoleName="my-role")
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -102,7 +71,7 @@ class Test_iam_customer_attached_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
iam_client.attach_role_policy(PolicyArn=arn, RoleName="my-role")
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -159,7 +128,7 @@ class Test_iam_customer_attached_policy_no_administrative_privileges_test:
PolicyArn=arn_non_administrative, RoleName="my-role"
)
iam_client.attach_role_policy(PolicyArn=arn_administrative, RoleName="my-role")
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(


@@ -2,47 +2,16 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_customer_unattached_policy_no_administrative_privileges_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_policy_administrative(self):
iam_client = client("iam")
@@ -57,7 +26,7 @@ class Test_iam_customer_unattached_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -96,7 +65,7 @@ class Test_iam_customer_unattached_policy_no_administrative_privileges_test:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -147,7 +116,7 @@ class Test_iam_customer_unattached_policy_no_administrative_privileges_test:
PolicyDocument=dumps(policy_document_administrative),
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(


@@ -1,14 +1,14 @@
from json import dumps
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
INLINE_POLICY_ADMIN = {
"Version": "2012-10-17",
@@ -32,36 +32,6 @@ ASSUME_ROLE_POLICY_DOCUMENT = {
class Test_iam_inline_policy_no_administrative_privileges:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=[AWS_REGION],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
# Groups
@mock_iam
@@ -73,7 +43,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
_ = iam_client.create_group(GroupName=group_name)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -108,7 +78,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -126,7 +96,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges()
results = check.execute()
assert len(results) == 1
assert results[0].region == AWS_REGION
assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == group_arn
assert results[0].resource_id == f"{group_name}/{policy_name}"
assert results[0].resource_tags == []
@@ -152,7 +122,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -170,7 +140,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges()
results = check.execute()
assert len(results) == 1
assert results[0].region == AWS_REGION
assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == group_arn
assert results[0].resource_id == f"{group_name}/{policy_name}"
assert results[0].resource_tags == []
@@ -204,7 +174,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -224,7 +194,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
assert len(results) == 2
for result in results:
if result.resource_id == policy_name_admin:
assert result.region == AWS_REGION
assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == group_arn
assert result.resource_id == policy_name_admin
assert result.resource_tags == []
@@ -235,7 +205,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
)
elif result.resource_id == policy_name_not_admin:
assert result.region == AWS_REGION
assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == group_arn
assert result.resource_id == policy_name_not_admin
assert result.resource_tags == []
@@ -258,7 +228,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -296,7 +266,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -314,7 +284,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges()
results = check.execute()
assert len(results) == 1
assert results[0].region == AWS_REGION
assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == role_arn
assert results[0].resource_id == f"{role_name}/{policy_name}"
assert results[0].resource_tags == []
@@ -343,7 +313,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -361,7 +331,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges()
results = check.execute()
assert len(results) == 1
assert results[0].region == AWS_REGION
assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == role_arn
assert results[0].resource_id == f"{role_name}/{policy_name}"
assert results[0].resource_tags == []
@@ -397,7 +367,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -417,7 +387,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
assert len(results) == 2
for result in results:
if result.resource_id == policy_name_admin:
assert result.region == AWS_REGION
assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == role_arn
assert result.resource_id == policy_name_admin
assert result.resource_tags == []
@@ -428,7 +398,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
)
elif result.resource_id == policy_name_not_admin:
assert result.region == AWS_REGION
assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == role_arn
assert result.resource_id == policy_name_not_admin
assert result.resource_tags == []
@@ -450,7 +420,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -487,7 +457,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -505,7 +475,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges()
results = check.execute()
assert len(results) == 1
assert results[0].region == AWS_REGION
assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == user_arn
assert results[0].resource_id == f"{user_name}/{policy_name}"
assert results[0].resource_tags == []
@@ -533,7 +503,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_NOT_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -551,7 +521,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
check = iam_inline_policy_no_administrative_privileges()
results = check.execute()
assert len(results) == 1
assert results[0].region == AWS_REGION
assert results[0].region == AWS_REGION_US_EAST_1
assert results[0].resource_arn == user_arn
assert results[0].resource_id == f"{user_name}/{policy_name}"
assert results[0].resource_tags == []
@@ -586,7 +556,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
PolicyDocument=dumps(INLINE_POLICY_ADMIN),
)
# Audit Info
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
@@ -606,7 +576,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
assert len(results) == 2
for result in results:
if result.resource_id == policy_name_admin:
assert result.region == AWS_REGION
assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == user_arn
assert result.resource_id == policy_name_admin
assert result.resource_tags == []
@@ -617,7 +587,7 @@ class Test_iam_inline_policy_no_administrative_privileges:
)
elif result.resource_id == policy_name_not_admin:
assert result.region == AWS_REGION
assert result.region == AWS_REGION_US_EAST_1
assert result.resource_arn == user_arn
assert result.resource_id == policy_name_not_admin
assert result.resource_tags == []


@@ -2,49 +2,16 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_no_custom_policy_permissive_role_assumption:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_policy_allows_permissive_role_assumption_wildcard(self):
iam_client = client("iam")
@@ -61,7 +28,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -101,7 +68,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -145,7 +112,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -185,7 +152,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -237,7 +204,7 @@ class Test_iam_no_custom_policy_permissive_role_assumption:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,54 +1,21 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_no_expired_server_certificates_stored_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_no_certificates(self):
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -79,7 +46,7 @@ class Test_iam_no_expired_server_certificates_stored_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,49 +1,16 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_no_root_access_key_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_iam_root_no_access_keys(self):
iam_client = client("iam")
@@ -52,7 +19,7 @@ class Test_iam_no_root_access_key_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -95,7 +62,7 @@ class Test_iam_no_root_access_key_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -138,7 +105,7 @@ class Test_iam_no_root_access_key_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -181,7 +148,7 @@ class Test_iam_no_root_access_key_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
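Review bot: The removed module constant `AWS_ACCOUNT_NUMBER` is not re-imported in the new `from tests.providers.aws.audit_info_utils import (...)` block, which brings in only `AWS_REGION_US_EAST_1` and `set_mocked_aws_audit_info`. If any assertion further down in Test_iam_no_root_access_key_test still references `AWS_ACCOUNT_NUMBER` (the later hunks in this section do not show one), it now needs `AWS_ACCOUNT_NUMBER,` added to that import, as the password-policy test modules in this commit do. The test methods of this class start outside the shown hunks, so this cannot be confirmed from the diff alone.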


@@ -1,55 +1,22 @@
from re import search
from unittest import mock
from boto3 import session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=AWS_ACCOUNT_ARN,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_password_expiration_lower_90(self):
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -81,7 +48,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
assert result[0].status == "PASS"
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert search(
"Password expiration is set lower than 90 days",
result[0].status_extended,
@@ -91,7 +58,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
def test_password_expiration_greater_90(self):
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -123,7 +90,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
assert result[0].status == "FAIL"
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert search(
"Password expiration is set greater than 90 days",
result[0].status_extended,
@@ -133,7 +100,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
def test_password_expiration_just_90(self):
from prowler.providers.aws.services.iam.iam_service import IAM, PasswordPolicy
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -165,7 +132,7 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
assert result[0].status == "PASS"
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert search(
"Password expiration is set lower than 90 days",
result[0].status_extended,


@@ -1,49 +1,18 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_password_policy_lowercase:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_iam_password_policy_no_lowercase_flag(self):
iam_client = client("iam")
@@ -52,7 +21,7 @@ class Test_iam_password_policy_lowercase:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +45,7 @@ class Test_iam_password_policy_lowercase:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_password_policy_lowercase_flag(self):
@@ -86,7 +55,7 @@ class Test_iam_password_policy_lowercase:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -110,4 +79,4 @@ class Test_iam_password_policy_lowercase:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1


@@ -1,48 +1,24 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_password_policy_minimum_length_14:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_iam_password_policy_minimum_length_equal_14(self):
@@ -52,7 +28,7 @@ class Test_iam_password_policy_minimum_length_14:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +52,7 @@ class Test_iam_password_policy_minimum_length_14:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_password_policy_minimum_length_greater_14(self):
@@ -86,7 +62,7 @@ class Test_iam_password_policy_minimum_length_14:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -110,7 +86,7 @@ class Test_iam_password_policy_minimum_length_14:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_password_policy_minimum_length_less_14(self):
@@ -120,7 +96,7 @@ class Test_iam_password_policy_minimum_length_14:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -144,4 +120,4 @@ class Test_iam_password_policy_minimum_length_14:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
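Review bot: The `from tests.providers.aws.audit_info_utils import (...)` block that sits inside the class body, where the removed `set_mocked_audit_info` method used to be, duplicates the module-level import added at the top of the same hunk; no `+`/`-` markers survive on this page, but both blocks appear to be on the new side. A class-body import binds `AWS_ACCOUNT_ARN`, `AWS_ACCOUNT_NUMBER`, `AWS_REGION_US_EAST_1` and `set_mocked_aws_audit_info` as class attributes, which is unusual for a test module and easy to mistake for leftover fixture code; delete the indented copy and keep only the module-level one. The same duplicated in-class import appears in the Test_iam_password_policy_number, Test_iam_password_policy_reuse_24, Test_iam_password_policy_symbol, Test_iam_password_policy_uppercase and Test_iam_policy_allows_privilege_escalation sections.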


@@ -1,48 +1,24 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_password_policy_number:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_iam_password_policy_no_number_flag(self):
@@ -52,7 +28,7 @@ class Test_iam_password_policy_number:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +52,7 @@ class Test_iam_password_policy_number:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_password_policy_number_flag(self):
@@ -86,7 +62,7 @@ class Test_iam_password_policy_number:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -110,4 +86,4 @@ class Test_iam_password_policy_number:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1


@@ -1,47 +1,23 @@
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_password_policy_reuse_24:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_iam_password_policy_reuse_prevention_equal_24(self):
@@ -49,7 +25,7 @@ class Test_iam_password_policy_reuse_24:
# update password policy
iam_client.update_account_password_policy(PasswordReusePrevention=24)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -74,7 +50,7 @@ class Test_iam_password_policy_reuse_24:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_password_policy_reuse_prevention_less_24(self):
@@ -82,7 +58,7 @@ class Test_iam_password_policy_reuse_24:
# update password policy
iam_client.update_account_password_policy(PasswordReusePrevention=20)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -107,4 +83,4 @@ class Test_iam_password_policy_reuse_24:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1


@@ -1,48 +1,24 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_password_policy_symbol:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_iam_password_policy_no_symbol_flag(self):
@@ -52,7 +28,7 @@ class Test_iam_password_policy_symbol:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +52,7 @@ class Test_iam_password_policy_symbol:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_password_policy_symbol_flag(self):
@@ -86,7 +62,7 @@ class Test_iam_password_policy_symbol:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -110,4 +86,4 @@ class Test_iam_password_policy_symbol:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1


@@ -1,47 +1,23 @@
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_password_policy_uppercase:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_iam_password_policy_no_uppercase_flag(self):
@@ -49,7 +25,7 @@ class Test_iam_password_policy_uppercase:
# update password policy
iam_client.update_account_password_policy(RequireUppercaseCharacters=False)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -74,7 +50,7 @@ class Test_iam_password_policy_uppercase:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_password_policy_uppercase_flag(self):
@@ -82,7 +58,7 @@ class Test_iam_password_policy_uppercase:
# update password policy
iam_client.update_account_password_policy(RequireUppercaseCharacters=True)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -107,4 +83,4 @@ class Test_iam_password_policy_uppercase:
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1


@@ -2,14 +2,14 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_REGION = "us-east-1"
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
# Keep this up-to-date with the check's actions that allows for privilege escalation
privilege_escalation_policies_combination = {
@@ -84,40 +84,16 @@ privilege_escalation_policies_combination = {
class Test_iam_policy_allows_privilege_escalation:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
# @mock_iam
# def test_iam_policy_allows_privilege_escalation_sts(self):
# iam_client = client("iam", region_name=AWS_REGION)
# iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
# policy_name = "policy1"
# policy_document = {
# "Version": "2012-10-17",
@@ -128,10 +104,8 @@ class Test_iam_policy_allows_privilege_escalation:
# policy_arn = iam_client.create_policy(
# PolicyName=policy_name, PolicyDocument=dumps(policy_document)
# )["Policy"]["Arn"]
# current_audit_info = self.set_mocked_audit_info()
# set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
# from prowler.providers.aws.services.iam.iam_service import IAM
# with mock.patch(
# "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
# new=current_audit_info,
@@ -143,7 +117,6 @@ class Test_iam_policy_allows_privilege_escalation:
# from prowler.providers.aws.services.iam.iam_policy_allows_privilege_escalation.iam_policy_allows_privilege_escalation import (
# iam_policy_allows_privilege_escalation,
# )
# check = iam_policy_allows_privilege_escalation()
# result = check.execute()
# assert len(result) == 1
@@ -157,7 +130,7 @@ class Test_iam_policy_allows_privilege_escalation:
@mock_iam
def test_iam_policy_not_allows_privilege_escalation(self):
iam_client = client("iam", region_name=AWS_REGION)
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1"
policy_document = {
"Version": "2012-10-17",
@@ -171,7 +144,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -196,12 +169,12 @@ class Test_iam_policy_allows_privilege_escalation:
)
assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
@mock_iam
def test_iam_policy_not_allows_privilege_escalation_glue_GetDevEndpoints(self):
iam_client = client("iam", region_name=AWS_REGION)
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1"
policy_document = {
"Version": "2012-10-17",
@@ -219,7 +192,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -244,12 +217,12 @@ class Test_iam_policy_allows_privilege_escalation:
)
assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
@mock_iam
def test_iam_policy_not_allows_privilege_escalation_dynamodb_PutItem(self):
iam_client = client("iam", region_name=AWS_REGION)
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1"
policy_document = {
"Version": "2012-10-17",
@@ -278,7 +251,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -303,14 +276,14 @@ class Test_iam_policy_allows_privilege_escalation:
)
assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
@mock_iam
def test_iam_policy_allows_privilege_escalation_iam_all_and_ec2_RunInstances(
self,
):
iam_client = client("iam", region_name=AWS_REGION)
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1"
policy_document = {
"Version": "2012-10-17",
@@ -333,7 +306,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -354,7 +327,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
assert search(
@@ -368,7 +341,7 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_iam_PassRole(
self,
):
iam_client = client("iam", region_name=AWS_REGION)
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1"
policy_document = {
"Version": "2012-10-17",
@@ -384,7 +357,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -405,7 +378,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
assert search(
@@ -418,7 +391,7 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_two_combinations(
self,
):
iam_client = client("iam", region_name=AWS_REGION)
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1"
policy_document = {
"Version": "2012-10-17",
@@ -453,7 +426,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -474,7 +447,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
assert search(
@@ -490,7 +463,7 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_iam_PassRole_and_other_actions(
self,
):
iam_client = client("iam", region_name=AWS_REGION)
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "policy1"
policy_document = {
"Version": "2012-10-17",
@@ -511,7 +484,7 @@ class Test_iam_policy_allows_privilege_escalation:
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)["Policy"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -532,7 +505,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
assert search(
@@ -545,8 +518,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_policies_combination(
self,
):
current_audit_info = self.set_mocked_audit_info()
iam_client = client("iam", region_name=AWS_REGION)
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name = "privileged_policy"
for values in privilege_escalation_policies_combination.values():
print(list(values))
@@ -585,7 +558,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert result[0].status == "FAIL"
assert result[0].resource_id == policy_name
assert result[0].resource_arn == policy_arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
assert search(
@@ -604,8 +577,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_two_policies_one_good_one_bad(
self,
):
current_audit_info = self.set_mocked_audit_info()
iam_client = client("iam", region_name=AWS_REGION)
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1"
policy_document_1 = {
"Version": "2012-10-17",
@@ -672,7 +645,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "PASS"
assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert (
finding.status_extended
@@ -683,7 +656,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL"
assert finding.resource_id == policy_name_2
assert finding.resource_arn == policy_arn_2
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert search(
f"Custom Policy {policy_arn_2} allows privilege escalation using the following actions: ",
@@ -697,8 +670,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_two_bad_policies(
self,
):
current_audit_info = self.set_mocked_audit_info()
iam_client = client("iam", region_name=AWS_REGION)
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1"
policy_document_1 = {
"Version": "2012-10-17",
@@ -772,7 +745,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert search(
@@ -787,7 +760,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL"
assert finding.resource_id == policy_name_2
assert finding.resource_arn == policy_arn_2
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert search(
@@ -802,8 +775,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_over_permissive_policy(
self,
):
current_audit_info = self.set_mocked_audit_info()
iam_client = client("iam", region_name=AWS_REGION)
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1"
policy_document_1 = {
"Version": "2012-10-17",
@@ -853,7 +826,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert search(
@@ -868,8 +841,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_administrator_policy(
self,
):
current_audit_info = self.set_mocked_audit_info()
iam_client = client("iam", region_name=AWS_REGION)
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1"
policy_document_1 = {
"Version": "2012-10-17",
@@ -909,7 +882,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert search(
f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:",
@@ -926,8 +899,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_iam_put(
self,
):
current_audit_info = self.set_mocked_audit_info()
iam_client = client("iam", region_name=AWS_REGION)
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1"
policy_document_1 = {
"Version": "2012-10-17",
@@ -967,7 +940,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert search(
f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:",
@@ -979,8 +952,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_allows_privilege_escalation_iam_wildcard(
self,
):
current_audit_info = self.set_mocked_audit_info()
iam_client = client("iam", region_name=AWS_REGION)
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1"
policy_document_1 = {
"Version": "2012-10-17",
@@ -1020,7 +993,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "FAIL"
assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert search(
f"Custom Policy {policy_arn_1} allows privilege escalation using the following actions:",
@@ -1032,8 +1005,8 @@ class Test_iam_policy_allows_privilege_escalation:
def test_iam_policy_not_allows_privilege_escalation_custom_policy(
self,
):
current_audit_info = self.set_mocked_audit_info()
iam_client = client("iam", region_name=AWS_REGION)
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)
policy_name_1 = "privileged_policy_1"
policy_document_1 = {
"Version": "2012-10-17",
@@ -1048,7 +1021,7 @@ class Test_iam_policy_allows_privilege_escalation:
"Sid": "",
"Effect": "Allow",
"Action": "es:*",
"Resource": f"arn:aws:es:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:domain/test/*",
"Resource": f"arn:aws:es:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:domain/test/*",
},
],
}
@@ -1079,7 +1052,7 @@ class Test_iam_policy_allows_privilege_escalation:
assert finding.status == "PASS"
assert finding.resource_id == policy_name_1
assert finding.resource_arn == policy_arn_1
assert finding.region == AWS_REGION
assert finding.region == AWS_REGION_US_EAST_1
assert finding.resource_tags == []
assert (
finding.status_extended


@@ -1,48 +1,17 @@
from json import dumps
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "eu-west-1"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_policy_attached_only_to_group_or_roles:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=[AWS_REGION],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_iam_user_attached_policy(self):
result = []
@@ -61,7 +30,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
)["Policy"]["Arn"]
iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -82,7 +51,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended
== f"User {user} has the policy {policy_name} attached."
)
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == f"{user}/{policy_name}"
assert (
result[0].resource_arn
@@ -110,7 +79,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
)["Policy"]["Arn"]
iam_client.attach_user_policy(UserName=user, PolicyArn=policyArn)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -132,7 +101,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended
== f"User {user} has the policy {policyName} attached."
)
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == f"{user}/{policyName}"
assert result[0].status == "FAIL"
@@ -140,7 +109,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended
== f"User {user} has the policy {policyName} attached."
)
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == f"{user}/{policyName}"
assert (
result[0].resource_arn
@@ -164,7 +133,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
UserName=user, PolicyName=policyName, PolicyDocument=dumps(policyDocument)
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -185,7 +154,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended
== f"User {user} has the inline policy {policyName} attached."
)
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == f"{user}/{policyName}"
assert (
result[0].resource_arn
@@ -199,7 +168,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
user = "test_no_policies"
iam_client.create_user(UserName=user)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -220,7 +189,7 @@ class Test_iam_policy_attached_only_to_group_or_roles:
result[0].status_extended
== f"User {user} has no inline or attached policies."
)
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_id == user
assert (
result[0].resource_arn
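Review bot: Switching `Test_iam_policy_attached_only_to_group_or_roles` from its own `AWS_REGION = "eu-west-1"` mock to `set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])` keeps every `result[0].region` assertion consistent, but it removes the one IAM test class in this commit that audited a region other than us-east-1 with no `profile_region` set. If the shared helper accepts an arbitrary region list, it would be worth keeping at least one of these tests on a second region so the check's region attribution under a non-default audited region stays covered; otherwise a short comment on the class such as `# All IAM tests are pinned to us-east-1 via the shared mocked audit info` would record that this is deliberate. The test bodies that consume `AWS_ACCOUNT_NUMBER` from the new import are outside this section.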


@@ -1,49 +1,20 @@
from json import dumps
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_policy_no_full_access_to_cloudtrail:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=None,
audited_account_arn=None,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_policy_full_access_to_cloudtrail(self):
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam")
policy_name = "policy_cloudtrail_full"
policy_document_full_access = {
@@ -82,7 +53,7 @@ class Test_iam_policy_no_full_access_to_cloudtrail:
@mock_iam
def test_policy_no_full_access_to_cloudtrail(self):
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam")
policy_name = "policy_no_cloudtrail_full"
policy_document_full_access = {
@@ -121,7 +92,7 @@ class Test_iam_policy_no_full_access_to_cloudtrail:
@mock_iam
def test_policy_mixed(self):
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam")
policy_name = "policy_mixed"
policy_document_full_access = {
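Review bot: `iam_client = client("iam")` in each of the three tests of `Test_iam_policy_no_full_access_to_cloudtrail` builds the boto3 client with no region, so the test only works when `AWS_DEFAULT_REGION` is provided by the environment or a conftest fixture and otherwise fails with `NoRegionError` before the check runs; the other files in this commit pass it explicitly, and the constant is already imported here, so `iam_client = client("iam", region_name=AWS_REGION_US_EAST_1)` would also keep the client on the same region as the mocked audit info built from `set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])`. The same applies to the three tests of `Test_iam_policy_no_full_access_to_kms` in the next file and to `test_user_no_access_keys` in `Test_iam_rotate_access_key_90_days_test`. The bodies of these tests continue outside the visible hunks.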


@@ -1,49 +1,20 @@
from json import dumps
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_policy_no_full_access_to_kms:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=None,
audited_account_arn=None,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_policy_full_access_to_kms(self):
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam")
policy_name = "policy_kms_full"
policy_document_full_access = {
@@ -82,7 +53,7 @@ class Test_iam_policy_no_full_access_to_kms:
@mock_iam
def test_policy_no_full_access_to_kms(self):
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam")
policy_name = "policy_no_kms_full"
policy_document_full_access = {
@@ -121,7 +92,7 @@ class Test_iam_policy_no_full_access_to_kms:
@mock_iam
def test_policy_mixed(self):
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam_client = client("iam")
policy_name = "policy_mixed"
policy_document_full_access = {


@@ -1,54 +1,25 @@
from json import dumps
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import Role
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ID = "123456789012"
class Test_iam_role_administratoraccess_policy:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_no_roles(self):
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
@@ -83,7 +54,7 @@ class Test_iam_role_administratoraccess_policy:
AssumeRolePolicyDocument=dumps(assume_role_policy_document),
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -132,7 +103,7 @@ class Test_iam_role_administratoraccess_policy:
PolicyArn="arn:aws:iam::aws:policy/SecurityAudit",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -181,7 +152,7 @@ class Test_iam_role_administratoraccess_policy:
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -230,7 +201,7 @@ class Test_iam_role_administratoraccess_policy:
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -279,7 +250,7 @@ class Test_iam_role_administratoraccess_policy:
)
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,54 +1,25 @@
from json import dumps
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import Role
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ID = "123456789012"
class Test_iam_role_cross_account_readonlyaccess_policy:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_no_roles(self):
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
@@ -83,7 +54,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
AssumeRolePolicyDocument=dumps(assume_role_policy_document),
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -132,7 +103,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -181,7 +152,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -230,7 +201,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
PolicyArn="arn:aws:iam::aws:policy/ReadOnlyAccess",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -279,7 +250,7 @@ class Test_iam_role_cross_account_readonlyaccess_policy:
)
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,54 +1,25 @@
from json import dumps
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import Role
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_REGION = "us-east-1"
AWS_ACCOUNT_ID = "123456789012"
class Test_iam_role_cross_service_confused_deputy_prevention:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_no_roles(self):
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -88,7 +59,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
)
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
@@ -127,7 +98,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -175,7 +146,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -225,7 +196,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -275,7 +246,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -325,7 +296,7 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
current_audit_info.audited_account = AWS_ACCOUNT_ID
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
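Review bot: Every test in `Test_iam_role_cross_service_confused_deputy_prevention` still follows `set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])` with `current_audit_info.audited_account = AWS_ACCOUNT_ID`, which now looks redundant: the sibling files in this commit import `AWS_ACCOUNT_NUMBER` from the same `tests.providers.aws.audit_info_utils` module, and the helper presumably already populates `audited_account` from it (worth confirming, since the helper is not shown here). If so, the override and the module-level `AWS_ACCOUNT_ID` constant can be dropped in favour of importing `AWS_ACCOUNT_NUMBER` from `tests.providers.aws.audit_info_utils` wherever the tests need the account id. As written, `audited_account_arn` comes from the helper while `audited_account` is overwritten locally, so the two only agree as long as both constants hold the same account number.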


@@ -1,46 +1,22 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_root_hardware_mfa_enabled_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_root_hardware_virtual_mfa_enabled(self):
@@ -50,7 +26,7 @@ class Test_iam_root_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -83,7 +59,7 @@ class Test_iam_root_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
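Review bot: `tests.providers.aws.audit_info_utils` is imported twice in the new `Test_iam_root_hardware_mfa_enabled_test` file: once at module level with only `AWS_REGION_US_EAST_1` and `set_mocked_aws_audit_info`, and again in the slot where the removed `set_mocked_audit_info` method stood, directly after the `class` line and before the first `@mock_iam`, which given the surrounding lines can only be inside the class body (the rendered view drops indentation). A class-scope import binds `AWS_ACCOUNT_ARN` and `AWS_ACCOUNT_NUMBER` as class attributes that method bodies cannot reach as bare names, so any test in this class that still references them directly would raise `NameError`; the method bodies lie outside this section, so that needs checking. Merge the two into a single module-level `from tests.providers.aws.audit_info_utils import (AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info)` and delete the class-level block. `Test_iam_root_mfa_enabled_test` in the next file has the same duplicated import in the same position.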


@@ -1,46 +1,24 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_root_mfa_enabled_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_root_mfa_not_enabled(self):
@@ -48,7 +26,7 @@ class Test_iam_root_mfa_enabled_test:
user = "test-user"
iam_client.create_user(UserName=user)["User"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -83,7 +61,7 @@ class Test_iam_root_mfa_enabled_test:
user = "test-user"
iam_client.create_user(UserName=user)["User"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(


@@ -1,48 +1,16 @@
import datetime
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_rotate_access_key_90_days_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_user_no_access_keys(self):
iam_client = client("iam")
@@ -51,7 +19,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -76,7 +44,7 @@ class Test_iam_rotate_access_key_90_days_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_user_access_key_1_not_rotated(self):
@@ -89,7 +57,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -117,7 +85,7 @@ class Test_iam_rotate_access_key_90_days_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_user_access_key_2_not_rotated(self):
@@ -130,7 +98,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -158,7 +126,7 @@ class Test_iam_rotate_access_key_90_days_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_user_both_access_keys_not_rotated(self):
@@ -171,7 +139,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -204,7 +172,7 @@ class Test_iam_rotate_access_key_90_days_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[1].status == "FAIL"
assert (
result[1].status_extended
@@ -212,7 +180,7 @@ class Test_iam_rotate_access_key_90_days_test:
)
assert result[1].resource_id == user
assert result[1].resource_arn == arn
assert result[1].region == AWS_REGION
assert result[1].region == AWS_REGION_US_EAST_1
@mock_iam
def test_user_both_access_keys_rotated(self):
@@ -225,7 +193,7 @@ class Test_iam_rotate_access_key_90_days_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -259,4 +227,4 @@ class Test_iam_rotate_access_key_90_days_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1


@@ -2,51 +2,20 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM
from prowler.providers.common.models import Audit_Metadata
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
class Test_iam_securityaudit_role_created:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
@mock_iam
def test_securityaudit_role_created(self):
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = client("iam")
role_name = "test_securityaudit_role_created"
assume_role_policy_document = {
@@ -93,7 +62,7 @@ class Test_iam_securityaudit_role_created:
@mock_iam
def test_no_securityaudit_role_created(self):
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -2,16 +2,18 @@ from json import dumps
from uuid import uuid4
import botocore
from boto3 import client, session
from boto3 import client
from freezegun import freeze_time
from mock import patch
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.aws.services.iam.iam_service import IAM, Policy, is_service_role
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
TEST_DATETIME = "2023-01-01T12:01:01+00:00"
INLINE_POLICY_NOT_ADMIN = {
@@ -77,42 +79,12 @@ def mock_make_api_call(self, operation_name, kwargs):
# Patch every AWS call using Boto3
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
class Test_IAM_Service:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=None,
audited_account_arn=None,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region="us-east-1",
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
# Test IAM Client
@mock_iam
def test__get_client__(self):
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert iam.client.__class__.__name__ == "IAM"
@@ -120,7 +92,7 @@ class Test_IAM_Service:
@mock_iam
def test__get_session__(self):
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert iam.session.__class__.__name__ == "Session"
@@ -162,7 +134,7 @@ class Test_IAM_Service:
}
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.credential_report) == 1
assert iam.credential_report[0].get("user")
@@ -333,7 +305,7 @@ class Test_IAM_Service:
)["Role"]
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.roles) == len(iam_client.list_roles()["Roles"])
@@ -360,7 +332,7 @@ class Test_IAM_Service:
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.groups) == len(iam_client.list_groups()["Groups"])
@@ -384,7 +356,7 @@ class Test_IAM_Service:
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.users) == len(iam_client.list_users()["Users"])
assert iam.users[0].tags == [
@@ -402,7 +374,7 @@ class Test_IAM_Service:
account_summary = iam_client.get_account_summary()["SummaryMap"]
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert iam.account_summary["SummaryMap"] == account_summary
@@ -436,7 +408,7 @@ class Test_IAM_Service:
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert iam.password_policy.length == min_password_length
@@ -472,7 +444,7 @@ class Test_IAM_Service:
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.users) == 1
@@ -506,7 +478,7 @@ class Test_IAM_Service:
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.virtual_mfa_devices) == 1
@@ -533,7 +505,7 @@ class Test_IAM_Service:
iam_client.add_user_to_group(GroupName=group, UserName=username)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.groups) == 1
@@ -580,7 +552,7 @@ class Test_IAM_Service:
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.groups) == 1
@@ -615,7 +587,7 @@ class Test_IAM_Service:
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.roles) == 1
@@ -636,7 +608,7 @@ class Test_IAM_Service:
EntityFilter="Role",
)["PolicyRoles"]
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.entities_role_attached_to_support_policy) == 0
@@ -667,7 +639,7 @@ class Test_IAM_Service:
EntityFilter="Role",
)["PolicyRoles"]
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.entities_role_attached_to_support_policy) == 1
assert iam.entities_role_attached_to_support_policy[0]["RoleName"] == role_name
@@ -680,7 +652,7 @@ class Test_IAM_Service:
EntityFilter="Role",
)["PolicyRoles"]
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.entities_role_attached_to_securityaudit_policy) == 0
@@ -711,7 +683,7 @@ class Test_IAM_Service:
EntityFilter="Role",
)["PolicyRoles"]
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.entities_role_attached_to_securityaudit_policy) == 1
assert (
@@ -736,7 +708,7 @@ class Test_IAM_Service:
{"Key": "string", "Value": "string"},
],
)
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
custom_policies = 0
for policy in iam.policies:
@@ -761,7 +733,7 @@ class Test_IAM_Service:
iam_client.create_policy(
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
)
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
custom_policies = 0
@@ -812,7 +784,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.saml_providers) == 1
@@ -836,7 +808,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.users) == 1
@@ -880,7 +852,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
iam_client.delete_policy
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.groups) == 1
@@ -924,7 +896,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
)
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.roles) == 1
@@ -964,7 +936,7 @@ nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
access_key = iam_client.create_access_key(UserName="test-user")
access_key_id = access_key["AccessKey"]["AccessKeyId"]
# IAM client for this test class
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
iam = IAM(audit_info)
assert len(iam.users) == 1
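Review bot: Every test in `Test_IAM_Service` now opens with the same pair of lines, `audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])` followed by `iam = IAM(audit_info)`, repeated roughly twenty-five times across the class. A pytest fixture or a small helper such as `def _iam(self): return IAM(set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]))` would keep the mocked region and account in one place, which is where the removed per-class `set_mocked_audit_info` had it, so a later change to the mocked identity is reviewed once rather than in every test. The old fixture used `audited_account=None`; the shared helper presumably fills in `AWS_ACCOUNT_NUMBER` (it is now imported at the top of the file), which is worth confirming for the tests that compare ARNs. The hunks cut through the test bodies, so this is a style point only.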


@@ -2,46 +2,24 @@ from json import dumps
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_support_role_created:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_support_role_created(self):
@@ -65,7 +43,7 @@ class Test_iam_support_role_created:
PolicyArn="arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy",
)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -94,7 +72,7 @@ class Test_iam_support_role_created:
@mock_iam
def test_no_support_role_created(self):
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
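Review bot: The second `from tests.providers.aws.audit_info_utils import (...)` block, the one adding `AWS_ACCOUNT_ARN` and `AWS_ACCOUNT_NUMBER`, sits between the `class Test_iam_support_role_created:` line and the first `@mock_iam`, and the hunk counts (`-2,46 +2,24`) only add up if both import blocks are on the new side, so this one appears to be indented inside the class body. Names bound at class scope are not visible from method bodies, so the tests cannot use `AWS_ACCOUNT_ARN` or `AWS_ACCOUNT_NUMBER` as written (a reference inside a test would raise NameError), and the four names become attributes of the test class. Fold the extra names into the module-level import, `from tests.providers.aws.audit_info_utils import (AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info)`, and delete the in-class block, or drop the two names entirely if nothing uses them. The test bodies are cut by the hunks, so I cannot tell from here whether either name is referenced.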


@@ -1,50 +1,19 @@
import datetime
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_user_accesskey_unused_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
audit_config={"max_unused_access_keys_days": 45},
)
return audit_info
@mock_iam
def test_user_no_access_keys(self):
iam_client = client("iam")
@@ -53,7 +22,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -84,7 +55,7 @@ class Test_iam_user_accesskey_unused_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_user_access_key_1_not_used(self):
@@ -97,7 +68,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -126,7 +99,7 @@ class Test_iam_user_accesskey_unused_test:
)
assert result[0].resource_id == user + "/AccessKey1"
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_user_access_key_2_not_used(self):
@@ -139,7 +112,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -168,7 +143,7 @@ class Test_iam_user_accesskey_unused_test:
)
assert result[0].resource_id == user + "/AccessKey2"
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_user_both_access_keys_not_used(self):
@@ -181,7 +156,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -215,7 +192,7 @@ class Test_iam_user_accesskey_unused_test:
)
assert result[0].resource_id == user + "/AccessKey1"
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
assert result[1].status == "FAIL"
assert (
@@ -237,7 +214,9 @@ class Test_iam_user_accesskey_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -271,4 +250,4 @@ class Test_iam_user_accesskey_unused_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
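Review bot: The literal `audit_config={"max_unused_access_keys_days": 45}` is now repeated in all five `set_mocked_aws_audit_info(...)` calls, and the only thing tying it to the check under test is that key string. Hoisting it to one module-level constant, e.g. `AUDIT_CONFIG = {"max_unused_access_keys_days": 45}` next to the imports and `set_mocked_aws_audit_info([AWS_REGION_US_EAST_1], audit_config=AUDIT_CONFIG)` in each test, keeps the threshold in one place and makes a wrong key copied into a sibling test file stand out. The hunks cut through the test bodies, so this is a style point only.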


@@ -1,50 +1,19 @@
import datetime
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
class Test_iam_user_console_access_unused_test:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
region_name=AWS_REGION,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=AWS_REGION,
credentials=None,
assumed_role_info=None,
audited_regions=None,
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
audit_config={"max_console_access_days": 45},
)
return audit_info
@mock_iam
def test_iam_user_logged_45_days(self):
password_last_used = (
@@ -56,7 +25,9 @@ class Test_iam_user_console_access_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -81,7 +52,7 @@ class Test_iam_user_console_access_unused_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_user_not_logged_45_days(self):
@@ -94,7 +65,9 @@ class Test_iam_user_console_access_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -119,7 +92,7 @@ class Test_iam_user_console_access_unused_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
@mock_iam
def test_iam_user_not_logged(self):
@@ -129,7 +102,9 @@ class Test_iam_user_console_access_unused_test:
from prowler.providers.aws.services.iam.iam_service import IAM
audit_info = self.set_mocked_audit_info()
audit_info = set_mocked_aws_audit_info(
[AWS_REGION_US_EAST_1], audit_config={"max_unused_access_keys_days": 45}
)
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -155,4 +130,4 @@ class Test_iam_user_console_access_unused_test:
)
assert result[0].resource_id == user
assert result[0].resource_arn == arn
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
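Review bot: The three `set_mocked_aws_audit_info(... audit_config={"max_unused_access_keys_days": 45})` calls in `Test_iam_user_console_access_unused_test` replace a fixture that passed `audit_config={"max_console_access_days": 45}`, so the configuration key for this check has been swapped for the access-key one. Presumably `iam_user_console_access_unused` reads `max_console_access_days`, as the removed fixture did, in which case all three tests now exercise whatever fallback the check applies when the key is absent rather than a configured 45-day threshold, and `test_iam_user_logged_45_days` / `test_iam_user_not_logged_45_days` only keep passing while that fallback happens to be 45. Restore the original key in each call: `audit_config={"max_console_access_days": 45}`. A single module-level constant for the config dict would keep the three calls in step and make this kind of copy-paste visible.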


@@ -1,46 +1,24 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_hardware_mfa_enabled_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_user_no_mfa_devices(self):
@@ -50,7 +28,7 @@ class Test_iam_user_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -83,7 +61,7 @@ class Test_iam_user_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -122,7 +100,7 @@ class Test_iam_user_hardware_mfa_enabled_test:
from prowler.providers.aws.services.iam.iam_service import IAM, MFADevice
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,45 +1,23 @@
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_mfa_enabled_console_access_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_root_user_not_password_console_enabled(self):
@@ -47,10 +25,9 @@ class Test_iam_user_mfa_enabled_console_access_test:
user = "test-user"
arn = iam_client.create_user(UserName=user)["User"]["Arn"]
current_audit_info = self.set_mocked_audit_info()
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
@@ -83,7 +60,7 @@ class Test_iam_user_mfa_enabled_console_access_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
@@ -116,7 +93,7 @@ class Test_iam_user_mfa_enabled_console_access_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
@@ -150,7 +127,7 @@ class Test_iam_user_mfa_enabled_console_access_test:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
new=current_audit_info,
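Review bot: The import block listing `AWS_ACCOUNT_ARN`, `AWS_ACCOUNT_NUMBER`, `AWS_REGION_US_EAST_1` and `set_mocked_aws_audit_info` lands between the `class Test_iam_user_mfa_enabled_console_access_test:` line and the first `@mock_iam`, and with the hunk counts (`-1,45 +1,23`) both import blocks must be on the new side, so this one appears to be nested in the class body. Functions do not see the class scope that encloses them, so `AWS_ACCOUNT_ARN` and `AWS_ACCOUNT_NUMBER` cannot be used inside the tests as written and would raise NameError if referenced. Move the two names up into the existing module-level `from tests.providers.aws.audit_info_utils import (...)` and drop the nested block, or delete the block outright if nothing references them. The test bodies are cut by the hunks, so I cannot confirm their use either way.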


@@ -2,46 +2,23 @@ from csv import DictReader
from re import search
from unittest import mock
from boto3 import session
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_no_setup_initial_access_key_test:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_setup_access_key_1_fail(self):
@@ -51,7 +28,7 @@ test_false_access_key_1,arn:aws:iam::123456789012:test_false_access_key_1,2022-0
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -80,7 +57,7 @@ test_false_access_key_2,arn:aws:iam::123456789012:test_false_access_key_2,2022-0
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -109,7 +86,7 @@ test_false_both_access_keys,arn:aws:iam::123456789012:test_false_both_access_key
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
@@ -140,7 +117,7 @@ test_pass,arn:aws:iam::123456789012:test_pass,2022-02-17T14:59:38+00:00,not_supp
csv_reader = DictReader(credential_lines, delimiter=",")
credential_list = list(csv_reader)
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
from prowler.providers.aws.services.iam.iam_service import IAM
with mock.patch(
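Review bot: Here too a second `from tests.providers.aws.audit_info_utils import (AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, ...)` block sits between `class Test_iam_user_no_setup_initial_access_key_test:` and the first `@mock_iam`, and the hunk counts (`-2,46 +2,23`) only add up with both blocks on the new side, so it is evidently inside the class body. Names bound there are not visible from the test methods, so the two account names are unusable as written and would raise NameError if a test referenced them; the credential-report lines in this file hard-code `arn:aws:iam::123456789012:...` anyway, so they may simply be unused. Either fold the two names into the module-level import or delete the nested block. The test bodies continue outside the hunks, so confirm before removing.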


@@ -1,46 +1,24 @@
from re import search
from unittest import mock
from boto3 import client, session
from boto3 import client
from moto import mock_iam
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from prowler.providers.common.models import Audit_Metadata
from tests.providers.aws.audit_info_utils import (
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
AWS_ACCOUNT_NUMBER = "123456789012"
class Test_iam_user_two_active_access_key:
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=session.Session(
profile_name=None,
botocore_session=None,
),
audited_account=AWS_ACCOUNT_NUMBER,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root",
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
)
return audit_info
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
)
@mock_iam
def test_iam_user_two_active_access_key(self):
@@ -55,7 +33,7 @@ class Test_iam_user_two_active_access_key:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -94,7 +72,7 @@ class Test_iam_user_two_active_access_key:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -129,7 +107,7 @@ class Test_iam_user_two_active_access_key:
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
@@ -159,7 +137,7 @@ class Test_iam_user_two_active_access_key:
def test_iam_no_users(self):
from prowler.providers.aws.services.iam.iam_service import IAM
current_audit_info = self.set_mocked_audit_info()
current_audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",


@@ -1,9 +1,10 @@
from unittest import mock
from prowler.providers.aws.services.iam.iam_service import IAM
AWS_REGION = "us-east-1"
AWS_ACCOUNT_NUMBER = "123456789012"
from tests.providers.aws.audit_info_utils import (
AWS_ACCOUNT_NUMBER,
AWS_REGION_US_EAST_1,
)
IAM_USER_NAME = "test-user"
IAM_USER_ARN = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/{IAM_USER_NAME}"
@@ -13,7 +14,7 @@ USER_DATA = (IAM_USER_NAME, IAM_USER_ARN)
class Test_iam_user_with_temporary_credentials:
def test_no_users(self):
iam_client = mock.MagicMock
iam_client.region = AWS_REGION
iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {}
iam_client.last_accessed_services = {}
@@ -42,7 +43,7 @@ class Test_iam_user_with_temporary_credentials:
def test_user_no_access_keys_no_accesed_services(self):
iam_client = mock.MagicMock
iam_client.region = AWS_REGION
iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: []}
iam_client.last_accessed_services = {USER_DATA: []}
@@ -75,11 +76,11 @@ class Test_iam_user_with_temporary_credentials:
)
assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
def test_user_access_keys_no_accesed_services(self):
iam_client = mock.MagicMock
iam_client.region = AWS_REGION
iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]}
iam_client.last_accessed_services = {USER_DATA: []}
@@ -112,11 +113,11 @@ class Test_iam_user_with_temporary_credentials:
)
assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
def test_user_access_keys_accesed_services_sts(self):
iam_client = mock.MagicMock
iam_client.region = AWS_REGION
iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]}
iam_client.last_accessed_services = {USER_DATA: [{"ServiceNamespace": "sts"}]}
@@ -149,11 +150,11 @@ class Test_iam_user_with_temporary_credentials:
)
assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
def test_access_keys_with_iam_and_sts(self):
iam_client = mock.MagicMock
iam_client.region = AWS_REGION
iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]}
iam_client.last_accessed_services = {
@@ -188,11 +189,11 @@ class Test_iam_user_with_temporary_credentials:
)
assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
def test_access_keys_with_iam_and_ec2(self):
iam_client = mock.MagicMock
iam_client.region = AWS_REGION
iam_client.region = AWS_REGION_US_EAST_1
iam_client.access_keys_metadata = {USER_DATA: [{"AccessKeyId": 1}]}
iam_client.last_accessed_services = {
@@ -227,4 +228,4 @@ class Test_iam_user_with_temporary_credentials:
)
assert result[0].resource_id == IAM_USER_NAME
assert result[0].resource_arn == IAM_USER_ARN
assert result[0].region == AWS_REGION
assert result[0].region == AWS_REGION_US_EAST_1
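Review bot: The new `iam_client.region = AWS_REGION_US_EAST_1` lines, beginning in the `test_no_users` hunk, assign onto the `mock.MagicMock` class itself, because each test binds `iam_client = mock.MagicMock` without calling it; the following `access_keys_metadata` and `last_accessed_services` assignments do the same. Those become class attributes that live for the whole pytest process, so the tests in this class overwrite one another's state and any later `MagicMock()` instance in the session inherits this test's `region` and key metadata instead of auto-creating a child mock. Each test should instantiate the mock, `iam_client = mock.MagicMock()`, which leaves the rest of the setup unchanged. The same pattern appears in every test visible in this section, so the fix applies to all six.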