feat(regions): Filter Audited Regions (-f) (#1202)

* feat(filter-regions): Added -f and ebs encryption check. * feat(filter-regions): Added -f and ebs encryption check. * feat(regional_clients): add regional_clients. * fix(global variables): created global variables * chore(role option): Mixed -A/-R option including error handling * fix(arn): import errors from error.py file * fix(review_comments): Review PR comments. Co-authored-by: sergargar <sergio@verica.io> Co-authored-by: n4ch04 <nachor1992@gmail.com>
2026-02-13 00:05:04 +00:00 · 2022-06-20 11:25:26 +02:00
parent f694a6d12a
commit b89b883741
16 changed files with 30264 additions and 96 deletions
--- a/lib/arn/arn.py
+++ b/lib/arn/arn.py
@@ -0,0 +1,45 @@
+from arnparse import arnparse
+
+from lib.arn.error import (
+    RoleArnParsingEmptyResource,
+    RoleArnParsingFailedMissingFields,
+    RoleArnParsingIAMRegionNotEmpty,
+    RoleArnParsingInvalidAccountID,
+    RoleArnParsingInvalidResourceType,
+    RoleArnParsingPartitionEmpty,
+    RoleArnParsingServiceNotIAM,
+)
+
+
+def arn_parsing(arn):
+    # check for number of fields, must be six
+    if len(arn.split(":")) != 6:
+        raise RoleArnParsingFailedMissingFields
+    else:
+        arn_parsed = arnparse(arn)
+        # First check if region is empty (in IAM arns region is always empty)
+        if arn_parsed.region != None:
+            raise RoleArnParsingIAMRegionNotEmpty
+        else:
+            # check if needed fields are filled:
+            # - partition
+            # - service
+            # - account_id
+            # - resource_type
+            # - resource
+            if arn_parsed.partition == None:
+                raise RoleArnParsingPartitionEmpty
+            elif arn_parsed.service != "iam":
+                raise RoleArnParsingServiceNotIAM
+            elif (
+                arn_parsed.account_id == None
+                or len(arn_parsed.account_id) != 12
+                or not arn_parsed.account_id.isnumeric()
+            ):
+                raise RoleArnParsingInvalidAccountID
+            elif arn_parsed.resource_type != "role":
+                raise RoleArnParsingInvalidResourceType
+            elif arn_parsed.resource == "":
+                raise RoleArnParsingEmptyResource
+            else:
+                return arn_parsed
--- a/lib/arn/error.py
+++ b/lib/arn/error.py
@@ -0,0 +1,43 @@
+class RoleArnParsingFailedMissingFields(Exception):
+    # The arn contains a numberof fields different than six separated by :"
+    def __init__(self):
+        self.message = "The assumed role arn contains a number of fields different than six separated by :, please input a valid arn"
+        super().__init__(self.message)
+
+
+class RoleArnParsingIAMRegionNotEmpty(Exception):
+    # The arn contains a non-empty value for region, since it is an IAM arn is not valid
+    def __init__(self):
+        self.message = "The assumed role arn contains a non-empty value for region, since it is an IAM arn is not valid, please input a valid arn"
+        super().__init__(self.message)
+
+
+class RoleArnParsingPartitionEmpty(Exception):
+    # The arn contains an empty value for partition
+    def __init__(self):
+        self.message = "The assumed role arn does not contain a value for partition, please input a valid arn"
+        super().__init__(self.message)
+
+
+class RoleArnParsingServiceNotIAM(Exception):
+    def __init__(self):
+        self.message = "The assumed role arn contains a value for service distinct than iam, please input a valid arn"
+        super().__init__(self.message)
+
+
+class RoleArnParsingInvalidAccountID(Exception):
+    def __init__(self):
+        self.message = "The assumed role arn contains a value for account id empty or invalid, a valid account id must be composed of 12 numbers, please input a valid arn"
+        super().__init__(self.message)
+
+
+class RoleArnParsingInvalidResourceType(Exception):
+    def __init__(self):
+        self.message = "The assumed role arn contains a value for resource type different than role, please input a valid arn"
+        super().__init__(self.message)
+
+
+class RoleArnParsingEmptyResource(Exception):
+    def __init__(self):
+        self.message = "The assumed role arn does not contain a value for resource, please input a valid arn"
+        super().__init__(self.message)
--- a/lib/check/check.py
+++ b/lib/check/check.py
@@ -3,6 +3,7 @@ import pkgutil
 from abc import ABC, abstractmethod
 from dataclasses import dataclass
 from types import ModuleType
+from colorama import Fore, Style

 from config.config import groups_file
 from lib.logger import logger
@@ -126,7 +127,7 @@ def recover_modules_from_provider(provider: str, service: str = None) -> list:


 def run_check(check):
-    print(f"\nCheck Name: {check.CheckName}")
+    print(f"\nCheck Name: {check.CheckName} - {Fore.MAGENTA}{check.ServiceName}{Fore.YELLOW}[{check.Severity}]{Style.RESET_ALL}")
    logger.debug(f"Executing check: {check.CheckName}")
    findings = check.execute()
    report(findings)
--- a/lib/outputs.py
+++ b/lib/outputs.py
@@ -2,6 +2,7 @@ from colorama import Fore, Style


 def report(check_findings):
+    check_findings.sort(key=lambda x: x.region)
    for finding in check_findings:
        color = set_report_color(finding.status)
        print(