fix(fms): handle list compliance status error (#3259)

This commit is contained in:
Nacho Rivera
2024-01-12 11:00:07 +01:00
committed by GitHub
parent f127d4a8b1
commit b9a24e0338
3 changed files with 56 additions and 4 deletions


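--- a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py
+++ b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py
@@ -16,7 +16,10 @@ class fms_policy_compliant(Check):
         if fms_client.fms_policies:
             for policy in fms_client.fms_policies:
                 for policy_to_account in policy.compliance_status:
-                    if policy_to_account.status == "NON_COMPLIANT":
+                    if (
+                        policy_to_account.status == "NON_COMPLIANT"
+                        or not policy_to_account.status
+                    ):
                         report.status = "FAIL"
                         report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}."
                         report.resource_id = policy.id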
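Review bot: The new `or not policy_to_account.status` branch fails the check for an empty status, which is the right fail-closed default, but the unchanged `report.status_extended` line that follows still describes the finding as a "non-compliant policy", so an account with no evaluation result yet becomes indistinguishable in the report from one the service actually evaluated as NON_COMPLIANT. Consider a distinct message for the empty case, e.g. `if not policy_to_account.status: report.status_extended = f"FMS policy {policy.name} has no compliance evaluation for account {policy_to_account.account_id}."` before the existing assignment. The enclosing execute method starts and ends outside the hunk, so I cannot see whether the empty case is documented anywhere else in it.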


@@ -69,13 +69,16 @@ class FMS(AWSService):
for fms_compliance_status in page.get( for fms_compliance_status in page.get(
"PolicyComplianceStatusList", [] "PolicyComplianceStatusList", []
): ):
compliance_status = ""
if fms_compliance_status.get("EvaluationResults"):
compliance_status = fms_compliance_status.get(
"EvaluationResults"
)[0].get("ComplianceStatus", "")
fms_policy.compliance_status.append( fms_policy.compliance_status.append(
PolicyAccountComplianceStatus( PolicyAccountComplianceStatus(
account_id=fms_compliance_status.get("MemberAccount"), account_id=fms_compliance_status.get("MemberAccount"),
policy_id=fms_compliance_status.get("PolicyId"), policy_id=fms_compliance_status.get("PolicyId"),
status=fms_compliance_status.get("EvaluationResults")[ status=compliance_status,
0
].get("ComplianceStatus"),
) )
) )
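Review bot: The new `compliance_status = fms_compliance_status.get("EvaluationResults")[0].get("ComplianceStatus", "")` still reads only the first entry of EvaluationResults; since the value is indexed as a list, an account whose first result is COMPLIANT and a later one NON_COMPLIANT would be recorded as compliant. If more than one evaluation result per member account is possible (I cannot confirm that from the hunk), a NON_COMPLIANT entry anywhere in the list should win. The enclosing method starts before the hunk.
```python
                        compliance_status = ""
                        for evaluation in fms_compliance_status.get(
                            "EvaluationResults", []
                        ):
                            status = evaluation.get("ComplianceStatus", "")
                            # one NON_COMPLIANT result decides the account
                            if status == "NON_COMPLIANT":
                                compliance_status = status
                                break
                            compliance_status = compliance_status or status
                        # … unchanged: fms_policy.compliance_status.append(...) …
```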


@@ -199,3 +199,49 @@ class Test_fms_policy_compliant:
assert result[0].resource_id == AWS_ACCOUNT_NUMBER assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == fms_client.audited_account_arn assert result[0].resource_arn == fms_client.audited_account_arn
assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].region == AWS_REGION_US_EAST_1
def test_fms_admin_with_policy_with_null_status(self):
fms_client = mock.MagicMock
fms_client.audited_account = AWS_ACCOUNT_NUMBER
fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
fms_client.region = AWS_REGION_US_EAST_1
fms_client.fms_admin_account = True
fms_client.fms_policies = [
Policy(
arn="arn:aws:fms:us-east-1:12345678901",
id="12345678901",
name="test",
resource_type="AWS::EC2::Instance",
service_type="WAF",
remediation_enabled=True,
delete_unused_managed_resources=True,
compliance_status=[
PolicyAccountComplianceStatus(
account_id="12345678901",
policy_id="12345678901",
status="",
),
],
)
]
with mock.patch(
"prowler.providers.aws.services.fms.fms_service.FMS",
new=fms_client,
):
# Test Check
from prowler.providers.aws.services.fms.fms_policy_compliant.fms_policy_compliant import (
fms_policy_compliant,
)
check = fms_policy_compliant()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}."
)
assert result[0].resource_id == "12345678901"
assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901"
assert result[0].region == AWS_REGION_US_EAST_1
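Review bot: `fms_client = mock.MagicMock` at the top of the new test binds the MagicMock class rather than an instance, so the attributes assigned on the following lines are set on the shared class object and persist for every later test in the process; it should read `fms_client = mock.MagicMock()`. This probably mirrors the other tests in the class, in which case the same fix applies to them. The test name says "null status" but the fixture only uses `status=""`; if the model accepts it, a second case with `status=None` would cover both values the `not policy_to_account.status` branch is meant to catch.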