From bbc9e11205d2d3f379dc28da1cb911986ee25cec Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Mon, 30 Jan 2023 16:51:07 +0100
Subject: [PATCH] fix(ec2_securitygroup_not_used): ignore default security groups (#1800)

Co-authored-by: sergargar
---
 .../ec2_securitygroup_not_used.py | 22 ++---
 .../ec2_securitygroup_not_used_test.py | 87 ++++++++-----------
 2 files changed, 49 insertions(+), 60 deletions(-)

diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py
index 92883bb7..209d9b9f 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py
@@ -6,16 +6,18 @@ class ec2_securitygroup_not_used(Check): def execute(self): findings = [] for security_group in ec2_client.security_groups: - report = Check_Report_AWS(self.metadata()) - report.region = security_group.region - report.resource_id = security_group.id - report.resource_arn = security_group.arn - report.status = "PASS" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) it is being used." - if len(security_group.network_interfaces) == 0: - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) it is not being used." + # Default security groups can not be deleted, so ignore them + if security_group.name != "default": + report = Check_Report_AWS(self.metadata()) + report.region = security_group.region + report.resource_id = security_group.id + report.resource_arn = security_group.arn + report.status = "PASS" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) it is being used." + if len(security_group.network_interfaces) == 0: + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) it is not being used." - findings.append(report) + findings.append(report) return findings diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py index 8c12130d..8fd5dfdd 100644 --- a/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py 
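Review bot: The new `if security_group.name != "default":` pushes the whole loop body, including the re-indented `findings.append(report)`, one level deeper; a guard clause keeps `execute` flat: `if security_group.name == "default":` / `    continue  # default SGs cannot be deleted, so they are skipped entirely (no PASS/FAIL report)`, and the surviving `len(security_group.network_interfaces) == 0` reads better as `if not security_group.network_interfaces:`. The comment in the hunk only says default groups cannot be deleted; it should also make explicit that such a group now produces no report at all, since readers of the output may otherwise expect a PASS for it. The name match presumably relies on AWS reserving the group name "default" for a VPC's default group; if the service model ever exposes a more direct default-group indicator, matching on that would be less fragile than a string compare.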
@@ -33,19 +33,18 @@ class Test_ec2_securitygroup_not_used: check = ec2_securitygroup_not_used() result = check.execute() - # One default sg per region - assert len(result) == 3 - # All are unused by default - assert result[0].status == "FAIL" + # Default sg per region are excluded + assert len(result) == 0 @mock_ec2 - def test_ec2_unused_default_sg(self): + def test_ec2_unused_sg(self): # Create EC2 Mocked Resources + ec2 = resource("ec2", AWS_REGION) ec2_client = client("ec2", region_name=AWS_REGION) - ec2_client.create_vpc(CidrBlock="10.0.0.0/16") - default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[ - "SecurityGroups" - ][0]["GroupId"] + vpc_id = ec2_client.create_vpc(CidrBlock="10.0.0.0/16")["Vpc"]["VpcId"] + sg = ec2.create_security_group( + GroupName="test-sg", Description="test", VpcId=vpc_id + ) from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.ec2.ec2_service import EC2 
@@ -65,39 +64,30 @@ class Test_ec2_securitygroup_not_used: check = ec2_securitygroup_not_used() result = check.execute() - # One default sg per region - assert len(result) == 3 - # Search changed sg - for sg in result: - if sg.resource_id == default_sg_id: - assert sg.status == "FAIL" - assert search( - "it is not being used", - sg.status_extended, - ) - assert ( - sg.resource_arn - == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}" - ) + # One custom sg + assert len(result) == 1 + assert result[0].status == "FAIL" + assert search( + "it is not being used", + result[0].status_extended, + ) + assert ( + result[0].resource_arn + == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{sg.id}" + ) @mock_ec2 def test_ec2_used_default_sg(self): # Create EC2 Mocked Resources + ec2 = resource("ec2", AWS_REGION) ec2_client = client("ec2", region_name=AWS_REGION) - ec2_client.create_vpc(CidrBlock="10.0.0.0/16") - default_sg_id = ec2_client.describe_security_groups(GroupNames=["default"])[ - "SecurityGroups" - ][0]["GroupId"] - - ec2 = resource("ec2", region_name=AWS_REGION) - ec2.create_instances( - ImageId=EXAMPLE_AMI_ID, - MinCount=1, - MaxCount=1, - SecurityGroupIds=[ - default_sg_id, - ], + vpc_id = ec2_client.create_vpc(CidrBlock="10.0.0.0/16")["Vpc"]["VpcId"] + sg = ec2.create_security_group( + GroupName="test-sg", Description="test", VpcId=vpc_id ) + subnet = ec2.create_subnet(VpcId=vpc_id, CidrBlock="10.0.0.0/18") + subnet.create_network_interface(Groups=[sg.id]) + from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info from prowler.providers.aws.services.ec2.ec2_service import EC2 
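Review bot: The third test keeps the name `test_ec2_used_default_sg` even though, like the test renamed to `test_ec2_unused_sg` in the previous hunk, it now creates and attaches a custom `test-sg` rather than the default group; rename it to `def test_ec2_used_sg(self):` so the name matches what it exercises. The added `ec2 = resource("ec2", AWS_REGION)` lines pass the region positionally where the removed code used `region_name=AWS_REGION`; the keyword form is clearer and consistent with the neighbouring `client("ec2", region_name=AWS_REGION)`. The `check.execute()` and assertions at the top of this hunk belong to the renamed unused-sg test, whose setup starts in the previous hunk.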
@@ -116,17 +106,14 @@ class Test_ec2_securitygroup_not_used: check = ec2_securitygroup_not_used() result = check.execute() - # One default sg per region - assert len(result) == 3 - # Search changed sg - for sg in result: - if sg.resource_id == default_sg_id: - assert sg.status == "PASS" - assert search( - "it is being used", - sg.status_extended, - ) - assert ( - sg.resource_arn - == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{default_sg_id}" - ) + # One custom sg + assert len(result) == 1 + assert result[0].status == "PASS" + assert search( + "it is being used", + result[0].status_extended, + ) + assert ( + result[0].resource_arn + == f"arn:{current_audit_info.audited_partition}:ec2:{AWS_REGION}:{current_audit_info.audited_account}:security-group/{sg.id}" + )