diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py index 448e37ac..789f49e6 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py @@ -1,6 +1,5 @@ from prowler.lib.check.models import Check, Check_Report_AWS from prowler.providers.aws.services.ec2.ec2_client import ec2_client -from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check): @@ -14,12 +13,9 @@ class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check): report.resource_id = security_group.id report.resource_arn = security_group.arn report.resource_tags = security_group.tags - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group(ingress_rule, "-1", any_address=True): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has all ports open to the Internet." - break + if security_group.public_ports: + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has all ports open to the Internet." findings.append(report) return findings 
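Review bot: The rewritten body makes this check's FAIL depend entirely on `security_group.public_ports`, and the ec2_service.py hunk on this page sets that flag only when the literal string `ec2_securitygroup_allow_ingress_from_internet_to_any_port` appears in `audit_metadata.expected_checks`; if the check is ever executed through a path where it is not listed there, or is renamed without that string being updated, every security group silently comes back as not failing. A check should not need the service to know it is scheduled: computing the flag from the rules alone in the service (it is a property of the resource) and leaving the "was the any-port check scheduled" decision to the per-port checks removes that false-negative path. At minimum make the dependency visible here with a comment such as `# public_ports is only populated by EC2 when this check is in expected_checks; otherwise it is always False`. The enclosing method body starts above this hunk.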
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py index 169a76d6..e38491ba 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018( report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not MongoDB ports 27017 and 27018 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has MongoDB ports 27017 and 27018 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has MongoDB ports 27017 and 27018 open to the Internet." + break findings.append(report) return findings 
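Review bot: When `security_group.public_ports` is true the new guard skips the rule loop but leaves the PASS status and the message `has not MongoDB ports 27017 and 27018 open to the Internet` from the lines above in place, so the report states the opposite of the truth for a group that exposes every port. Either add an `else:` branch that rewrites the message, e.g. `report.status_extended = f"Security group {security_group.name} ({security_group.id}) has all ports open to the Internet, reported by ec2_securitygroup_allow_ingress_from_internet_to_any_port."`, or do not append a report for that group at all; a reader should never see "has not … open" for it. The same pattern is in the FTP, SSH, RDP, Cassandra, Elasticsearch/Kibana, Kafka, Memcached, MySQL, Oracle, Postgres, Redis, SQL Server and Telnet hunks on this page. The enclosing method body starts above this hunk.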
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py index cd00b33e..146e65bf 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21(Check) report.resource_id = security_group.id report.resource_arn = security_group.arn report.resource_tags = security_group.tags - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has FTP ports 20 and 21 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has FTP ports 20 and 21 open to the Internet." + break findings.append(report) return findings 
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py index dc9a0fc5..126bdfe8 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22(Check): report.resource_id = security_group.id report.resource_arn = security_group.arn report.resource_tags = security_group.tags - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has SSH port 22 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has SSH port 22 open to the Internet." + break findings.append(report) return findings 
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py index 9fb2d8ee..4e31ba84 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389(Check): report.resource_id = security_group.id report.resource_arn = security_group.arn report.resource_tags = security_group.tags - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Microsoft RDP port 3389 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Microsoft RDP port 3389 open to the Internet." + break findings.append(report) return findings 
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py
index c5e63622..50228d2a 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py
@@ -17,14 +17,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9 report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Casandra ports 7199, 8888 and 9160 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Casandra ports 7199, 8888 and 9160 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Casandra ports 7199, 8888 and 9160 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py index 53c90b41..6e297323 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py 
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py @@ -17,14 +17,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_ki report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Elasticsearch/Kibana ports 9200, 9300 and 5601 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Elasticsearch/Kibana ports 9200, 9300 and 5601 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Elasticsearch/Kibana ports 9200, 9300 and 5601 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py index 7b0aa892..14be7003 100644 
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092(Check report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Kafka port 9092 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Kafka port 9092 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Kafka port 9092 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py index b63c6d39..1a49204a 100644 
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211( report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Memcached port 11211 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Memcached port 11211 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Memcached port 11211 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py index 85a6f6c5..ad2ddbef 100644 
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py @@ -15,15 +15,16 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306(Check report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not MySQL port 3306 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has MySQL port 3306 open to the Internet." - report.resource_id = security_group.id - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has MySQL port 3306 open to the Internet." + report.resource_id = security_group.id + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py index 75bb4713..db1acd40 100644 
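Review bot: The re-indented FAIL branch in the MySQL hunk still carries `report.resource_id = security_group.id`, which none of the sibling port checks on this page have inside the branch; if, as in those siblings, `resource_id` is already assigned next to `resource_arn` above this hunk (not visible here), the line is a leftover and should be dropped so the FAIL branch only changes status and message. The enclosing method body starts above this hunk.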
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483 report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Oracle ports 1521 and 2483 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Oracle ports 1521 and 2483 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Oracle ports 1521 and 2483 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py index 112febdd..ecbb4c71 100644 
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432(Ch report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Postgres port 5432 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Postgres port 5432 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Postgres port 5432 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py index 023063c8..b091a605 100644 
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379(Check report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Redis port 6379 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Redis port 6379 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Redis port 6379 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py index 12a34c60..9031c49d 100644 
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py @@ -17,14 +17,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_ report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Microsoft SQL Server ports 1433 and 1434 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Microsoft SQL Server ports 1433 and 1434 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Microsoft SQL Server ports 1433 and 1434 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py index 699f8ef9..f70f08e8 100644 
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py @@ -15,14 +15,15 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23(Check) report.resource_tags = security_group.tags report.status = "PASS" report.status_extended = f"Security group {security_group.name} ({security_group.id}) has not Telnet port 23 open to the Internet." - # Loop through every security group's ingress rule and check it - for ingress_rule in security_group.ingress_rules: - if check_security_group( - ingress_rule, "tcp", check_ports, any_address=True - ): - report.status = "FAIL" - report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Telnet port 23 open to the Internet." - break + if not security_group.public_ports: + # Loop through every security group's ingress rule and check it + for ingress_rule in security_group.ingress_rules: + if check_security_group( + ingress_rule, "tcp", check_ports, any_address=True + ): + report.status = "FAIL" + report.status_extended = f"Security group {security_group.name} ({security_group.id}) has Telnet port 23 open to the Internet." + break findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_service.py b/prowler/providers/aws/services/ec2/ec2_service.py index a98c0347..0136c5a7 100644 --- a/prowler/providers/aws/services/ec2/ec2_service.py +++ b/prowler/providers/aws/services/ec2/ec2_service.py 
@@ -8,6 +8,7 @@ from pydantic import BaseModel from prowler.lib.logger import logger from prowler.lib.scan_filters.scan_filters import is_resource_filtered from prowler.providers.aws.aws_provider import generate_regional_clients +from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group ################## EC2 @@ -19,6 +20,7 @@ class EC2: self.audited_account = audit_info.audited_account self.audited_account_arn = audit_info.audited_account_arn self.audit_resources = audit_info.audit_resources + self.audited_checks = audit_info.audit_metadata.expected_checks self.regional_clients = generate_regional_clients(self.service, audit_info) self.instances = [] self.__threading_call__(self.__describe_instances__) @@ -125,6 +127,18 @@ class EC2: if not self.audit_resources or ( is_resource_filtered(arn, self.audit_resources) ): + # check if sg has public access to all ports to reduce noise + all_public_ports = False + for ingress_rule in sg["IpPermissions"]: + if ( + check_security_group( + ingress_rule, "-1", any_address=True + ) + and "ec2_securitygroup_allow_ingress_from_internet_to_any_port" + in self.audited_checks + ): + all_public_ports = True + break self.security_groups.append( SecurityGroup( name=sg["GroupName"], @@ -133,6 +147,7 @@ class EC2: id=sg["GroupId"], ingress_rules=sg["IpPermissions"], egress_rules=sg["IpPermissionsEgress"], + public_ports=all_public_ports, tags=sg.get("Tags"), ) ) @@ -440,6 +455,7 @@ class SecurityGroup(BaseModel): arn: str region: str id: str + public_ports: bool network_interfaces: list[str] = [] ingress_rules: list[dict] egress_rules: list[dict] diff --git a/tests/providers/aws/services/awslambda/awslambda_service_test.py b/tests/providers/aws/services/awslambda/awslambda_service_test.py index 78471528..91eeb91f 100644 --- a/tests/providers/aws/services/awslambda/awslambda_service_test.py +++ b/tests/providers/aws/services/awslambda/awslambda_service_test.py 
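Review bot: In the `@@ -125` hunk the membership test `"ec2_securitygroup_allow_ingress_from_internet_to_any_port" in self.audited_checks` is loop-invariant yet is evaluated for every ingress rule of every group; hoist it, e.g. `any_port_check_scheduled = "ec2_securitygroup_allow_ingress_from_internet_to_any_port" in self.audited_checks`, and skip the loop when it is false. More important, the stored value then describes the scan configuration rather than the group's rules, so any other consumer of `ec2_client.security_groups` reads `public_ports == False` for a wide-open group whenever the any-port check is not in the run; storing the rule result unconditionally and letting the checks decide how to use it keeps the model truthful. The `@@ -19` hunk's `self.audited_checks = audit_info.audit_metadata.expected_checks` also raises AttributeError when `audit_metadata` is None, which the fixture changes on this page suggest was the state of the existing EC2 tests; `getattr(audit_info.audit_metadata, "expected_checks", [])` would keep such callers working. The enclosing `__describe_security_groups__`-style method starts and ends outside the hunk.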
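Review bot: `public_ports: bool` is added to the SecurityGroup model in the `@@ -440` hunk with no default, so every other place that constructs a SecurityGroup (fixtures, tests, future callers) now fails pydantic validation until it supplies the field, while the neighbouring `network_interfaces: list[str] = []` already shows the defaulted style; `public_ports: bool = False` keeps existing constructors valid. The name also reads like a collection of ports rather than a flag; `all_ports_public` would say what it holds, or at least a comment such as `# True when an ingress rule with protocol -1 is open to any address (check_security_group)` next to the field. The class definition starts and ends outside the hunk.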
@@ -90,7 +90,6 @@ class Test_Lambda_Service: mfa_enabled=False, audit_metadata=Audit_Metadata( services_scanned=0, - # We need to set this check to call __list_functions__ expected_checks=["awslambda_function_no_secrets_in_code"], completed_checks=0, audit_progress=0, diff --git a/tests/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public_test.py b/tests/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public_test.py index d780f7b1..27511aea 100644 --- a/tests/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public_test.py +++ b/tests/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public_test.py @@ -4,6 +4,7 @@ from boto3 import client, resource, session from moto import mock_ec2 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info +from prowler.providers.common.models import Audit_Metadata AWS_REGION = "us-east-1" EXAMPLE_AMI_ID = "ami-12c6146b" @@ -32,6 +33,12 @@ class Test_ec2_ami_public: organizations_metadata=None, audit_resources=None, mfa_enabled=False, + audit_metadata=Audit_Metadata( + services_scanned=0, + expected_checks=[], + completed_checks=0, + audit_progress=0, + ), ) return audit_info diff --git a/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py b/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py index 95b95978..ef7256e9 100644 --- a/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py +++ b/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py @@ -5,6 +5,7 @@ from boto3 import client, session from moto import mock_ec2 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info +from prowler.providers.common.models import Audit_Metadata AWS_REGION = "us-east-1" EXAMPLE_AMI_ID = "ami-12c6146b" 
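Review bot: The deleted comment `# We need to set this check to call __list_functions__` was the only explanation of why this fixture lists `awslambda_function_no_secrets_in_code` in `expected_checks`; without it the value looks arbitrary to whoever next trims the list, and the service-side behaviour it documents is exactly what this commit leans on for EC2. Keep the comment, or a shorter form such as `# expected_checks drives which service calls run (see the removed comment's __list_functions__ note)`, above the `expected_checks=` line. The fixture function starts above this hunk.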
@@ -33,6 +34,12 @@ class Test_ec2_ebs_default_encryption:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot_test.py b/tests/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot_test.py
index e49c78ee..14d36150 100644
--- a/tests/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot_test.py
+++ b/tests/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot_test.py
@@ -5,6 +5,7 @@ from mock import patch
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -42,6 +43,12 @@ class Test_ec2_ebs_public_snapshot:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted_test.py b/tests/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted_test.py
index 08232137..c4f86548 100644
--- a/tests/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted_test.py
+++ b/tests/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted_test.py
@@ -5,6 +5,7 @@ from mock import patch
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -42,6 +43,12 @@ class Test_ec2_ebs_snapshots_encrypted:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption_test.py b/tests/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption_test.py
index 812d7209..c04593f2 100644
--- a/tests/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption_test.py
+++ b/tests/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption_test.py
@@ -4,6 +4,7 @@ from boto3 import resource, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -31,6 +32,12 @@ class Test_ec2_ebs_volume_encryption:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan_test.py b/tests/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan_test.py
index 7f44cd58..9645ff03 100644
--- a/tests/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan_test.py
+++ b/tests/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan_test.py
@@ -5,6 +5,7 @@ from moto import mock_ec2
 from prowler.config.config import get_config_var
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 EXAMPLE_AMI_ID = "ami-12c6146b"
 shodan_api_key = get_config_var("shodan_api_key")
@@ -33,6 +34,12 @@ class Test_ec2_elastic_ip_shodan:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_elastic_ip_unassgined/ec2_elastic_ip_unassgined_test.py b/tests/providers/aws/services/ec2/ec2_elastic_ip_unassgined/ec2_elastic_ip_unassgined_test.py
index 0ba6095f..03843483 100644
--- a/tests/providers/aws/services/ec2/ec2_elastic_ip_unassgined/ec2_elastic_ip_unassgined_test.py
+++ b/tests/providers/aws/services/ec2/ec2_elastic_ip_unassgined/ec2_elastic_ip_unassgined_test.py
@@ -5,6 +5,7 @@ from boto3 import client, resource, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -33,6 +34,12 @@ class Test_ec2_elastic_ip_unassgined:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled_test.py b/tests/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled_test.py
index ad791fb7..695df8af 100644
--- a/tests/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled_test.py
+++ b/tests/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled_test.py
@@ -5,6 +5,7 @@ from boto3 import resource, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -33,6 +34,12 @@ class Test_ec2_instance_imdsv2_enabled:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile_test.py b/tests/providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile_test.py
index b21aedd5..812ae11c 100644
--- a/tests/providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile_test.py
+++ b/tests/providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile_test.py
@@ -5,6 +5,7 @@ from boto3 import client, resource, session
 from moto import mock_ec2, mock_iam
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -33,6 +34,12 @@ class Test_ec2_instance_internet_facing_with_instance_profile:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_instance_older_than_specific_days/ec2_instance_older_than_specific_days_test.py b/tests/providers/aws/services/ec2/ec2_instance_older_than_specific_days/ec2_instance_older_than_specific_days_test.py
index 154bcd1e..6c7d3571 100644
--- a/tests/providers/aws/services/ec2/ec2_instance_older_than_specific_days/ec2_instance_older_than_specific_days_test.py
+++ b/tests/providers/aws/services/ec2/ec2_instance_older_than_specific_days/ec2_instance_older_than_specific_days_test.py
@@ -7,6 +7,7 @@ from dateutil.tz import tzutc
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -35,6 +36,12 @@ class Test_ec2_instance_older_than_specific_days:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_instance_profile_attached/ec2_instance_profile_attached_test.py b/tests/providers/aws/services/ec2/ec2_instance_profile_attached/ec2_instance_profile_attached_test.py
index c2fb81fa..60bf9036 100644
--- a/tests/providers/aws/services/ec2/ec2_instance_profile_attached/ec2_instance_profile_attached_test.py
+++ b/tests/providers/aws/services/ec2/ec2_instance_profile_attached/ec2_instance_profile_attached_test.py
@@ -5,6 +5,7 @@ from boto3 import client, resource, session
 from moto import mock_ec2, mock_iam
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -33,6 +34,12 @@ class Test_ec2_instance_profile_attached:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip_test.py b/tests/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip_test.py
index 54498a5b..bd1c4609 100644
--- a/tests/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip_test.py
+++ b/tests/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip_test.py
@@ -5,6 +5,7 @@ from boto3 import resource, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -33,6 +34,12 @@ class Test_ec2_instance_public_ip:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data_test.py b/tests/providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data_test.py
index a1290f13..6e0c1728 100644
--- a/tests/providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data_test.py
+++ b/tests/providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data_test.py
@@ -4,6 +4,7 @@ from boto3 import resource, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -32,6 +33,12 @@ class Test_ec2_instance_secrets_user_data:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port_test.py b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port_test.py
index 115a2874..d3aac6d3 100644
--- a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port_test.py
+++ b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port_test.py
@@ -4,6 +4,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -31,6 +32,12 @@ class ec2_networkacl_allow_ingress_any_port:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22_test.py b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22_test.py
index 3cb2240d..c5183c22 100644
--- a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22_test.py
+++ b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22_test.py
@@ -4,6 +4,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -31,6 +32,12 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_22:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389_test.py b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389_test.py
index e97b429e..05e79ff3 100644
--- a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389_test.py
+++ b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389_test.py
@@ -4,6 +4,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -31,6 +32,12 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_3389:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py
index 2a2b660c..4f4806f2 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,14 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[
+ "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+ ],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py
index 8651457d..e211afaf 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py
index e995c633..f48d9061 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
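Review bot: The MongoDB fixture selects no checks (`expected_checks=[]`), so `public_ports` stays `False` for every group built in this module and the code path this commit adds to per-port checks for groups flagged as wide open is never exercised by their own tests; the same gap applies to every other per-port security-group fixture in this commit (FTP, port 22, port 3389, Cassandra, Elasticsearch, Kafka, Memcached, MySQL, Oracle, PostgreSQL, Redis, SQL Server, Telnet), which all add the same empty list. Add at least one case that puts `"ec2_securitygroup_allow_ingress_from_internet_to_any_port"` in `expected_checks`, creates a group whose ingress rule allows every protocol and port from any address, and asserts the `status` and `status_extended` the per-port check is meant to produce for such a group. Without it a regression in the suppression logic, in either direction, would pass the suite unnoticed.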
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py
index cd0c1e86..c8398cd7 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py
index c9dafa84..608578b5 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py
index 3453805c..676f754e 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py
index fa3ec82f..b48da35c 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py
index 9dfbaaf2..6b927980 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py
index 70d0243f..1dd19b86 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
index 687446e6..2d5f0e49 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
index 36adfc08..53368ead 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
index 55760f63..1609a76f 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
index 0b60b853..b10e9580 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 organizations_metadata=None,
 audit_resources=None,
 mfa_enabled=False,
+ audit_metadata=Audit_Metadata(
+ services_scanned=0,
+ expected_checks=[],
+ completed_checks=0,
+ audit_progress=0,
+ ),
 )
 return audit_info
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
index 6f0c231b..8f7a6cf1 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
index 47f3beeb..19ae1b73 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4_test.py
index cbc1ee7d..39a94740 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_allow_wide_open_public_ipv4:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic_test.py
index 105d062a..82613610 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic_test.py
@@ -4,6 +4,7 @@ from boto3 import client, session
 from moto import mock_ec2
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -31,6 +32,12 @@ class Test_ec2_securitygroup_default_restrict_traffic:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard_test.py
index 6331fcfb..f1d0b833 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard_test.py
@@ -5,6 +5,7 @@ from boto3 import client, resource, session
 from moto import mock_ec2
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -33,6 +34,12 @@ class Test_ec2_securitygroup_from_launch_wizard:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py
index d5b430fb..b14f7a92 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used_test.py
@@ -5,6 +5,7 @@ from boto3 import client, resource, session
 from moto import mock_ec2
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "us-east-1"
 EXAMPLE_AMI_ID = "ami-12c6146b"
@@ -33,6 +34,12 @@ class Test_ec2_securitygroup_not_used:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules_test.py
index 29178d79..ed906de1 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules_test.py
@@ -5,6 +5,7 @@ from boto3 import client, session
 from moto import mock_ec2
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "us-east-1"
 AWS_ACCOUNT_NUMBER = "123456789012"
@@ -32,6 +33,12 @@ class Test_ec2_securitygroup_with_many_ingress_egress_rules:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/ec2/ec2_service_test.py b/tests/providers/aws/services/ec2/ec2_service_test.py
index 8041ffe7..ac6c8414 100644
--- a/tests/providers/aws/services/ec2/ec2_service_test.py
+++ b/tests/providers/aws/services/ec2/ec2_service_test.py
@@ -10,6 +10,7 @@ from moto import mock_ec2
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
 from prowler.providers.aws.services.ec2.ec2_service import EC2
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_ACCOUNT_NUMBER = "123456789012"
 AWS_REGION = "us-east-1"
@@ -40,6 +41,14 @@ class Test_EC2_Service:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[
+                    "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+                ],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
@@ -138,6 +147,15 @@ class Test_EC2_Service:
                 },
             ],
         )["GroupId"]
+        ec2_client.authorize_security_group_ingress(
+            GroupId=sg_id,
+            IpPermissions=[
+                {
+                    "IpProtocol": "-1",
+                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
+                }
+            ],
+        )
         # EC2 client for this test class
         audit_info = self.set_mocked_audit_info()
         ec2 = EC2(audit_info)
@@ -153,7 +171,15 @@ class Test_EC2_Service:
         assert re.match(r"sg-[0-9a-z]{17}", security_group.id)
         assert security_group.region == AWS_REGION
         assert security_group.network_interfaces == []
-        assert security_group.ingress_rules == []
+        assert security_group.ingress_rules == [
+            {
+                "IpProtocol": "-1",
+                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
+                "Ipv6Ranges": [],
+                "PrefixListIds": [],
+                "UserIdGroupPairs": [],
+            }
+        ]
         assert security_group.egress_rules == [
             {
                 "IpProtocol": "-1",
@@ -163,6 +189,7 @@ class Test_EC2_Service:
                 "UserIdGroupPairs": [],
             }
         ]
+        assert security_group.public_ports
         assert security_group.tags == [
             {"Key": "test", "Value": "test"},
         ]
diff --git a/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py b/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py
index 60fcadf3..c52f06a4 100644
--- a/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py
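Review bot: `assert security_group.public_ports` in the last hunk of ec2_service_test.py only checks truthiness, and the one group this test creates now carries the all-protocol `0.0.0.0/0` ingress rule added in the `@@ -138` hunk, so an implementation that set `public_ports` unconditionally would still pass. Pin the value (`assert security_group.public_ports is True`, if the attribute is a bool) and add a negative case: a second group whose only ingress rule is a single TCP port with the same `0.0.0.0/0` source, asserting `not security_group.public_ports`, so that a narrow rule is not reported as wide open. The IPv6 wildcard form (`"Ipv6Ranges": [{"CidrIpv6": "::/0"}]`) is not exercised either; if `public_ports` is meant to cover it, a third fixture would catch a regression there. The enclosing test method starts before the `@@ -138` hunk.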
+++ b/tests/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible_test.py
@@ -7,6 +7,7 @@ from moto.core import DEFAULT_ACCOUNT_ID
 
 from prowler.providers.aws.lib.audit_info.audit_info import AWS_Audit_Info
 from prowler.providers.aws.services.emr.emr_service import Cluster, ClusterStatus, Node
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "eu-west-1"
 
@@ -34,6 +35,12 @@ class Test_emr_cluster_publicly_accesible:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py b/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
index 90cd86f5..79d47d3e 100644
--- a/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
+++ b/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
@@ -6,6 +6,7 @@ from moto import mock_ec2, mock_route53
 from moto.core import DEFAULT_ACCOUNT_ID
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "us-east-1"
 
@@ -34,6 +35,12 @@ class Test_route53_dangling_ip_subdomain_takeover:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 
diff --git a/tests/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips_test.py b/tests/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips_test.py
index 6fcefe25..e9fd4cee 100644
--- a/tests/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips_test.py
+++ b/tests/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips_test.py
@@ -7,6 +7,7 @@ from moto.core import DEFAULT_ACCOUNT_ID
 
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
 from prowler.providers.aws.services.shield.shield_service import Protection
+from prowler.providers.common.models import Audit_Metadata
 
 AWS_REGION = "eu-west-1"
 
@@ -46,6 +47,12 @@ class Test_shield_advanced_protection_in_associated_elastic_ips:
             organizations_metadata=None,
             audit_resources=None,
             mfa_enabled=False,
+            audit_metadata=Audit_Metadata(
+                services_scanned=0,
+                expected_checks=[],
+                completed_checks=0,
+                audit_progress=0,
+            ),
         )
         return audit_info
 