From f21dcd8122d23006d40da4b62e7eb3a2ea4cf4a5 Mon Sep 17 00:00:00 2001 
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Tue, 6 Feb 2024 10:32:19 +0100 Subject: [PATCH] chore(inspector): refactor `inspector2_findings_exist` check into two (#3338) --- docs/tutorials/ignore-unused-services.md | 2 +- prowler/compliance/aws/ens_rd2022_aws.json | 9 +- prowler/compliance/aws/mitre_attack_aws.json | 12 +- .../__init__.py | 0 ...ctor2_active_findings_exist.metadata.json} | 6 +- .../inspector2_active_findings_exist.py | 33 ++ .../inspector2_is_enabled/__init__.py | 0 .../inspector2_is_enabled.metadata.json | 30 + .../inspector2_is_enabled.py} | 24 +- .../services/inspector2/inspector2_service.py | 4 +- .../inspector2_active_findings_exist_test.py | 303 ++++++++++ .../inspector2_findings_exist_test.py | 538 ------------------ .../inspector2_is_enabled_test.py | 112 ++++ .../inspector2/inspector2_service_test.py | 2 +- 14 files changed, 505 insertions(+), 570 deletions(-) rename prowler/providers/aws/services/inspector2/{inspector2_findings_exist => inspector2_active_findings_exist}/__init__.py (100%) rename prowler/providers/aws/services/inspector2/{inspector2_findings_exist/inspector2_findings_exist.metadata.json => inspector2_active_findings_exist/inspector2_active_findings_exist.metadata.json} (89%) create mode 100644 prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py create mode 100644 prowler/providers/aws/services/inspector2/inspector2_is_enabled/__init__.py create mode 100644 prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.metadata.json rename prowler/providers/aws/services/inspector2/{inspector2_findings_exist/inspector2_findings_exist.py => inspector2_is_enabled/inspector2_is_enabled.py} (62%) create mode 100644 tests/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist_test.py delete mode 100644 
tests/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist_test.py create mode 100644 tests/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled_test.py diff --git a/docs/tutorials/ignore-unused-services.md b/docs/tutorials/ignore-unused-services.md index c6921e55..37668575 100644 --- a/docs/tutorials/ignore-unused-services.md +++ b/docs/tutorials/ignore-unused-services.md @@ -47,7 +47,7 @@ It is a best practice to encrypt both metadata and connection passwords in AWS G #### Inspector Amazon Inspector is a vulnerability discovery service that automates continuous scanning for security vulnerabilities within your Amazon EC2, Amazon ECR, and AWS Lambda environments. Prowler recommends to enable it and resolve all the Inspector's findings. Ignoring the unused services, Prowler will only notify you if there are any Lambda functions, EC2 instances or ECR repositories in the region where Amazon inspector should be enabled. - - `inspector2_findings_exist` + - `inspector2_is_enabled` #### Macie Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in S3 buckets. Prowler will only create a finding when Macie is not enabled if there are S3 buckets in your account. diff --git a/prowler/compliance/aws/ens_rd2022_aws.json b/prowler/compliance/aws/ens_rd2022_aws.json index a9452c3a..5d6a847c 100644 --- a/prowler/compliance/aws/ens_rd2022_aws.json +++ b/prowler/compliance/aws/ens_rd2022_aws.json @@ -814,7 +814,8 @@ } ], "Checks": [ - "inspector2_findings_exist" + "inspector2_is_enabled", + "inspector2_active_findings_exist" ] }, { @@ -1935,7 +1936,8 @@ } ], "Checks": [ - "inspector2_findings_exist" + "inspector2_is_enabled", + "inspector2_active_findings_exist" ] }, { @@ -2010,7 +2012,8 @@ } ], "Checks": [ - "inspector2_findings_exist" + "inspector2_is_enabled", + "inspector2_active_findings_exist" ] }, { 
diff --git a/prowler/compliance/aws/mitre_attack_aws.json b/prowler/compliance/aws/mitre_attack_aws.json index 06551f03..d21edb96 100644 --- a/prowler/compliance/aws/mitre_attack_aws.json +++ b/prowler/compliance/aws/mitre_attack_aws.json @@ -29,7 +29,8 @@ "securityhub_enabled", "elbv2_waf_acl_attached", "guardduty_is_enabled", - "inspector2_findings_exist", + "inspector2_is_enabled", + "inspector2_active_findings_exist", "awslambda_function_not_publicly_accessible", "ec2_instance_public_ip" ], @@ -576,7 +577,8 @@ "config_recorder_all_regions_enabled", "securityhub_enabled", "guardduty_is_enabled", - "inspector2_findings_exist" + "inspector2_is_enabled", + "inspector2_active_findings_exist" ], "Attributes": [ { @@ -737,7 +739,8 @@ "iam_user_hardware_mfa_enabled", "iam_user_mfa_enabled_console_access", "securityhub_enabled", - "inspector2_findings_exist" + "inspector2_is_enabled", + "inspector2_active_findings_exist" ], "Attributes": [ { @@ -1892,7 +1895,8 @@ "networkfirewall_in_all_vpc", "elbv2_waf_acl_attached", "guardduty_is_enabled", - "inspector2_findings_exist", + "inspector2_is_enabled", + "inspector2_active_findings_exist", "ec2_networkacl_allow_ingress_any_port", "ec2_networkacl_allow_ingress_tcp_port_22", "ec2_networkacl_allow_ingress_tcp_port_3389", diff --git a/prowler/providers/aws/services/inspector2/inspector2_findings_exist/__init__.py b/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/__init__.py similarity index 100% rename from prowler/providers/aws/services/inspector2/inspector2_findings_exist/__init__.py rename to prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/__init__.py 
diff --git a/prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.metadata.json b/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.metadata.json similarity index 89% rename from prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.metadata.json rename to prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.metadata.json index b788370d..cc3e35a4 100644 --- a/prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.metadata.json +++ b/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.metadata.json @@ -1,6 +1,6 @@ { "Provider": "aws", - "CheckID": "inspector2_findings_exist", + "CheckID": "inspector2_active_findings_exist", "CheckTitle": "Check if Inspector2 findings exist", "CheckType": [], "ServiceName": "inspector2", @@ -13,13 +13,13 @@ "RelatedUrl": "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html", "Remediation": { "Code": { - "CLI": "aws inspector2 enable", + "CLI": "", "NativeIaC": "", "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html", "Terraform": "" }, "Recommendation": { - "Text": "Enable Inspector2", + "Text": "Review the active findings from Inspector2", "Url": "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html" } }, diff --git a/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py b/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py new file mode 100644 index 00000000..071b92c8 --- /dev/null +++ b/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py 
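Review bot: The renamed metadata still carries `"CheckTitle": "Check if Inspector2 findings exist"` even though the check it now describes only fails on findings in ACTIVE state, so the title understates what a FAIL means; `"CheckTitle": "Check if Inspector2 active findings exist"` would match the new CheckID. Blanking the Remediation CLI is reasonable now that enabling the service belongs to the other check, but the remaining Other link is a generic findings page, and a Recommendation text along the lines of "Review the active findings from Inspector2 and patch or suppress each reported vulnerability" would be more actionable than the current wording. The Description and Risk fields of this file are outside the hunk and presumably need the same wording pass.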
@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.inspector2.inspector2_client import (
+ inspector2_client,
+)
+
+
+class inspector2_active_findings_exist(Check):
+ def execute(self):
+ findings = []
+ for inspector in inspector2_client.inspectors:
+ report = Check_Report_AWS(self.metadata())
+ report.resource_id = inspector.id
+ report.resource_arn = inspector.arn
+ report.region = inspector.region
+ if inspector.status == "ENABLED":
+ active_findings = 0
+ report.status = "PASS"
+ report.status_extended = "Inspector2 is enabled with no findings."
+ for finding in inspector.findings:
+ if finding.status == "ACTIVE":
+ active_findings += 1
+ if len(inspector.findings) > 0:
+ report.status_extended = (
+ "Inspector2 is enabled with no active findings."
+ )
+ if active_findings > 0:
+ report.status = "FAIL"
+ report.status_extended = (
+ f"There are {active_findings} ACTIVE Inspector2 findings."
+ )
+ findings.append(report)
+
+ return findings
diff --git a/prowler/providers/aws/services/inspector2/inspector2_is_enabled/__init__.py b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.metadata.json b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.metadata.json
new file mode 100644
index 00000000..20941c76
--- /dev/null
+++ b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.metadata.json
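Review bot: The ACTIVE tally in `execute` is a hand-rolled counter followed by a `len(inspector.findings) > 0` test; `active_findings = sum(1 for f in inspector.findings if f.status == "ACTIVE")` together with `if inspector.findings:` expresses the same thing without the nested loop. The check also treats every non-ACTIVE status (CLOSED and SUPPRESSED alike) as resolved, so a region where all findings were suppressed by a suppression rule reports PASS "with no active findings"; that is defensible, but a comment such as `# SUPPRESSED findings are deliberately not counted: suppression rules record an accepted-risk decision` would stop the next reader from taking it for an oversight. Whether `inspector.findings` is the complete list or a first page depends on the service code, which is not in this hunk.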
@@ -0,0 +1,30 @@
+{
+ "Provider": "aws",
+ "CheckID": "inspector2_is_enabled",
+ "CheckTitle": "Check if Inspector2 is enabled",
+ "CheckType": [],
+ "ServiceName": "inspector2",
+ "SubServiceName": "",
+ "ResourceIdTemplate": "arn:aws:inspector2:region:account-id/detector-id",
+ "Severity": "medium",
+ "ResourceType": "Other",
+ "Description": "Check if Inspector2 is enabled",
+ "Risk": "Without using AWS Inspector, you may not be aware of all the security vulnerabilities in your AWS resources, which could lead to unauthorized access, data breaches, or other security incidents.",
+ "RelatedUrl": "https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html",
+ "Remediation": {
+ "Code": {
+ "CLI": "aws inspector2 enable",
+ "NativeIaC": "",
+ "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Inspector/amazon-inspector-findings.html",
+ "Terraform": ""
+ },
+ "Recommendation": {
+ "Text": "Enable Inspector2",
+ "Url": "https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html"
+ }
+ },
+ "Categories": [],
+ "DependsOn": [],
+ "RelatedTo": [],
+ "Notes": ""
+}
diff --git a/prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.py b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py
similarity index 62%
rename from prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.py
rename to prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py
index e8fd5d2f..570fcb5d 100644
--- a/prowler/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist.py
+++ b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py
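Review bot: `"ResourceIdTemplate": "arn:aws:inspector2:region:account-id/detector-id"` does not describe the ARN this same patch makes the service build (`arn:{partition}:inspector2:{region}:{account}:inspector2`), and "detector-id" is GuardDuty vocabulary that Inspector2 has no counterpart for; `"ResourceIdTemplate": "arn:partition:inspector2:region:account-id:inspector2"` would match the emitted value. For an enablement check the `RelatedUrl` pointing at the findings-understanding page is also a poor fit; the what-is-inspector page already used under Recommendation is the better reference. The `aws inspector2 enable` CLI line has no `--resource-types` argument, so a reader following it gets the API's usage error; the full form is worth spelling out or linking.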
@@ -7,31 +7,17 @@ from prowler.providers.aws.services.inspector2.inspector2_client import ( ) -class inspector2_findings_exist(Check): +class inspector2_is_enabled(Check): def execute(self): findings = [] for inspector in inspector2_client.inspectors: report = Check_Report_AWS(self.metadata()) - report.resource_id = inspector2_client.audited_account - report.resource_arn = inspector2_client.audited_account_arn + report.resource_id = inspector.id + report.resource_arn = inspector.arn report.region = inspector.region if inspector.status == "ENABLED": - active_findings = 0 report.status = "PASS" - report.status_extended = "Inspector2 is enabled with no findings." - for finding in inspector.findings: - if finding.status == "ACTIVE": - active_findings += 1 - if len(inspector.findings) > 0: - report.status_extended = ( - "Inspector2 is enabled with no active findings." - ) - if active_findings > 0: - report.status = "FAIL" - report.status_extended = ( - f"There are {active_findings} ACTIVE Inspector2 findings." - ) - findings.append(report) + report.status_extended = "Inspector2 is enabled." else: if inspector2_client.audit_info.ignore_unused_services: funtions_in_region = False @@ -49,6 +35,6 @@ class inspector2_findings_exist(Check): ): report.status = "FAIL" report.status_extended = "Inspector2 is not enabled." - findings.append(report) + findings.append(report) return findings diff --git a/prowler/providers/aws/services/inspector2/inspector2_service.py b/prowler/providers/aws/services/inspector2/inspector2_service.py index b984e40f..1de8f313 100644 --- a/prowler/providers/aws/services/inspector2/inspector2_service.py +++ b/prowler/providers/aws/services/inspector2/inspector2_service.py 
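Review bot: The second hunk moves `findings.append(report)` out from under the `if (` guard to loop level, so a report is now appended for every inspector, including the disabled case where `ignore_unused_services` is on and the region holds no workloads; in that path neither branch assigns `report.status`, so unless `Check_Report_AWS` supplies a usable default (not visible here) the check emits a finding with an empty status. Keep the append under the guard as it was, or `continue` when the guard is false, so that the ignored-region case produces no report. `execute` starts before the first hunk, the body of the `else:` branch between the two hunks is not shown, and the `funtions_in_region` context line carries a pre-existing typo that could be fixed while the file is being renamed anyway.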
@@ -23,7 +23,8 @@ class Inspector2(AWSService): ][0] self.inspectors.append( Inspector( - id=self.audited_account, + id="Inspector2", + arn=f"arn:{self.audited_partition}:inspector2:{regional_client.region}:{self.audited_account}:inspector2", status=batch_get_account_status.get("state").get("status"), region=regional_client.region, ) @@ -80,6 +81,7 @@ class InspectorFinding(BaseModel): class Inspector(BaseModel): id: str + arn: str region: str status: str findings: list[InspectorFinding] = [] diff --git a/tests/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist_test.py b/tests/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist_test.py new file mode 100644 index 00000000..787ee70d --- /dev/null +++ b/tests/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist_test.py 
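Review bot: The ARN built in the first hunk, `arn:{partition}:inspector2:{region}:{account}:inspector2`, is a synthetic identifier (Inspector2 exposes no account-level resource ARN), which is fine for a per-region finding key but is undocumented and disagrees with both the `ResourceIdTemplate` shipped in the new metadata and the test fixtures, which construct `Inspector(id=AWS_ACCOUNT_NUMBER, ...)` while this hunk sets `id="Inspector2"`. A comment on the `arn=` line such as `# synthetic ARN: Inspector2 has no account-level resource ARN; one Inspector object per region` would record the decision, and the fixtures should use the same id the service produces so the `resource_id` assertions test real output. `self.audited_partition` is presumably set by `AWSService`; its constructor is outside the hunk, so confirm it exists on every provider path.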
@@ -0,0 +1,303 @@ +from unittest import mock + +from prowler.providers.aws.services.inspector2.inspector2_service import ( + Inspector, + InspectorFinding, +) +from tests.providers.aws.audit_info_utils import ( + AWS_ACCOUNT_NUMBER, + AWS_REGION_EU_WEST_1, + set_mocked_aws_audit_info, +) + +FINDING_ARN = ( + "arn:aws:inspector2:us-east-1:123456789012:finding/0e436649379db5f327e3cf5bb4421d76" +) + + +class Test_inspector2_active_findings_exist: + def test_enabled_no_finding(self): + # Mock the inspector2 client + inspector2_client = mock.MagicMock + + inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + inspector2_client.audited_account = AWS_ACCOUNT_NUMBER + inspector2_client.audited_account_arn = ( + f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + ) + inspector2_client.region = AWS_REGION_EU_WEST_1 + inspector2_client.inspectors = [ + Inspector( + id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2", + status="ENABLED", + region=AWS_REGION_EU_WEST_1, + findings=[], + ) + ] + current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client", + new=inspector2_client, + ): + + # Test Check + from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import ( + inspector2_active_findings_exist, + ) + + check = inspector2_active_findings_exist() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "Inspector2 is enabled with no findings." 
+ ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + + def test_enabled_with_no_active_finding(self): + # Mock the inspector2 client + inspector2_client = mock.MagicMock + + inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + inspector2_client.audited_account = AWS_ACCOUNT_NUMBER + inspector2_client.audited_account_arn = ( + f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + ) + inspector2_client.region = AWS_REGION_EU_WEST_1 + inspector2_client.inspectors = [ + Inspector( + id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2", + region=AWS_REGION_EU_WEST_1, + status="ENABLED", + findings=[ + InspectorFinding( + arn=FINDING_ARN, + region=AWS_REGION_EU_WEST_1, + severity="MEDIUM", + status="NOT_ACTIVE", + title="CVE-2022-40897 - setuptools", + ) + ], + ) + ] + current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client", + new=inspector2_client, + ): + + # Test Check + from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import ( + inspector2_active_findings_exist, + ) + + check = inspector2_active_findings_exist() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "Inspector2 is enabled with no active findings." 
+ ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + + def test_enabled_with_active_finding(self): + # Mock the inspector2 client + inspector2_client = mock.MagicMock + + inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + inspector2_client.audited_account = AWS_ACCOUNT_NUMBER + inspector2_client.audited_account_arn = ( + f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + ) + inspector2_client.region = AWS_REGION_EU_WEST_1 + inspector2_client.inspectors = [ + Inspector( + id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2", + region=AWS_REGION_EU_WEST_1, + status="ENABLED", + findings=[ + InspectorFinding( + arn=FINDING_ARN, + region=AWS_REGION_EU_WEST_1, + severity="MEDIUM", + status="ACTIVE", + title="CVE-2022-40897 - setuptools", + ) + ], + ) + ] + current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client", + new=inspector2_client, + ): + + # Test Check + from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import ( + inspector2_active_findings_exist, + ) + + check = inspector2_active_findings_exist() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "There are 1 ACTIVE Inspector2 findings." 
+ ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + + def test_enabled_with_active_and_closed_findings(self): + # Mock the inspector2 client + inspector2_client = mock.MagicMock + + inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + inspector2_client.audited_account = AWS_ACCOUNT_NUMBER + inspector2_client.audited_account_arn = ( + f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + ) + inspector2_client.region = AWS_REGION_EU_WEST_1 + inspector2_client.inspectors = [ + Inspector( + id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2", + region=AWS_REGION_EU_WEST_1, + status="ENABLED", + findings=[ + InspectorFinding( + arn=FINDING_ARN, + region=AWS_REGION_EU_WEST_1, + severity="MEDIUM", + status="ACTIVE", + title="CVE-2022-40897 - setuptools", + ), + InspectorFinding( + arn=FINDING_ARN, + region=AWS_REGION_EU_WEST_1, + severity="MEDIUM", + status="CLOSED", + title="CVE-2022-27404 - freetype", + ), + ], + ) + ] + current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client", + new=inspector2_client, + ): + + # Test Check + from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import ( + inspector2_active_findings_exist, + ) + + check = inspector2_active_findings_exist() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "There are 1 ACTIVE Inspector2 findings." 
+ ) + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + + def test_inspector2_disabled_ignoring(self): + # Mock the inspector2 client + inspector2_client = mock.MagicMock + awslambda_client = mock.MagicMock + awslambda_client.functions = {} + ecr_client = mock.MagicMock + ecr_client.registries = {} + ecr_client.registries[AWS_REGION_EU_WEST_1] = mock.MagicMock + ecr_client.registries[AWS_REGION_EU_WEST_1].repositories = [] + ec2_client = mock.MagicMock + ec2_client.instances = [] + ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + inspector2_client.audit_info.ignore_unused_services = True + inspector2_client.audited_account = AWS_ACCOUNT_NUMBER + inspector2_client.audited_account_arn = ( + f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + ) + inspector2_client.region = AWS_REGION_EU_WEST_1 + inspector2_client.inspectors = [ + Inspector( + id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2", + status="DISABLED", + region=AWS_REGION_EU_WEST_1, + findings=[], + ) + ] + current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist.inspector2_client", + new=inspector2_client, + ): + + # Test Check + from prowler.providers.aws.services.inspector2.inspector2_active_findings_exist.inspector2_active_findings_exist import ( + 
inspector2_active_findings_exist, + ) + + check = inspector2_active_findings_exist() + result = check.execute() + + assert len(result) == 0 diff --git a/tests/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist_test.py b/tests/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist_test.py deleted file mode 100644 index fd855fb5..00000000 --- a/tests/providers/aws/services/inspector2/inspector2_findings_exist/inspector2_findings_exist_test.py +++ /dev/null 
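Review bot: Every test assigns `inspector2_client = mock.MagicMock` — the class, not an instance — so the attributes set on it (`inspectors`, `audit_info`, `region`) live on the shared `MagicMock` class and leak between tests and other test modules; `inspector2_client = mock.MagicMock()` isolates each case. In `test_inspector2_disabled_ignoring` the `awslambda_client`, `ecr_client` and `ec2_client` mocks are built but never patched in, and the check under test does not reference them, so they can be dropped. The fixtures also set `Inspector(id=AWS_ACCOUNT_NUMBER, ...)` whereas the service in this patch sets `id="Inspector2"`, so the `resource_id == AWS_ACCOUNT_NUMBER` assertions pass against a value the real service never produces.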
@@ -1,538 +0,0 @@ -from unittest import mock - -from prowler.providers.aws.services.ecr.ecr_service import Repository -from prowler.providers.aws.services.inspector2.inspector2_service import ( - Inspector, - InspectorFinding, -) -from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_NUMBER, - AWS_REGION_EU_WEST_1, - set_mocked_aws_audit_info, -) - -FINDING_ARN = ( - "arn:aws:inspector2:us-east-1:123456789012:finding/0e436649379db5f327e3cf5bb4421d76" -) - - -class Test_inspector2_findings_exist: - def test_inspector2_disabled(self): - # Mock the inspector2 client - inspector2_client = mock.MagicMock - awslambda_client = mock.MagicMock - ecr_client = mock.MagicMock - ec2_client = mock.MagicMock - ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audited_account = AWS_ACCOUNT_NUMBER - inspector2_client.audited_account_arn = ( - f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - inspector2_client.region = AWS_REGION_EU_WEST_1 - inspector2_client.inspectors = [ - Inspector( - id=AWS_ACCOUNT_NUMBER, - status="DISABLED", - region=AWS_REGION_EU_WEST_1, - findings=[], - ) - ] - current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - - with mock.patch( - "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", - new=current_audit_info, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client", - new=inspector2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client", - new=ecr_client, - ): - with mock.patch( - 
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client", - new=ec2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client", - new=awslambda_client, - ): - # Test Check - from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import ( - inspector2_findings_exist, - ) - - check = inspector2_findings_exist() - result = check.execute() - - assert len(result) == 1 - assert result[0].status == "FAIL" - assert ( - result[0].status_extended - == "Inspector2 is not enabled." - ) - assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert ( - result[0].resource_arn - == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - assert result[0].region == AWS_REGION_EU_WEST_1 - - def test_enabled_no_finding(self): - # Mock the inspector2 client - inspector2_client = mock.MagicMock - awslambda_client = mock.MagicMock - ecr_client = mock.MagicMock - ec2_client = mock.MagicMock - ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audited_account = AWS_ACCOUNT_NUMBER - inspector2_client.audited_account_arn = ( - f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - inspector2_client.region = AWS_REGION_EU_WEST_1 - inspector2_client.inspectors = [ - Inspector( - id=AWS_ACCOUNT_NUMBER, - status="ENABLED", - region=AWS_REGION_EU_WEST_1, - findings=[], - ) - ] - current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - - with mock.patch( - "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", - new=current_audit_info, - ): - with mock.patch( - 
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client", - new=inspector2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client", - new=ecr_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client", - new=ec2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client", - new=awslambda_client, - ): - # Test Check - from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import ( - inspector2_findings_exist, - ) - - check = inspector2_findings_exist() - result = check.execute() - - assert len(result) == 1 - assert result[0].status == "PASS" - assert ( - result[0].status_extended - == "Inspector2 is enabled with no findings." - ) - assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert ( - result[0].resource_arn - == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - assert result[0].region == AWS_REGION_EU_WEST_1 - - def test_enabled_with_no_active_finding(self): - # Mock the inspector2 client - inspector2_client = mock.MagicMock - awslambda_client = mock.MagicMock - ecr_client = mock.MagicMock - ec2_client = mock.MagicMock - ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audited_account = AWS_ACCOUNT_NUMBER - inspector2_client.audited_account_arn = ( - f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - inspector2_client.region = AWS_REGION_EU_WEST_1 - inspector2_client.inspectors = [ - Inspector( - id=AWS_ACCOUNT_NUMBER, - 
region=AWS_REGION_EU_WEST_1, - status="ENABLED", - findings=[ - InspectorFinding( - arn=FINDING_ARN, - region=AWS_REGION_EU_WEST_1, - severity="MEDIUM", - status="NOT_ACTIVE", - title="CVE-2022-40897 - setuptools", - ) - ], - ) - ] - current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - - with mock.patch( - "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", - new=current_audit_info, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client", - new=inspector2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client", - new=ecr_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client", - new=ec2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client", - new=awslambda_client, - ): - # Test Check - from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import ( - inspector2_findings_exist, - ) - - check = inspector2_findings_exist() - result = check.execute() - - assert len(result) == 1 - assert result[0].status == "PASS" - assert ( - result[0].status_extended - == "Inspector2 is enabled with no active findings." 
- ) - assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert ( - result[0].resource_arn - == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - assert result[0].region == AWS_REGION_EU_WEST_1 - - def test_enabled_with_active_finding(self): - # Mock the inspector2 client - inspector2_client = mock.MagicMock - awslambda_client = mock.MagicMock - ecr_client = mock.MagicMock - ec2_client = mock.MagicMock - ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audited_account = AWS_ACCOUNT_NUMBER - inspector2_client.audited_account_arn = ( - f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - inspector2_client.region = AWS_REGION_EU_WEST_1 - inspector2_client.inspectors = [ - Inspector( - id=AWS_ACCOUNT_NUMBER, - region=AWS_REGION_EU_WEST_1, - status="ENABLED", - findings=[ - InspectorFinding( - arn=FINDING_ARN, - region=AWS_REGION_EU_WEST_1, - severity="MEDIUM", - status="ACTIVE", - title="CVE-2022-40897 - setuptools", - ) - ], - ) - ] - current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - - with mock.patch( - "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", - new=current_audit_info, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client", - new=inspector2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client", - new=ecr_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client", - new=ec2_client, - ): - with mock.patch( - 
"prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client", - new=awslambda_client, - ): - # Test Check - from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import ( - inspector2_findings_exist, - ) - - check = inspector2_findings_exist() - result = check.execute() - - assert len(result) == 1 - assert result[0].status == "FAIL" - assert ( - result[0].status_extended - == "There are 1 ACTIVE Inspector2 findings." - ) - assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert ( - result[0].resource_arn - == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - assert result[0].region == AWS_REGION_EU_WEST_1 - - def test_enabled_with_active_and_closed_findings(self): - # Mock the inspector2 client - inspector2_client = mock.MagicMock - awslambda_client = mock.MagicMock - ecr_client = mock.MagicMock - ec2_client = mock.MagicMock - ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audited_account = AWS_ACCOUNT_NUMBER - inspector2_client.audited_account_arn = ( - f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - inspector2_client.region = AWS_REGION_EU_WEST_1 - inspector2_client.inspectors = [ - Inspector( - id=AWS_ACCOUNT_NUMBER, - region=AWS_REGION_EU_WEST_1, - status="ENABLED", - findings=[ - InspectorFinding( - arn=FINDING_ARN, - region=AWS_REGION_EU_WEST_1, - severity="MEDIUM", - status="ACTIVE", - title="CVE-2022-40897 - setuptools", - ), - InspectorFinding( - arn=FINDING_ARN, - region=AWS_REGION_EU_WEST_1, - severity="MEDIUM", - status="CLOSED", - title="CVE-2022-27404 - freetype", - ), - ], - ) - ] - current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - - with 
mock.patch( - "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", - new=current_audit_info, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client", - new=inspector2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client", - new=ecr_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client", - new=ec2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client", - new=awslambda_client, - ): - # Test Check - from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import ( - inspector2_findings_exist, - ) - - check = inspector2_findings_exist() - result = check.execute() - - assert len(result) == 1 - assert result[0].status == "FAIL" - assert ( - result[0].status_extended - == "There are 1 ACTIVE Inspector2 findings." 
- ) - assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert ( - result[0].resource_arn - == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - assert result[0].region == AWS_REGION_EU_WEST_1 - - def test_inspector2_disabled_ignoring(self): - # Mock the inspector2 client - inspector2_client = mock.MagicMock - awslambda_client = mock.MagicMock - awslambda_client.functions = {} - ecr_client = mock.MagicMock - ecr_client.registries = {} - ecr_client.registries[AWS_REGION_EU_WEST_1] = mock.MagicMock - ecr_client.registries[AWS_REGION_EU_WEST_1].repositories = [] - ec2_client = mock.MagicMock - ec2_client.instances = [] - ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info.ignore_unused_services = True - inspector2_client.audited_account = AWS_ACCOUNT_NUMBER - inspector2_client.audited_account_arn = ( - f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - inspector2_client.region = AWS_REGION_EU_WEST_1 - inspector2_client.inspectors = [ - Inspector( - id=AWS_ACCOUNT_NUMBER, - status="DISABLED", - region=AWS_REGION_EU_WEST_1, - findings=[], - ) - ] - current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - - with mock.patch( - "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", - new=current_audit_info, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client", - new=inspector2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client", - new=ecr_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client", - 
new=ec2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client", - new=awslambda_client, - ): - # Test Check - from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import ( - inspector2_findings_exist, - ) - - check = inspector2_findings_exist() - result = check.execute() - - assert len(result) == 0 - - def test_inspector2_disabled_ignoring_with_resources(self): - # Mock the inspector2 client - inspector2_client = mock.MagicMock - awslambda_client = mock.MagicMock - awslambda_client.functions = {} - ecr_client = mock.MagicMock - ecr_client.registries = {} - ecr_client.registries[AWS_REGION_EU_WEST_1] = mock.MagicMock - repository_name = "test_repo" - repository_arn = ( - f"arn:aws:ecr:eu-west-1:{AWS_ACCOUNT_NUMBER}:repository/{repository_name}" - ) - repo_policy_public = { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ECRRepositoryPolicy", - "Effect": "Allow", - "Principal": { - "AWS": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/username" - }, - "Action": ["ecr:DescribeImages", "ecr:DescribeRepositories"], - } - ], - } - ecr_client.registries[AWS_REGION_EU_WEST_1].repositories = [ - Repository( - name=repository_name, - arn=repository_arn, - region=AWS_REGION_EU_WEST_1, - scan_on_push=True, - policy=repo_policy_public, - images_details=None, - lifecycle_policy="test-policy", - ) - ] - ec2_client = mock.MagicMock - ec2_client.instances = [] - ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - inspector2_client.audit_info.ignore_unused_services = True - inspector2_client.audited_account = AWS_ACCOUNT_NUMBER - inspector2_client.audited_account_arn = ( - 
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - inspector2_client.region = AWS_REGION_EU_WEST_1 - inspector2_client.inspectors = [ - Inspector( - id=AWS_ACCOUNT_NUMBER, - status="DISABLED", - region=AWS_REGION_EU_WEST_1, - findings=[], - ) - ] - current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - - with mock.patch( - "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", - new=current_audit_info, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.inspector2_client", - new=inspector2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ecr_client", - new=ecr_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.ec2_client", - new=ec2_client, - ): - with mock.patch( - "prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist.awslambda_client", - new=awslambda_client, - ): - # Test Check - from prowler.providers.aws.services.inspector2.inspector2_findings_exist.inspector2_findings_exist import ( - inspector2_findings_exist, - ) - - check = inspector2_findings_exist() - result = check.execute() - assert len(result) == 1 - assert result[0].status == "FAIL" - assert ( - result[0].status_extended - == "Inspector2 is not enabled." - ) - assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert ( - result[0].resource_arn - == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" - ) - assert result[0].region == AWS_REGION_EU_WEST_1 diff --git a/tests/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled_test.py b/tests/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled_test.py new file mode 100644 index 00000000..895a1f31 --- /dev/null +++ b/tests/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled_test.py 
@@ -0,0 +1,112 @@
+from unittest import mock
+
+from prowler.providers.aws.services.inspector2.inspector2_service import Inspector
+from tests.providers.aws.audit_info_utils import (
+ AWS_ACCOUNT_NUMBER,
+ AWS_REGION_EU_WEST_1,
+ set_mocked_aws_audit_info,
+)
+
+FINDING_ARN = (
+ "arn:aws:inspector2:us-east-1:123456789012:finding/0e436649379db5f327e3cf5bb4421d76"
+)
+
+
+class Test_inspector2_is_enabled:
+ def test_inspector2_disabled(self):
+ # Mock the inspector2 client
+ inspector2_client = mock.MagicMock
+ awslambda_client = mock.MagicMock
+ ecr_client = mock.MagicMock
+ ec2_client = mock.MagicMock
+ ec2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
+ ecr_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
+ awslambda_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
+ inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
+ inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
+ inspector2_client.audited_account_arn = (
+ f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ )
+ inspector2_client.region = AWS_REGION_EU_WEST_1
+ inspector2_client.inspectors = [
+ Inspector(
+ id=AWS_ACCOUNT_NUMBER,
+ arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
+ status="DISABLED",
+ region=AWS_REGION_EU_WEST_1,
+ findings=[],
+ )
+ ]
+ current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
+
+ with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ):
+ with mock.patch(
+ "prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled.inspector2_client",
+ new=inspector2_client,
+ ):
+ # Test Check
+ from prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled import (
+ inspector2_is_enabled,
+ )
+
+ check = inspector2_is_enabled()
+ result = check.execute()
+
+ assert len(result) == 1
+ assert result[0].status == "FAIL"
+ assert result[0].status_extended == "Inspector2 is not enabled."
+ assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
+ )
+ assert result[0].region == AWS_REGION_EU_WEST_1
+
+ def test_enabled_no_finding(self):
+ # Mock the inspector2 client
+ inspector2_client = mock.MagicMock
+ inspector2_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
+ inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
+ inspector2_client.audited_account_arn = (
+ f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ )
+ inspector2_client.region = AWS_REGION_EU_WEST_1
+ inspector2_client.inspectors = [
+ Inspector(
+ id=AWS_ACCOUNT_NUMBER,
+ arn=f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2",
+ status="ENABLED",
+ region=AWS_REGION_EU_WEST_1,
+ findings=[],
+ )
+ ]
+ current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
+
+ with mock.patch(
+ "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+ new=current_audit_info,
+ ):
+ with mock.patch(
+ "prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled.inspector2_client",
+ new=inspector2_client,
+ ):
+ # Test Check
+ from prowler.providers.aws.services.inspector2.inspector2_is_enabled.inspector2_is_enabled import (
+ inspector2_is_enabled,
+ )
+
+ check = inspector2_is_enabled()
+ result = check.execute()
+
+ assert len(result) == 1
+ assert result[0].status == "PASS"
+ assert result[0].status_extended == "Inspector2 is enabled."
+ assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:inspector2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:inspector2"
+ )
+ assert result[0].region == AWS_REGION_EU_WEST_1
diff --git a/tests/providers/aws/services/inspector2/inspector2_service_test.py b/tests/providers/aws/services/inspector2/inspector2_service_test.py
index 4071506a..3babd887 100644
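Review bot: `inspector2_client = mock.MagicMock` (and the three sibling clients in `test_inspector2_disabled`) binds the MagicMock class rather than an instance, so every `inspector2_client.<attr> = …` that follows mutates `unittest.mock.MagicMock` itself and leaks that state into any other test in the same process; `inspector2_client = mock.MagicMock()` gives each test its own object. The `awslambda_client`, `ecr_client` and `ec2_client` mocks in that first test are never patched into the check and can be dropped, as the second test already does, and `FINDING_ARN` is defined but unused in this file. The fixture builds `Inspector(id=AWS_ACCOUNT_NUMBER, …)` and asserts `result[0].resource_id == AWS_ACCOUNT_NUMBER`, while the service test changed in this same commit now expects the service to emit `id == "Inspector2"`; if the check reports `inspector.id` as `resource_id`, the assertion here passes only because of the hand-built fixture and would not match real output, so the fixture id should probably follow what the service produces.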
--- a/tests/providers/aws/services/inspector2/inspector2_service_test.py
+++ b/tests/providers/aws/services/inspector2/inspector2_service_test.py
@@ -101,7 +101,7 @@ class Test_Inspector2_Service:
 audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1])
 inspector2 = Inspector2(audit_info)
 assert len(inspector2.inspectors) == 1
- assert inspector2.inspectors[0].id == AWS_ACCOUNT_NUMBER
+ assert inspector2.inspectors[0].id == "Inspector2"
 assert inspector2.inspectors[0].region == AWS_REGION_EU_WEST_1
 assert inspector2.inspectors[0].status == "ENABLED"