diff --git a/docs/developer-guide/checks.md b/docs/developer-guide/checks.md index 7a4347e2..b9353773 100644 --- a/docs/developer-guide/checks.md +++ b/docs/developer-guide/checks.md @@ -125,7 +125,7 @@ All the checks MUST fill the `report.resource_id` and `report.resource_arn` with - Resource ARN -- `report.resource_arn` - AWS Account --> Root ARN `arn:aws:iam::123456789012:root` - AWS Resource --> Resource ARN - - Root resource --> Root ARN `arn:aws:iam::123456789012:root` + - Root resource --> Resource Type ARN `f"arn:{service_client.audited_partition}::{service_client.region}:{service_client.audited_account}:"` - GCP - Resource ID -- `report.resource_id` - GCP Resource --> Resource ID diff --git a/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py b/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py index e2b6e4f8..3823b95a 100644 --- a/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py +++ b/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py @@ -17,7 +17,7 @@ class backup_plans_exist(Check): report = Check_Report_AWS(self.metadata()) report.status = "FAIL" report.status_extended = "No Backup Plan exist." - report.resource_arn = backup_client.audited_account_arn + report.resource_arn = backup_client.backup_plan_arn_template report.resource_id = backup_client.audited_account report.region = backup_client.region findings.append(report) diff --git a/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py b/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py index 9870b90b..fac8ee4f 100644 --- a/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py +++ b/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py 
@@ -10,7 +10,7 @@ class backup_reportplans_exist(Check): report = Check_Report_AWS(self.metadata()) report.status = "FAIL" report.status_extended = "No Backup Report Plan exist." - report.resource_arn = backup_client.audited_account_arn + report.resource_arn = backup_client.report_plan_arn_template report.resource_id = backup_client.audited_account report.region = backup_client.region if backup_client.backup_report_plans: diff --git a/prowler/providers/aws/services/backup/backup_service.py b/prowler/providers/aws/services/backup/backup_service.py index 7b42c2e1..6be3f9ac 100644 --- a/prowler/providers/aws/services/backup/backup_service.py +++ b/prowler/providers/aws/services/backup/backup_service.py @@ -13,6 +13,9 @@ class Backup(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.backup_plan_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:backup-plan" + self.report_plan_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:report-plan" + self.backup_vault_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:backup-vault" self.backup_vaults = [] self.__threading_call__(self.__list_backup_vaults__) self.backup_plans = [] diff --git a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py index 4da46592..0c50e635 100644 --- a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py +++ b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py 
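Review bot: The three `*_arn_template` strings added to `Backup.__init__` are placeholder resource-type ARNs (nothing follows the final colon), and nothing in the hunk says so; a consumer that treats `report.resource_arn` as a real ARN will never resolve it to a resource. A one-line comment above them, `# Resource-type ARN placeholders for findings that have no concrete resource (empty resource segment)`, would make that explicit. The docs hunk at the top of this diff documents the same convention with an empty service field (`arn:{partition}::{region}:{account}:`), which does not match the `backup` service and `backup-plan`/`report-plan`/`backup-vault` suffixes built here, so one of the two should be aligned. The three lines also repeat the same prefix and run well past the width the rest of this diff is wrapped at; a small helper such as `def __arn_template__(self, resource): return f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:{resource}"` would remove the repetition.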
@@ -8,7 +8,7 @@ class backup_vaults_exist(Check): report = Check_Report_AWS(self.metadata()) report.status = "FAIL" report.status_extended = "No Backup Vault exist." - report.resource_arn = backup_client.audited_account_arn + report.resource_arn = backup_client.backup_vault_arn_template report.resource_id = backup_client.audited_account report.region = backup_client.region if backup_client.backup_vaults: diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py index 42539d3d..14900819 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py @@ -32,7 +32,9 @@ class cloudtrail_multi_region_enabled(Check): report.status_extended = ( "No CloudTrail trails enabled and logging were found." ) - report.resource_arn = cloudtrail_client.audited_account_arn + report.resource_arn = ( + cloudtrail_client.__get_trail_arn_template__(region) + ) report.resource_id = cloudtrail_client.audited_account # If there are no trails logging it is needed to store the FAIL once all the trails have been checked if report.status == "FAIL": diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py index 341a90d7..eef88a2c 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py 
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py @@ -14,7 +14,7 @@ class cloudtrail_multi_region_enabled_logging_management_events(Check): ) report.region = cloudtrail_client.region report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.resource_arn = cloudtrail_client.trail_arn_template for trail in cloudtrail_client.trails: if trail.is_logging: diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py index 6b63bd49..bfb5e105 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py @@ -54,7 +54,7 @@ class cloudtrail_s3_dataevents_read_enabled(Check): ): report = Check_Report_AWS(self.metadata()) report.region = cloudtrail_client.region - report.resource_arn = cloudtrail_client.audited_account_arn + report.resource_arn = cloudtrail_client.trail_arn_template report.resource_id = cloudtrail_client.audited_account report.status = "FAIL" report.status_extended = "No CloudTrail trails have a data event to record all S3 object-level API operations." diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py index 425f78f8..bc0d6088 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py 
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py @@ -54,7 +54,7 @@ class cloudtrail_s3_dataevents_write_enabled(Check): ): report = Check_Report_AWS(self.metadata()) report.region = cloudtrail_client.region - report.resource_arn = cloudtrail_client.audited_account_arn + report.resource_arn = cloudtrail_client.trail_arn_template report.resource_id = cloudtrail_client.audited_account report.status = "FAIL" report.status_extended = "No CloudTrail trails have a data event to record all S3 object-level API operations." diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_service.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_service.py index 8d225dd5..77809da2 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_service.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_service.py @@ -14,6 +14,7 @@ class Cloudtrail(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.trail_arn_template = f"arn:{self.audited_partition}:cloudtrail:{self.region}:{self.audited_account}:trail" self.trails = [] self.__threading_call__(self.__get_trails__) self.__get_trail_status__() @@ -21,6 +22,13 @@ class Cloudtrail(AWSService): self.__get_event_selectors__() self.__list_tags_for_resource__() + def __get_trail_arn_template__(self, region): + return ( + f"arn:{self.audited_partition}:cloudtrail:{region}:{self.audited_account}:trail" + if region + else f"arn:{self.audited_partition}:cloudtrail:{self.region}:{self.audited_account}:trail" + ) + def __get_trails__(self, regional_client): logger.info("Cloudtrail - Getting trails...") try: 
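Review bot: `__get_trail_arn_template__` repeats the f-string that `__init__` already assigns to `self.trail_arn_template`, so the two formats can drift apart; its `else` branch is exactly that attribute. Collapsing the body to `return f"arn:{self.audited_partition}:cloudtrail:{region or self.region}:{self.audited_account}:trail"` keeps the falsy-region fallback and removes the duplicate. The same attribute-plus-method duplication appears in the dlm_service.py and drs_service.py hunks later in this diff, where `self.lifecycle_policy_arn_template` and `self.recovery_job_arn_template` could instead be assigned from the new methods with `self.region`. A short docstring stating that `region` may be empty and then falls back to the service's default region would also help, since the caller in cloudtrail_multi_region_enabled passes its own `region` value.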
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py index 6bf9e6f3..21ad6c6f 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py @@ -20,9 +20,9 @@ class cloudwatch_changes_to_network_acls_alarm_configured(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py index 2ad693d1..1c8d4099 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py 
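Review bot: The three removed lines are the only visible references to `cloudwatch_client` in cloudwatch_changes_to_network_acls_alarm_configured, and the replacements reference `logs_client` instead; if the file's import block (outside this hunk) still imports `cloudwatch_client` and does not already import `logs_client`, the former is now an unused import and the latter a NameError the first time the check runs. Worth confirming the import block was updated in each affected file, since `check_cloudwatch_log_metric_filter` may already take a `logs_client` argument that is cut off by the hunk. The same substitution is made in the network_gateways, network_route_tables, vpcs, aws_config_configuration_changes, cloudtrail_configuration_changes, authentication_failures, aws_organizations_changes, kms_cmk, s3_bucket_policy_changes, policy_changes, root_usage, security_group_changes, sign_in_without_mfa and unauthorized_api_calls hunks below, and this note applies to all of them. The enclosing method body starts and ends outside the hunk.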
@@ -20,9 +20,9 @@ class cloudwatch_changes_to_network_gateways_alarm_configured(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py index c220af9e..f602d2a7 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py @@ -20,9 +20,9 @@ class cloudwatch_changes_to_network_route_tables_alarm_configured(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, 
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py index 41b20039..82afeb1f 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py @@ -20,9 +20,9 @@ class cloudwatch_changes_to_vpcs_alarm_configured(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py index 1f4d5934..c41954e8 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py 
@@ -8,7 +8,7 @@ class cloudwatch_cross_account_sharing_disabled(Check): report = Check_Report_AWS(self.metadata()) report.status = "PASS" report.status_extended = "CloudWatch doesn't allow cross-account sharing." - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.role_arn_template report.resource_id = iam_client.audited_account report.region = iam_client.region for role in iam_client.roles: diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py index 57791fd8..6cc439fe 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py @@ -22,9 +22,9 @@ class cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_change report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, 
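Review bot: `iam_client.role_arn_template` is read on the new line, but no hunk in this diff adds a `role_arn_template` attribute to the IAM service, whereas the backup, cloudtrail, logs, dlm and drs services each get theirs in this same commit; if iam_service.py is not changed elsewhere, this check raises AttributeError before producing any finding. If the attribute already exists upstream, a sentence in the commit description saying so would save the next reader the search. The enclosing method continues outside the hunk.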
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py index 90e8fcfa..b6c440d4 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py @@ -22,9 +22,9 @@ class cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_change report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py index 17c627f1..d70c602b 100644 
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py @@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_authentication_failures(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py index b4a49a90..6a700cc3 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py 
@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_aws_organizations_changes(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py index cb963ca1..f2bc3433 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py @@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk(Chec report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, 
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py index 1e80b5d2..b21f2cd0 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py @@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_for_s3_bucket_policy_changes(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py index b33e9425..b5f121e3 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py 
@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_policy_changes(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py index 4c78c4de..027c6d02 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py @@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_root_usage(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, 
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py index e87275a5..a9efd8e0 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py @@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_security_group_changes(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py index bfa69df3..42f0450c 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py 
@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_sign_in_without_mfa(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py index a9a96fa7..f05133c1 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py @@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_unauthorized_api_calls(Check): report.status_extended = ( "No CloudWatch log groups found with metric filters or alarms associated." ) - report.region = cloudwatch_client.region - report.resource_id = cloudtrail_client.audited_account - report.resource_arn = cloudtrail_client.audited_account_arn + report.region = logs_client.region + report.resource_id = logs_client.audited_account + report.resource_arn = logs_client.log_group_arn_template report = check_cloudwatch_log_metric_filter( pattern, cloudtrail_client.trails, diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_service.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_service.py index e3097ea9..e395207c 100644 
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_service.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_service.py @@ -67,6 +67,7 @@ class Logs(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.log_group_arn_template = f"arn:{self.audited_partition}:logs:{self.region}:{self.audited_account}:log-group" self.metric_filters = [] self.log_groups = [] self.__threading_call__(self.__describe_metric_filters__) diff --git a/prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py b/prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py index 5e4b86a5..56d0afa4 100644 --- a/prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py +++ b/prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py @@ -8,9 +8,9 @@ class config_recorder_all_regions_enabled(Check): for recorder in config_client.recorders: report = Check_Report_AWS(self.metadata()) report.region = recorder.region - report.resource_arn = ( - config_client.audited_account_arn - ) # Config Recorders do not have ARNs + report.resource_arn = config_client.__get_recorder_arn_template__( + recorder.region + ) report.resource_id = ( config_client.audited_account if not recorder.name else recorder.name ) diff --git a/prowler/providers/aws/services/config/config_service.py b/prowler/providers/aws/services/config/config_service.py index 5e6df4c0..3d0cbb30 100644 --- a/prowler/providers/aws/services/config/config_service.py +++ b/prowler/providers/aws/services/config/config_service.py 
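Review bot: The removed assignment in config_recorder_all_regions_enabled carried the comment `# Config Recorders do not have ARNs`, and the replacement drops it even though the new value is still a constructed placeholder rather than an ARN the service returns; keeping the rationale on the line above, `# Config Recorders have no real ARN; emit the per-region resource-type placeholder`, tells the next reader why a `recorder` ARN with no name is reported. When `recorder.name` is empty, `resource_id` still falls back to the account id while `resource_arn` is now per-region, so two regions without a named recorder yield findings with the same resource_id and different ARNs; probably intended, but worth a word in the commit description. The enclosing loop body continues outside the hunk.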
@@ -15,6 +15,9 @@ class Config(AWSService): self.recorders = [] self.__threading_call__(self.__describe_configuration_recorder_status__) + def __get_recorder_arn_template__(self, region): + return f"arn:{self.audited_partition}:config:{region}:{self.audited_account}:recorder" + def __describe_configuration_recorder_status__(self, regional_client): logger.info("Config - Listing Recorders...") try: diff --git a/prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py b/prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py index 0786018a..99541e88 100644 --- a/prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py +++ b/prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py @@ -16,7 +16,9 @@ class dlm_ebs_snapshot_lifecycle_policy_exists(Check): report.status_extended = "No EBS Snapshot lifecycle policies found." report.region = region report.resource_id = dlm_client.audited_account - report.resource_arn = dlm_client.audited_account_arn + report.resource_arn = dlm_client.__get_lifecycle_policy_arn_template__( + region + ) if dlm_client.lifecycle_policies[region]: report.status = "PASS" report.status_extended = "EBS snapshot lifecycle policies found." diff --git a/prowler/providers/aws/services/dlm/dlm_service.py b/prowler/providers/aws/services/dlm/dlm_service.py index 1c620a44..507b5b62 100644 --- a/prowler/providers/aws/services/dlm/dlm_service.py +++ b/prowler/providers/aws/services/dlm/dlm_service.py 
@@ -9,9 +9,15 @@ class DLM(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.lifecycle_policy_arn_template = f"arn:{self.audited_partition}:dlm:{self.region}:{self.audited_account}:policy" self.lifecycle_policies = {} self.__threading_call__(self.__get_lifecycle_policies__) + def __get_lifecycle_policy_arn_template__(self, region): + return ( + f"arn:{self.audited_partition}:dlm:{region}:{self.audited_account}:policy" + ) + def __get_lifecycle_policies__(self, regional_client): logger.info("DLM - Getting EBS Snapshots Lifecycle Policies...") try: diff --git a/prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py b/prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py index 9a65dea7..6330f1e7 100644 --- a/prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py +++ b/prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py @@ -11,7 +11,9 @@ class drs_job_exist(Check): report.status_extended = "DRS is not enabled for this region." report.region = drs.region report.resource_tags = [] - report.resource_arn = drs_client.audited_account_arn + report.resource_arn = drs_client.__get_recovery_job_arn_template__( + drs.region + ) report.resource_id = drs_client.audited_account if drs.status == "ENABLED": report.status_extended = "DRS is enabled for this region without jobs." diff --git a/prowler/providers/aws/services/drs/drs_service.py b/prowler/providers/aws/services/drs/drs_service.py index 3fe4ad1b..663267b2 100644 --- a/prowler/providers/aws/services/drs/drs_service.py +++ b/prowler/providers/aws/services/drs/drs_service.py 
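Review bot: `DLM.__init__` now builds `self.lifecycle_policy_arn_template` from the same f-string that `__get_lifecycle_policy_arn_template__` returns, while the dlm_ebs_snapshot_lifecycle_policy_exists hunk calls the method rather than reading the attribute, so the two copies will drift silently if the service namespace or resource segment ever changes. Derive one from the other: `self.lifecycle_policy_arn_template = self.__get_lifecycle_policy_arn_template__(self.region)`. The same duplicated attribute/method pair appears in the DRS, EC2 and EMR service hunks below.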
@@ -11,9 +11,13 @@ class DRS(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.recovery_job_arn_template = f"arn:{self.audited_partition}:drs:{self.region}:{self.audited_account}:recovery-job" self.drs_services = [] self.__threading_call__(self.__describe_jobs__) + def __get_recovery_job_arn_template__(self, region): + return f"arn:{self.audited_partition}:drs:{region}:{self.audited_account}:recovery-job" + def __describe_jobs__(self, regional_client): logger.info("DRS - Describe Jobs...") try: diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py b/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py index a208d1ff..8341b012 100644 --- a/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py +++ b/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py @@ -8,7 +8,9 @@ class ec2_ebs_default_encryption(Check): for ebs_encryption in ec2_client.ebs_encryption_by_default: report = Check_Report_AWS(self.metadata()) report.region = ebs_encryption.region - report.resource_arn = ec2_client.audited_account_arn + report.resource_arn = ec2_client.__get_volume_arn_template__( + ebs_encryption.region + ) report.resource_id = ec2_client.audited_account if ebs_encryption.status: report.status = "PASS" diff --git a/prowler/providers/aws/services/ec2/ec2_service.py b/prowler/providers/aws/services/ec2/ec2_service.py index bb1863bd..ac600d0e 100644 --- a/prowler/providers/aws/services/ec2/ec2_service.py +++ b/prowler/providers/aws/services/ec2/ec2_service.py 
@@ -15,6 +15,7 @@ class EC2(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.volume_arn_template = f"arn:{self.audited_partition}:ec2:{self.region}:{self.audited_account}:volume" self.instances = [] self.__threading_call__(self.__describe_instances__) self.__threading_call__(self.__get_instance_user_data__, self.instances) @@ -40,6 +41,11 @@ class EC2(AWSService): self.elastic_ips = [] self.__threading_call__(self.__describe_ec2_addresses__) + def __get_volume_arn_template__(self, region): + return ( + f"arn:{self.audited_partition}:ec2:{region}:{self.audited_account}:volume" + ) + def __describe_instances__(self, regional_client): try: describe_instances_paginator = regional_client.get_paginator( diff --git a/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py b/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py index 339d2657..e1ebd20f 100644 --- a/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py +++ b/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py @@ -9,7 +9,7 @@ class emr_cluster_account_public_block_enabled(Check): report = Check_Report_AWS(self.metadata()) report.region = region report.resource_id = emr_client.audited_account - report.resource_arn = emr_client.audited_account_arn + report.resource_arn = emr_client.__get_cluster_arn_template__(region) if emr_client.block_public_access_configuration[ region ].block_public_security_group_rules: diff --git a/prowler/providers/aws/services/emr/emr_service.py b/prowler/providers/aws/services/emr/emr_service.py index 577e02b2..8f73a0a9 100644 --- a/prowler/providers/aws/services/emr/emr_service.py +++ b/prowler/providers/aws/services/emr/emr_service.py 
@@ -14,12 +14,16 @@ class EMR(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.cluster_arn_template = f"arn:{self.audited_partition}:elasticmapreduce:{self.region}:{self.audited_account}:cluster" self.clusters = {} self.block_public_access_configuration = {} self.__threading_call__(self.__list_clusters__) self.__threading_call__(self.__describe_cluster__) self.__threading_call__(self.__get_block_public_access_configuration__) + def __get_cluster_arn_template__(self, region): + return f"arn:{self.audited_partition}:elasticmapreduce:{region}:{self.audited_account}:cluster" + def __list_clusters__(self, regional_client): logger.info("EMR - Listing Clusters...") try: diff --git a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py index bfb9b698..9c94974c 100644 --- a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py +++ b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py @@ -7,7 +7,7 @@ class fms_policy_compliant(Check): findings = [] if fms_client.fms_admin_account: report = Check_Report_AWS(self.metadata()) - report.resource_arn = fms_client.audited_account_arn + report.resource_arn = fms_client.policy_arn_template report.resource_id = fms_client.audited_account report.region = fms_client.region report.status = "PASS" diff --git a/prowler/providers/aws/services/fms/fms_service.py b/prowler/providers/aws/services/fms/fms_service.py index 241c5ec5..a241b44b 100644 --- a/prowler/providers/aws/services/fms/fms_service.py +++ b/prowler/providers/aws/services/fms/fms_service.py 
@@ -11,6 +11,7 @@ class FMS(AWSService): def __init__(self, audit_info): # # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info, global_service=True) + self.policy_arn_template = f"arn:{self.audited_partition}:fms:{self.region}:{self.audited_account}:policy" self.fms_admin_account = True self.fms_policies = [] self.__list_policies__() diff --git a/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py index f71b4a0b..03ae1e80 100644 --- a/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py @@ -10,7 +10,9 @@ class glue_data_catalogs_connection_passwords_encryption_enabled(Check): if encryption.tables or not glue_client.audit_info.ignore_unused_services: report = Check_Report_AWS(self.metadata()) report.resource_id = glue_client.audited_account - report.resource_arn = glue_client.audited_account_arn + report.resource_arn = glue_client.__get_data_catalog_arn_template__( + encryption.region + ) report.region = encryption.region report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py index 6ed906cc..49aef592 100644 --- a/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py 
+++ b/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py @@ -10,7 +10,9 @@ class glue_data_catalogs_metadata_encryption_enabled(Check): if encryption.tables or not glue_client.audit_info.ignore_unused_services: report = Check_Report_AWS(self.metadata()) report.resource_id = glue_client.audited_account - report.resource_arn = glue_client.audited_account_arn + report.resource_arn = glue_client.__get_data_catalog_arn_template__( + encryption.region + ) report.region = encryption.region report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/glue/glue_service.py b/prowler/providers/aws/services/glue/glue_service.py index 24be4f59..3ce647ac 100644 --- a/prowler/providers/aws/services/glue/glue_service.py +++ b/prowler/providers/aws/services/glue/glue_service.py @@ -25,6 +25,9 @@ class Glue(AWSService): self.jobs = [] self.__threading_call__(self.__get_jobs__) + def __get_data_catalog_arn_template__(self, region): + return f"arn:{self.audited_partition}:glue:{region}:{self.audited_account}:data-catalog" + def __get_connections__(self, regional_client): logger.info("Glue - Getting connections...") try: diff --git a/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py b/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py index ca3f938c..ebb79f14 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py 
@@ -7,7 +7,7 @@ class iam_password_policy_expires_passwords_within_90_days_or_less(Check): findings = [] report = Check_Report_AWS(self.metadata()) report.region = iam_client.region - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.password_policy_arn_template report.resource_id = iam_client.audited_account # Check if password policy exists if iam_client.password_policy: diff --git a/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py b/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py index 69b5d999..4d7d5212 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py @@ -7,7 +7,7 @@ class iam_password_policy_lowercase(Check): findings = [] report = Check_Report_AWS(self.metadata()) report.region = iam_client.region - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.password_policy_arn_template report.resource_id = iam_client.audited_account # Check if password policy exists if iam_client.password_policy: diff --git a/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py b/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py index 5364c68a..74e9443d 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py 
@@ -7,7 +7,7 @@ class iam_password_policy_minimum_length_14(Check): findings = [] report = Check_Report_AWS(self.metadata()) report.region = iam_client.region - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.password_policy_arn_template report.resource_id = iam_client.audited_account # Check if password policy exists if iam_client.password_policy: diff --git a/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py b/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py index 899f677c..22f6f6d7 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py @@ -7,7 +7,7 @@ class iam_password_policy_number(Check): findings = [] report = Check_Report_AWS(self.metadata()) report.region = iam_client.region - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.password_policy_arn_template report.resource_id = iam_client.audited_account # Check if password policy exists if iam_client.password_policy: diff --git a/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py b/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py index 2fb37fbb..e06ce4e5 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py 
@@ -7,7 +7,7 @@ class iam_password_policy_reuse_24(Check): findings = [] report = Check_Report_AWS(self.metadata()) report.region = iam_client.region - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.password_policy_arn_template report.resource_id = iam_client.audited_account # Check if password policy exists if iam_client.password_policy: diff --git a/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py b/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py index b49cc786..d5d83cc7 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py @@ -7,7 +7,7 @@ class iam_password_policy_symbol(Check): findings = [] report = Check_Report_AWS(self.metadata()) report.region = iam_client.region - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.password_policy_arn_template report.resource_id = iam_client.audited_account # Check if password policy exists if iam_client.password_policy: diff --git a/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py b/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py index 2dee186a..176dfabc 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py 
@@ -7,7 +7,7 @@ class iam_password_policy_uppercase(Check): findings = [] report = Check_Report_AWS(self.metadata()) report.region = iam_client.region - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.password_policy_arn_template report.resource_id = iam_client.audited_account # Check if password policy exists if iam_client.password_policy: diff --git a/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py b/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py index f7483180..82f4b120 100644 --- a/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py +++ b/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py @@ -12,7 +12,7 @@ class iam_root_hardware_mfa_enabled(Check): report = Check_Report_AWS(self.metadata()) report.region = iam_client.region report.resource_id = "" - report.resource_arn = iam_client.audited_account_arn + report.resource_arn = iam_client.mfa_arn_template if iam_client.account_summary["SummaryMap"]["AccountMFAEnabled"] > 0: virtual_mfas = iam_client.virtual_mfa_devices diff --git a/prowler/providers/aws/services/iam/iam_service.py b/prowler/providers/aws/services/iam/iam_service.py index ce8a5038..d6adc7fc 100644 --- a/prowler/providers/aws/services/iam/iam_service.py +++ b/prowler/providers/aws/services/iam/iam_service.py 
@@ -51,6 +51,11 @@ class IAM(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.role_arn_template = f"arn:{self.audited_partition}:iam:{self.region}:{self.audited_account}:role" + self.password_policy_arn_template = f"arn:{self.audited_partition}:iam:{self.region}:{self.audited_account}:password-policy" + self.mfa_arn_template = ( + f"arn:{self.audited_partition}:iam:{self.region}:{self.audited_account}:mfa" + ) self.users = self.__get_users__() self.roles = self.__get_roles__() self.account_summary = self.__get_account_summary__() diff --git a/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py b/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py index eeb1d134..ab40f262 100644 --- a/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py +++ b/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py @@ -9,7 +9,9 @@ class macie_is_enabled(Check): for session in macie_client.sessions: report = Check_Report_AWS(self.metadata()) report.region = session.region - report.resource_arn = macie_client.audited_account_arn + report.resource_arn = macie_client.__get_session_arn_template__( + session.region + ) report.resource_id = macie_client.audited_account if session.status == "ENABLED": report.status = "PASS" diff --git a/prowler/providers/aws/services/macie/macie_service.py b/prowler/providers/aws/services/macie/macie_service.py index 4831aaf8..8f0f1fb3 100644 --- a/prowler/providers/aws/services/macie/macie_service.py +++ b/prowler/providers/aws/services/macie/macie_service.py 
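Review bot: The three IAM templates interpolate `{self.region}` into the region field, but IAM is a global service whose ARNs carry an empty region — the existing `audited_account_arn` value used in the tests further down, `arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root`, shows the shape — so a consumer that parses or pattern-matches `resource_arn` will see a form that never occurs for real IAM resources. Consider `f"arn:{self.audited_partition}:iam::{self.audited_account}:password-policy"` and the same empty region slot for `role_arn_template` and `mfa_arn_template`. `role_arn_template` is not referenced by any hunk in this diff, so it may be unused as of this commit.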
@@ -12,6 +12,9 @@ class Macie(AWSService): self.sessions = [] self.__threading_call__(self.__get_macie_session__) + def __get_session_arn_template__(self, region): + return f"arn:{self.audited_partition}:macie:{region}:{self.audited_account}:session" + def __get_macie_session__(self, regional_client): logger.info("Macie - Get Macie Session...") try: diff --git a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py index fde1b4ca..3e993a27 100644 --- a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py +++ b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py @@ -13,7 +13,7 @@ class resourceexplorer2_indexes_found(Check): report.region = resource_explorer_2_client.region report.resource_arn = "NoResourceExplorer" report.resource_id = resource_explorer_2_client.audited_account - report.resource_arn = resource_explorer_2_client.audited_account_arn + report.resource_arn = resource_explorer_2_client.index_arn_template if resource_explorer_2_client.indexes: report.region = resource_explorer_2_client.indexes[0].region report.resource_arn = resource_explorer_2_client.indexes[0].arn diff --git a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_service.py b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_service.py index f81b7144..24ef4848 100644 --- a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_service.py +++ b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_service.py 
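Review bot: `__get_session_arn_template__` uses `macie` as the service segment; I believe the ARN namespace AWS assigns to the current Macie API is `macie2`, which is also what the boto3 client name elsewhere in this service is likely to be, so please verify the segment against the documented ARN format before this placeholder reaches finding consumers. If `macie2` is correct, the fix is the single string `f"arn:{self.audited_partition}:macie2:{region}:{self.audited_account}:session"`.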
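Review bot: In resourceexplorer2_indexes_found the new `report.resource_arn = resource_explorer_2_client.index_arn_template` immediately overwrites the context line `report.resource_arn = "NoResourceExplorer"` two lines above, so that earlier assignment is a dead store that a reader has to reason away. Since the new line is what makes it dead, this hunk is the place to remove it. The check's `execute` body starts and ends outside the hunk.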
@@ -10,6 +10,7 @@ class ResourceExplorer2(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__("resource-explorer-2", audit_info) + self.index_arn_template = f"arn:{self.audited_partition}:resource-explorer:{self.region}:{self.audited_account}:index" self.indexes = [] self.__threading_call__(self.__list_indexes__) diff --git a/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py b/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py index 1374c727..6ea4155c 100644 --- a/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py +++ b/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py @@ -16,14 +16,14 @@ class s3_account_level_public_access_blocks(Check): report.status_extended = f"Block Public Access is configured for the account {s3control_client.audited_account}." report.region = s3control_client.region report.resource_id = s3control_client.audited_account - report.resource_arn = s3control_client.audited_account_arn + report.resource_arn = s3_client.account_arn_template findings.append(report) elif s3_client.buckets or not s3_client.audit_info.ignore_unused_services: report.status = "FAIL" report.status_extended = f"Block Public Access is not configured for the account {s3control_client.audited_account}." report.region = s3control_client.region report.resource_id = s3control_client.audited_account - report.resource_arn = s3control_client.audited_account_arn + report.resource_arn = s3_client.account_arn_template findings.append(report) return findings diff --git a/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py b/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py index c6a41763..0042d219 100644 
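Review bot: `index_arn_template` uses `resource-explorer` as the service segment while the client two lines above is created with `"resource-explorer-2"`; the ARN namespace AWS uses for this service is `resource-explorer-2`, and the real index ARNs that resourceexplorer2_indexes_found substitutes in when `indexes` is non-empty presumably carry that prefix, so the placeholder would not even share a prefix with the values it stands in for. Suggest `self.index_arn_template = f"arn:{self.audited_partition}:resource-explorer-2:{self.region}:{self.audited_account}:index"`.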
--- a/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py +++ b/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py @@ -17,7 +17,7 @@ class s3_bucket_public_access(Check): report.status_extended = "All S3 public access blocked at account level." report.region = s3control_client.region report.resource_id = s3_client.audited_account - report.resource_arn = s3_client.audited_account_arn + report.resource_arn = s3_client.account_arn_template findings.append(report) else: # 2. If public access is not blocked at account level, check it at each bucket level diff --git a/prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py b/prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py index 66a07819..aa613201 100644 --- a/prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py +++ b/prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py @@ -17,7 +17,7 @@ class s3_bucket_public_list_acl(Check): report.status_extended = "All S3 public access blocked at account level." report.region = s3control_client.region report.resource_id = s3_client.audited_account - report.resource_arn = s3_client.audited_account_arn + report.resource_arn = s3_client.account_arn_template findings.append(report) else: # 2. If public access is not blocked at account level, check it at each bucket level diff --git a/prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py b/prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py index 2693c3c4..5a32c168 100644 --- a/prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py +++ b/prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py 
@@ -17,7 +17,7 @@ class s3_bucket_public_write_acl(Check): report.status_extended = "All S3 public access blocked at account level." report.region = s3control_client.region report.resource_id = s3_client.audited_account - report.resource_arn = s3_client.audited_account_arn + report.resource_arn = s3_client.account_arn_template findings.append(report) else: # 2. If public access is not blocked at account level, check it at each bucket level diff --git a/prowler/providers/aws/services/s3/s3_service.py b/prowler/providers/aws/services/s3/s3_service.py index aa05cc62..7c703c08 100644 --- a/prowler/providers/aws/services/s3/s3_service.py +++ b/prowler/providers/aws/services/s3/s3_service.py @@ -15,6 +15,7 @@ class S3(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__(__class__.__name__, audit_info) + self.account_arn_template = f"arn:{self.audited_partition}:s3:{self.region}:{self.audited_account}:account" self.regions_with_buckets = [] self.buckets = self.__list_buckets__(audit_info) self.__threading_call__(self.__get_bucket_versioning__) diff --git a/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py b/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py index 9abd68e5..912e1a31 100644 --- a/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py +++ b/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py 
@@ -10,7 +10,7 @@ class ssmincidents_enabled_with_plans(Check): report = Check_Report_AWS(self.metadata()) report.status = "FAIL" report.status_extended = "No SSM Incidents replication set exists." - report.resource_arn = ssmincidents_client.audited_account_arn + report.resource_arn = ssmincidents_client.replication_set_arn_template report.resource_id = ssmincidents_client.audited_account report.region = ssmincidents_client.region if ssmincidents_client.replication_set: diff --git a/prowler/providers/aws/services/ssmincidents/ssmincidents_service.py b/prowler/providers/aws/services/ssmincidents/ssmincidents_service.py index 1be0c546..07052cb9 100644 --- a/prowler/providers/aws/services/ssmincidents/ssmincidents_service.py +++ b/prowler/providers/aws/services/ssmincidents/ssmincidents_service.py @@ -17,6 +17,7 @@ class SSMIncidents(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__("ssm-incidents", audit_info) + self.replication_set_arn_template = f"arn:{self.audited_partition}:ssm-incidents:{self.region}:{self.audited_account}:replication-set" self.replication_set = [] self.__list_replication_sets__() self.__get_replication_set__() diff --git a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py index 980735d8..31890de8 100644 --- a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py +++ b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py 
@@ -16,6 +16,7 @@ class trustedadvisor_errors_and_warnings(Check): report = Check_Report_AWS(self.metadata()) report.region = check.region report.resource_id = check.id + report.resource_arn = check.arn report.status = "FAIL" report.status_extended = f"Trusted Advisor check {check.name} is in state {check.status}." if check.status == "ok": @@ -26,7 +27,7 @@ class trustedadvisor_errors_and_warnings(Check): report.status = "INFO" report.status_extended = "Amazon Web Services Premium Support Subscription is required to use this service." report.resource_id = trustedadvisor_client.audited_account - report.resource_arn = trustedadvisor_client.audited_account_arn + report.resource_arn = trustedadvisor_client.account_arn_template report.region = trustedadvisor_client.region findings.append(report) diff --git a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py index 691f2080..8d045cf4 100644 --- a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py +++ b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py @@ -15,7 +15,7 @@ class trustedadvisor_premium_support_plan_subscribed(Check): ) report.region = trustedadvisor_client.region report.resource_id = trustedadvisor_client.audited_account - report.resource_arn = trustedadvisor_client.audited_account_arn + report.resource_arn = trustedadvisor_client.account_arn_template if trustedadvisor_client.premium_support.enabled: report.status = "PASS" report.status_extended = ( 
diff --git a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py index 33e0b01e..32bdc5ab 100644 --- a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py +++ b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py @@ -12,6 +12,7 @@ class TrustedAdvisor(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__("support", audit_info) + self.account_arn_template = f"arn:{self.audited_partition}:trusted-advisor:{self.region}:{self.audited_account}:account" self.checks = [] self.premium_support = PremiumSupport(enabled=False) # Support API is not available in China Partition @@ -37,10 +38,12 @@ class TrustedAdvisor(AWSService): for check in self.client.describe_trusted_advisor_checks(language="en").get( "checks", [] ): + check_arn = f"arn:{self.audited_partition}:trusted-advisor:{self.client.region}:{self.audited_account}:check/{check['id']}" self.checks.append( Check( id=check["id"], name=check["name"], + arn=check_arn, region=self.client.region, ) ) @@ -117,6 +120,7 @@ class TrustedAdvisor(AWSService): class Check(BaseModel): id: str name: str + arn: str status: Optional[str] region: str diff --git a/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py b/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py index ee7421a4..74220c71 100644 --- a/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py +++ b/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py 
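Review bot: `arn: str` is added to the `Check` model as a required field, so any `Check(...)` construction other than the one updated in the `describe_trusted_advisor_checks` loop will now fail validation; the tests for this service are not part of this diff, so it is worth confirming they build `Check` with `arn=`. The service segment `trusted-advisor` in both `account_arn_template` and `check_arn` also differs from the `support` client name, and I believe the ARN namespace AWS documents for Trusted Advisor is `trustedadvisor` (no hyphen) — please verify before this string reaches finding consumers. For consistency with the other services in this commit, the inline `check_arn` f-string could move into a `__get_check_arn__(self, region, check_id)` helper, though that is optional.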
@@ -14,7 +14,7 @@ class vpc_different_regions(Check): report = Check_Report_AWS(self.metadata()) report.region = vpc_client.region report.resource_id = vpc_client.audited_account - report.resource_arn = vpc_client.audited_account_arn + report.resource_arn = vpc_client.vpc_arn_template report.status = "FAIL" report.status_extended = "VPCs found only in one region." diff --git a/prowler/providers/aws/services/vpc/vpc_service.py b/prowler/providers/aws/services/vpc/vpc_service.py index 7affa7ee..7c73b32f 100644 --- a/prowler/providers/aws/services/vpc/vpc_service.py +++ b/prowler/providers/aws/services/vpc/vpc_service.py @@ -14,6 +14,9 @@ class VPC(AWSService): def __init__(self, audit_info): # Call AWSService's __init__ super().__init__("ec2", audit_info) + self.vpc_arn_template = ( + f"arn:{self.audited_partition}:ec2:{self.region}:{self.audited_account}:vpc" + ) self.vpcs = {} self.vpc_peering_connections = [] self.vpc_endpoints = [] diff --git a/tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py b/tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py index b29497f0..c5e915d5 100644 --- a/tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py +++ b/tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py @@ -13,7 +13,12 @@ class Test_backup_plans_exist: backup_client = mock.MagicMock backup_client.audited_account = AWS_ACCOUNT_NUMBER backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + backup_client.audited_partition = "aws" backup_client.region = AWS_REGION + backup_client.backup_plan_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:backup-plan" + backup_client.__get_backup_plan_arn_template__ = mock.MagicMock( + return_value=backup_client.backup_plan_arn_template + ) backup_client.backup_plans = [] backup_client.backup_vaults = ["vault"] with mock.patch( 
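Review bot: The backup_plans_exist test assigns `backup_client.__get_backup_plan_arn_template__ = mock.MagicMock(...)`, but no `__get_backup_plan_arn_template__` method is defined anywhere in this diff and the assertion that follows is satisfied by the `backup_plan_arn_template` attribute set on the line above, so the three `mock.MagicMock(return_value=...)` lines look like dead setup that will silently outlive any refactor. The same unused `__get_report_plan_arn_template__` mock appears twice in the backup_reportplans_exist test hunks below. Note also that the context line `backup_client = mock.MagicMock` binds the class rather than an instance, so every attribute these hunks add is set on the shared class object and leaks across tests — a pre-existing hazard that the new attributes widen.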
@@ -32,7 +37,10 @@ class Test_backup_plans_exist:
 assert result[0].status == "FAIL"
 assert result[0].status_extended == "No Backup Plan exist."
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:backup-plan"
+ )
 assert result[0].region == AWS_REGION

 def test_no_backup_plans_not_vaults(self):
diff --git a/tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py b/tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py
index e323378f..a30f0080 100644
--- a/tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py
+++ b/tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py
@@ -35,6 +35,11 @@ class Test_backup_reportplans_exist:
 backup_client.audited_account = AWS_ACCOUNT_NUMBER
 backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
 backup_client.region = AWS_REGION
+ backup_client.audited_partition = "aws"
+ backup_client.report_plan_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:report-plan"
+ backup_client.__get_report_plan_arn_template__ = mock.MagicMock(
+ return_value=backup_client.report_plan_arn_template
+ )
 backup_plan_id = str(uuid4()).upper()
 backup_plan_arn = (
 f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:plan:{backup_plan_id}"
@@ -67,7 +72,10 @@ class Test_backup_reportplans_exist:
 assert result[0].status == "FAIL"
 assert result[0].status_extended == "No Backup Report Plan exist."
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:report-plan"
+ )
 assert result[0].region == AWS_REGION

 def test_one_backup_report_plan(self):
@@ -75,6 +83,11 @@ class Test_backup_reportplans_exist:
 backup_client.audited_account = AWS_ACCOUNT_NUMBER
 backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
 backup_client.region = AWS_REGION
+ backup_client.audited_partition = "aws"
+ backup_client.report_plan_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:report-plan"
+ backup_client.__get_report_plan_arn_template__ = mock.MagicMock(
+ return_value=backup_client.report_plan_arn_template
+ )
 backup_plan_id = str(uuid4()).upper()
 backup_plan_arn = (
 f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:plan:{backup_plan_id}"
diff --git a/tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py b/tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py
index 429f13d0..857ae0d9 100644
--- a/tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py
+++ b/tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py
@@ -12,6 +12,11 @@ class Test_backup_vaults_exist:
 backup_client.audited_account = AWS_ACCOUNT_NUMBER
 backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
 backup_client.region = AWS_REGION
+ backup_client.audited_partition = "aws"
+ backup_client.backup_vault_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:backup-vault"
+ backup_client.__get_backup_vault_arn_template__ = mock.MagicMock(
+ return_value=backup_client.backup_vault_arn_template
+ )
 backup_client.backup_vaults = []
 with mock.patch(
 "prowler.providers.aws.services.backup.backup_service.Backup",
@@ -29,7 +34,10 @@ class Test_backup_vaults_exist:
 assert result[0].status == "FAIL"
 assert result[0].status_extended == "No Backup Vault exist."
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:backup-vault"
+ )
 assert result[0].region == AWS_REGION

 def test_one_backup_vault(self):
@@ -37,6 +45,11 @@ class Test_backup_vaults_exist:
 backup_client.audited_account = AWS_ACCOUNT_NUMBER
 backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
 backup_client.region = AWS_REGION
+ backup_client.audited_partition = "aws"
+ backup_client.backup_vault_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:backup-vault"
+ backup_client.__get_backup_vault_arn_template__ = mock.MagicMock(
+ return_value=backup_client.backup_vault_arn_template
+ )
 backup_vault_arn = f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:backup-vault:MyBackupVault"
 backup_client.backup_vaults = [
 BackupVault(
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_test.py
index cebbe0c8..c5335678 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_test.py
@@ -49,7 +49,7 @@ class Test_cloudtrail_multi_region_enabled:
 assert report.resource_id == AWS_ACCOUNT_NUMBER
 assert (
 report.resource_arn
- == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
 )
 assert report.resource_tags == []
 elif report.region == AWS_REGION_EU_WEST_1:
@@ -61,7 +61,7 @@ class Test_cloudtrail_multi_region_enabled:
 assert report.resource_id == AWS_ACCOUNT_NUMBER
 assert (
 report.resource_arn
- == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ == f"arn:aws:cloudtrail:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:trail"
 )
 assert report.resource_tags == []

@@ -125,7 +125,7 @@ class Test_cloudtrail_multi_region_enabled:
 assert report.resource_id == AWS_ACCOUNT_NUMBER
 assert (
 report.resource_arn
- == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
 )
 assert report.resource_tags == []
 elif report.region == AWS_REGION_EU_WEST_1:
@@ -137,7 +137,7 @@ class Test_cloudtrail_multi_region_enabled:
 assert report.resource_id == AWS_ACCOUNT_NUMBER
 assert (
 report.resource_arn
- == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ == f"arn:aws:cloudtrail:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:trail"
 )
 assert report.resource_tags == []

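Review bot: Every rewritten assertion in these four hunks spells out the full expected literal `f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"` inline, and the same string is repeated in `cloudtrail_multi_region_enabled_logging_management_events_test.py`, both `cloudtrail_s3_dataevents_*_enabled_test.py` files, and the whole `cloudwatch_*` series with its `logs:...:log-group` twin, so the next change to the service-side format means editing dozens of call sites. Several of those files drop `AWS_ACCOUNT_ARN` from `tests.providers.aws.audit_info_utils`, which is exactly where a shared helper belongs, e.g. `def resource_type_arn(service, region, resource_type): return f"arn:aws:{service}:{region}:{AWS_ACCOUNT_NUMBER}:{resource_type}"`. As written the tests also re-derive the format independently of the service, so a one-line comment on the first assertion of each class saying the value mirrors the service's resource-type pseudo-ARN would tell the next maintainer where the two must be kept in step.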
@@ -213,7 +213,7 @@ class Test_cloudtrail_multi_region_enabled:
 assert report.resource_id == AWS_ACCOUNT_NUMBER
 assert (
 report.resource_arn
- == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ == f"arn:aws:cloudtrail:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:trail"
 )
 assert report.resource_tags == []
 assert report.region == AWS_REGION_EU_WEST_1
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events_test.py
index 66506867..8f32e0c0 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_US_EAST_1,
 set_mocked_aws_audit_info,
@@ -37,7 +36,10 @@ class Test_cloudtrail_multi_region_enabled_logging_management_events:
 result = check.execute()
 assert len(result) == 1
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1
 assert result[0].status == "FAIL"
 assert (
@@ -149,7 +151,10 @@ class Test_cloudtrail_multi_region_enabled_logging_management_events:
 check = cloudtrail_multi_region_enabled_logging_management_events()
 result = check.execute()
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1
 assert result[0].status == "FAIL"
 assert (
@@ -258,7 +263,10 @@ class Test_cloudtrail_multi_region_enabled_logging_management_events:
 check = cloudtrail_multi_region_enabled_logging_management_events()
 result = check.execute()
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1
 assert result[0].status == "FAIL"
 assert (
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py
index ba711f1e..13a15140 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py
@@ -56,7 +56,10 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].resource_tags == []
 assert result[0].region == AWS_REGION_US_EAST_1

@@ -129,7 +132,10 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].resource_tags == []
 assert result[0].region == AWS_REGION_US_EAST_1

@@ -190,7 +196,10 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].resource_tags == []
 assert result[0].region == AWS_REGION_US_EAST_1

diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py
index f686d773..379ba187 100644
--- a/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py
+++ b/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py
@@ -56,7 +56,10 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].resource_tags == []
 assert result[0].region == AWS_REGION_US_EAST_1

@@ -117,7 +120,10 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].resource_tags == []
 assert result[0].region == AWS_REGION_US_EAST_1

@@ -189,7 +195,10 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+ )
 assert result[0].resource_tags == []
 assert result[0].region == AWS_REGION_US_EAST_1

diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured_test.py
index 1ddb0d1a..6b0d63ec 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_changes_to_network_acls_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_changes_to_network_acls_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1

 @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_changes_to_network_acls_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1

 @mock_aws
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured_test.py
index f807e751..83f2eaaa 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_changes_to_network_gateways_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_changes_to_network_gateways_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_changes_to_network_gateways_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured_test.py
index 2e8a4264..beba23b4 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_changes_to_network_route_tables_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_changes_to_network_route_tables_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_changes_to_network_route_tables_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured_test.py
index 89cabfa2..70c5215c 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_changes_to_vpcs_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_changes_to_vpcs_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_changes_to_vpcs_alarm_configured:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled_test.py
index d51e206b..65c306e5 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -67,7 +66,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_c
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -129,7 +131,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_c
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -197,7 +202,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_c
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled_test.py
index fc1c4b9e..270d74ac 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -67,7 +66,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_c
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -129,7 +131,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_c
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -197,7 +202,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_c
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures_test.py
index d825830f..d530a9b5 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_authentication_failures:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_authentication_failures:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_authentication_failures:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes_test.py
index 3bc9b82f..7a71c67d 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_aws_organizations_changes:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_aws_organizations_changes:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_aws_organizations_changes:
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk_test.py
index 583af0d1..a97687e6 100644
--- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk_test.py
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws

 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -67,7 +66,10 @@ class Test_cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -129,7 +131,10 @@ class Test_cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk
 == "No CloudWatch log groups found with metric filters or alarms associated."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+ )
 assert result[0].region == AWS_REGION_EU_WEST_1

 @mock_aws
@@ -197,7 +202,10 @@ class Test_cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes_test.py index 86ebed4a..af7eddc5 100644 --- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes_test.py +++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1, @@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_for_s3_bucket_policy_changes: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws 
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_for_s3_bucket_policy_changes: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_for_s3_bucket_policy_changes: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes_test.py index d3a7bd9f..e976f316 100644 --- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes_test.py +++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1, 
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage_test.py index ec1abf59..1c692e11 100644 --- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage_test.py +++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage_test.py 
@@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1, @@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_root_usage: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_root_usage: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_root_usage: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes_test.py index 455b10f5..8a6d77e7 100644 --- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes_test.py 
+++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1, @@ -65,7 +64,11 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -125,7 +128,11 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -191,7 +198,11 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws 
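Review bot: The new assertions in this file chain `result[0].resource_arn == result[0].resource_arn == f"..."`, a tautological self-comparison that looks like a copy-paste slip; it still passes, but the duplicated operand is noise. Each of the three hunks (`@@ -65`, `@@ -125`, `@@ -191`) should read `result[0].resource_arn == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"` as the sibling cloudwatch test files do. The hunk headers also show this file's class is named `Test_cloudwatch_log_metric_filter_unauthorized_api_calls`, the same leftover visible in the policy_changes test file; pre-existing, but worth renaming while these lines are being touched.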
diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa_test.py index 30903353..bf26879f 100644 --- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa_test.py +++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1, @@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_sign_in_without_mfa: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_sign_in_without_mfa: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws 
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_sign_in_without_mfa: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws diff --git a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls_test.py b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls_test.py index bb4de718..1240d230 100644 --- a/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls_test.py +++ b/tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1, @@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws 
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws @@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls: == "No CloudWatch log groups found with metric filters or alarms associated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group" + ) assert result[0].region == AWS_REGION_EU_WEST_1 @mock_aws diff --git a/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py b/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py index 852d852a..a5913e0e 100644 --- a/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py +++ b/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_EU_SOUTH_2, AWS_REGION_EU_WEST_1, 
@@ -35,18 +34,33 @@ class Test_config_recorder_all_regions_enabled: ) check = config_recorder_all_regions_enabled() - result = check.execute() + results = check.execute() - assert ( - len(result) == 2 - ) # One fail result per region, since there are no recorders - assert result[0].status == "FAIL" - assert ( - result[0].status_extended - == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled." - ) - assert result[0].resource_arn == AWS_ACCOUNT_ARN - assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert len(results) == 2 + for result in results: + if result.region == AWS_REGION_EU_WEST_1: + + assert result.status == "FAIL" + assert ( + result.status_extended + == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled." + ) + assert ( + result.resource_arn + == f"arn:aws:config:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:recorder" + ) + assert result.resource_id == AWS_ACCOUNT_NUMBER + if result.region == AWS_REGION_EU_WEST_1: + assert result.status == "FAIL" + assert ( + result.status_extended + == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled." + ) + assert ( + result.resource_arn + == f"arn:aws:config:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:recorder" + ) + assert result.resource_id == AWS_ACCOUNT_NUMBER @mock_aws def test_config_one_recoder_disabled(self): @@ -84,7 +98,10 @@ class Test_config_recorder_all_regions_enabled: == "AWS Config recorder default is disabled." ) assert recorder.resource_id == "default" - assert recorder.resource_arn == AWS_ACCOUNT_ARN + assert ( + recorder.resource_arn + == f"arn:aws:config:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:recorder" + ) assert recorder.region == AWS_REGION_US_EAST_1 @mock_aws 
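Review bot: The new loop's second branch repeats `if result.region == AWS_REGION_EU_WEST_1:`, so whichever other region produced the second of the two asserted results is never checked and a wrong ARN there passes silently; the first branch also carries a stray blank line after the `if`. The second branch should test the other audited region (chosen by the mocked audit_info outside the hunk, `AWS_REGION_EU_SOUTH_2` or `AWS_REGION_US_EAST_1`, both imported in this file) with that region in its expected ARN, and an `else: raise AssertionError(f"unexpected region {result.region}")` after the branches stops a result from skipping every check. The same if/if-without-else shape appears in the ec2_ebs_default_encryption loop later in this diff and deserves the same guard.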
@@ -128,7 +145,10 @@ class Test_config_recorder_all_regions_enabled: == "AWS Config recorder default is enabled." ) assert recorder.resource_id == "default" - assert recorder.resource_arn == AWS_ACCOUNT_ARN + assert ( + recorder.resource_arn + == f"arn:aws:config:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:recorder" + ) assert recorder.region == AWS_REGION_US_EAST_1 @mock_aws @@ -171,7 +191,10 @@ class Test_config_recorder_all_regions_enabled: == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled." ) assert recorder.resource_id == AWS_ACCOUNT_NUMBER - assert recorder.resource_arn == AWS_ACCOUNT_ARN + assert ( + recorder.resource_arn + == f"arn:aws:config:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:recorder" + ) assert recorder.region == AWS_REGION_US_EAST_1 else: assert recorder.status == "FAIL" @@ -180,5 +203,8 @@ class Test_config_recorder_all_regions_enabled: == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled." ) assert recorder.resource_id == AWS_ACCOUNT_NUMBER - assert recorder.resource_arn == AWS_ACCOUNT_ARN - assert recorder.region == "eu-south-2" + assert ( + recorder.resource_arn + == f"arn:aws:config:{AWS_REGION_EU_SOUTH_2}:{AWS_ACCOUNT_NUMBER}:recorder" + ) + assert recorder.region == AWS_REGION_EU_SOUTH_2 diff --git a/tests/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists_test.py b/tests/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists_test.py index 062378a3..c06860f8 100644 --- a/tests/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists_test.py +++ b/tests/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists_test.py 
@@ -75,6 +75,8 @@ class Test_dlm_ebs_snapshot_lifecycle_policy_exists: dlm_client = mock.MagicMock dlm_client.audited_account = AWS_ACCOUNT_NUMBER dlm_client.audited_account_arn = AWS_ACCOUNT_ARN + dlm_client.region = AWS_REGION_US_EAST_1 + dlm_client.audited_partition = "aws" dlm_client.lifecycle_policies = { AWS_REGION_US_EAST_1: { LIFECYCLE_POLICY_ID: LifecyclePolicy( @@ -85,7 +87,10 @@ class Test_dlm_ebs_snapshot_lifecycle_policy_exists: ) } } - + dlm_client.lifecycle_policy_arn_template = f"arn:{dlm_client.audited_partition}:dlm:{dlm_client.region}:{dlm_client.audited_account}:policy" + dlm_client.__get_lifecycle_policy_arn_template__ = mock.MagicMock( + return_value=dlm_client.lifecycle_policy_arn_template + ) audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1]) from prowler.providers.aws.services.ec2.ec2_service import EC2 @@ -111,7 +116,10 @@ class Test_dlm_ebs_snapshot_lifecycle_policy_exists: assert result[0].status_extended == "EBS snapshot lifecycle policies found." assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:dlm:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy" + ) @mock_aws def test_one_ebs_snapshot_and_no_dlm_lifecycle_policy(self): diff --git a/tests/providers/aws/services/drs/drs_job_exist/drs_job_exist_test.py b/tests/providers/aws/services/drs/drs_job_exist/drs_job_exist_test.py index 4fad6112..ff4eb895 100644 --- a/tests/providers/aws/services/drs/drs_job_exist/drs_job_exist_test.py +++ b/tests/providers/aws/services/drs/drs_job_exist/drs_job_exist_test.py @@ -13,6 +13,7 @@ class Test_drs_job_exist: drs_client.audited_account = AWS_ACCOUNT_NUMBER drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" drs_client.region = AWS_REGION + drs_client.audited_partition = "aws" drs_client.drs_services = [ DRSservice( id="DRS", 
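Review bot: `dlm_client = mock.MagicMock` in the context line binds the class, not an instance, so the added `dlm_client.region`, `dlm_client.audited_partition`, `dlm_client.lifecycle_policy_arn_template` and `dlm_client.__get_lifecycle_policy_arn_template__` assignments set attributes on `unittest.mock.MagicMock` itself and remain visible to every MagicMock created later in the same pytest process. The pattern predates this change, but the commit widens it; `dlm_client = mock.MagicMock()` makes the fixture per-test. The same shape is visible in fms_policy_compliant_test (`fms_client = mock.MagicMock`) and presumably in the drs and emr tests, whose client construction lies outside their hunks. The enclosing test function starts outside the hunk.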
@@ -29,6 +30,10 @@ class Test_drs_job_exist: ], ) ] + drs_client.recovery_job_arn_template = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job" + drs_client.__get_recovery_job_arn_template__ = mock.MagicMock( + return_value=drs_client.recovery_job_arn_template + ) with mock.patch( "prowler.providers.aws.services.drs.drs_service.DRS", new=drs_client, @@ -47,7 +52,10 @@ class Test_drs_job_exist: result[0].status_extended == "DRS is enabled for this region with jobs." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + assert ( + result[0].resource_arn + == f"arn:aws:drs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:recovery-job" + ) assert result[0].region == AWS_REGION assert result[0].resource_tags == [] @@ -56,6 +64,7 @@ class Test_drs_job_exist: drs_client.audited_account = AWS_ACCOUNT_NUMBER drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" drs_client.region = AWS_REGION + drs_client.audited_partition = "aws" drs_client.drs_services = [ DRSservice( id="DRS", @@ -64,6 +73,10 @@ class Test_drs_job_exist: jobs=[], ) ] + drs_client.recovery_job_arn_template = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job" + drs_client.__get_recovery_job_arn_template__ = mock.MagicMock( + return_value=drs_client.recovery_job_arn_template + ) with mock.patch( "prowler.providers.aws.services.drs.drs_service.DRS", new=drs_client, @@ -83,7 +96,10 @@ class Test_drs_job_exist: == "DRS is enabled for this region without jobs." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + assert ( + result[0].resource_arn + == f"arn:aws:drs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:recovery-job" + ) assert result[0].region == AWS_REGION assert result[0].resource_tags == [] 
@@ -92,6 +108,7 @@ class Test_drs_job_exist: drs_client.audited_account = AWS_ACCOUNT_NUMBER drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" drs_client.region = AWS_REGION + drs_client.audited_partition = "aws" drs_client.drs_services = [ DRSservice( id="DRS", @@ -100,6 +117,10 @@ class Test_drs_job_exist: jobs=[], ) ] + drs_client.recovery_job_arn_template = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job" + drs_client.__get_recovery_job_arn_template__ = mock.MagicMock( + return_value=drs_client.recovery_job_arn_template + ) with mock.patch( "prowler.providers.aws.services.drs.drs_service.DRS", new=drs_client, @@ -116,7 +137,10 @@ class Test_drs_job_exist: assert result[0].status == "FAIL" assert result[0].status_extended == "DRS is not enabled for this region." assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + assert ( + result[0].resource_arn + == f"arn:aws:drs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:recovery-job" + ) assert result[0].region == AWS_REGION assert result[0].resource_tags == [] @@ -125,6 +149,7 @@ class Test_drs_job_exist: drs_client.audit_config = {"allowlist_non_default_regions": True} drs_client.audited_account = AWS_ACCOUNT_NUMBER drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + drs_client.audited_partition = "aws" drs_client.region = "eu-west-2" drs_client.drs_services = [ DRSservice( @@ -134,6 +159,10 @@ class Test_drs_job_exist: jobs=[], ) ] + drs_client.recovery_job_arn_template = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job" + drs_client.__get_recovery_job_arn_template__ = mock.MagicMock( + return_value=drs_client.recovery_job_arn_template + ) with mock.patch( "prowler.providers.aws.services.drs.drs_service.DRS", new=drs_client, 
@@ -150,6 +179,9 @@ class Test_drs_job_exist: assert result[0].status == "WARNING" assert result[0].status_extended == "DRS is not enabled for this region." assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + assert ( + result[0].resource_arn + == f"arn:aws:drs:eu-west-2:{AWS_ACCOUNT_NUMBER}:recovery-job" + ) assert result[0].region == AWS_REGION assert result[0].resource_tags == [] diff --git a/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py b/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py index 1cbf16fc..fb258c29 100644 --- a/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py +++ b/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py @@ -51,7 +51,19 @@ class Test_ec2_ebs_default_encryption: ) assert result.resource_id == AWS_ACCOUNT_NUMBER assert ( - result.resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + result.resource_arn + == f"arn:aws:ec2:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:volume" + ) + if result.region == AWS_REGION_EU_WEST_1: + assert result.status == "FAIL" + assert ( + result.status_extended + == "EBS Default Encryption is not activated." + ) + assert result.resource_id == AWS_ACCOUNT_NUMBER + assert ( + result.resource_arn + == f"arn:aws:ec2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:volume" ) @mock_aws 
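Review bot: The expected ARN in this hunk hard-codes `eu-west-2` while the test assigns `drs_client.region = "eu-west-2"` a few lines earlier (outside the hunk) and still asserts `result[0].region == AWS_REGION`, so the region now lives in three places with two different values. Writing `f"arn:aws:drs:{drs_client.region}:{AWS_ACCOUNT_NUMBER}:recovery-job"` ties the expectation to the fixture, and the unchanged `assert result[0].region == AWS_REGION` looks like a pre-existing mismatch worth a second look. The enclosing test function starts outside the hunk.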
@@ -75,16 +87,33 @@ class Test_ec2_ebs_default_encryption: ) check = ec2_ebs_default_encryption() - result = check.execute() + results = check.execute() # One result per region - assert len(result) == 2 - assert result[0].status == "FAIL" - assert ( - result[0].status_extended == "EBS Default Encryption is not activated." - ) - assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + assert len(results) == 2 + for result in results: + if result.region == AWS_REGION_US_EAST_1: + assert result.status == "FAIL" + assert ( + result.status_extended + == "EBS Default Encryption is not activated." + ) + assert result.resource_id == AWS_ACCOUNT_NUMBER + assert ( + result.resource_arn + == f"arn:aws:ec2:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:volume" + ) + if result.region == AWS_REGION_EU_WEST_1: + assert result.status == "FAIL" + assert ( + result.status_extended + == "EBS Default Encryption is not activated." + ) + assert result.resource_id == AWS_ACCOUNT_NUMBER + assert ( + result.resource_arn + == f"arn:aws:ec2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:volume" + ) @mock_aws def test_ec2_ebs_encryption_disabled_ignored(self): @@ -148,4 +177,7 @@ class Test_ec2_ebs_default_encryption: result[0].status_extended == "EBS Default Encryption is not activated." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + assert ( + result[0].resource_arn + == f"arn:aws:ec2:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:volume" + ) diff --git a/tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py b/tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py index f2af2bc2..84283e79 100644 
--- a/tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py +++ b/tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py @@ -18,6 +18,12 @@ class Test_emr_cluster_account_public_block_enabled: block_public_security_group_rules=True ) } + emr_client.region = AWS_REGION_EU_WEST_1 + emr_client.audited_partition = "aws" + emr_client.cluster_arn_template = f"arn:{emr_client.audited_partition}:elasticmapreduce:{emr_client.region}:{emr_client.audited_account}:cluster" + emr_client.__get_cluster_arn_template__ = mock.MagicMock( + return_value=emr_client.cluster_arn_template + ) with mock.patch( "prowler.providers.aws.services.emr.emr_service.EMR", new=emr_client, @@ -47,6 +53,12 @@ class Test_emr_cluster_account_public_block_enabled: block_public_security_group_rules=False ) } + emr_client.region = AWS_REGION_EU_WEST_1 + emr_client.audited_partition = "aws" + emr_client.cluster_arn_template = f"arn:{emr_client.audited_partition}:elasticmapreduce:{emr_client.region}:{emr_client.audited_account}:cluster" + emr_client.__get_cluster_arn_template__ = mock.MagicMock( + return_value=emr_client.cluster_arn_template + ) with mock.patch( "prowler.providers.aws.services.emr.emr_service.EMR", new=emr_client, diff --git a/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py b/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py index 18325fb7..f56919b3 100644 --- a/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py +++ b/tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py 
@@ -34,11 +34,12 @@ class Test_fms_policy_compliant: fms_client.audited_account = AWS_ACCOUNT_NUMBER fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" fms_client.region = AWS_REGION_US_EAST_1 + fms_client.audited_partition = "aws" fms_client.fms_admin_account = True fms_client.fms_policies = [ Policy( - arn="arn:aws:fms:us-east-1:12345678901", - id="12345678901", + arn=f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy", + id=AWS_ACCOUNT_NUMBER, name="test", resource_type="AWS::EC2::Instance", service_type="WAF", @@ -46,13 +47,17 @@ class Test_fms_policy_compliant: delete_unused_managed_resources=True, compliance_status=[ PolicyAccountComplianceStatus( - account_id="12345678901", - policy_id="12345678901", + account_id=AWS_ACCOUNT_NUMBER, + policy_id=AWS_ACCOUNT_NUMBER, status="NON_COMPLIANT", ) ], ) ] + fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy" + fms_client.__get_policy_arn_template__ = mock.MagicMock( + return_value=fms_client.policy_arn_template + ) with mock.patch( "prowler.providers.aws.services.fms.fms_service.FMS", new=fms_client, @@ -71,8 +76,11 @@ class Test_fms_policy_compliant: result[0].status_extended == f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}." ) - assert result[0].resource_id == "12345678901" - assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901" + assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 def test_fms_admin_with_compliant_policies(self): 
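Review bot: The Policy fixture's `arn` is now the bare type template `f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy"` and its `id` is `AWS_ACCOUNT_NUMBER`, so the non-compliant-policy finding is asserted to carry exactly the ARN the no-policies case expects later in this file; if the check reports `policy.arn`, the test can no longer distinguish a per-policy ARN from the account-level fallback. Keeping a distinct policy id and an ARN such as `f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy/{POLICY_ID}"` (POLICY_ID being a constructed constant) with a matching assertion would pin that behaviour, and using the account number as a policy id also makes `resource_id` ambiguous between the two. The second hunk sets the same template through both `policy_arn_template` and `__get_policy_arn_template__`; a one-line comment naming which one the check consumes would spare the next reader a lookup.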
@@ -80,6 +88,7 @@ class Test_fms_policy_compliant: fms_client.audited_account = AWS_ACCOUNT_NUMBER fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" fms_client.region = AWS_REGION_US_EAST_1 + fms_client.audited_partition = "aws" fms_client.fms_admin_account = True fms_client.fms_policies = [ Policy( @@ -99,6 +108,10 @@ class Test_fms_policy_compliant: ], ) ] + fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy" + fms_client.__get_policy_arn_template__ = mock.MagicMock( + return_value=fms_client.policy_arn_template + ) with mock.patch( "prowler.providers.aws.services.fms.fms_service.FMS", new=fms_client, @@ -117,18 +130,22 @@ class Test_fms_policy_compliant: result[0].status_extended == "FMS enabled with all compliant accounts." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + assert ( + result[0].resource_arn + == f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 def test_fms_admin_with_non_and_compliant_policies(self): fms_client = mock.MagicMock fms_client.audited_account = AWS_ACCOUNT_NUMBER fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + fms_client.audited_partition = "aws" fms_client.region = AWS_REGION_US_EAST_1 fms_client.fms_admin_account = True fms_client.fms_policies = [ Policy( - arn="arn:aws:fms:us-east-1:12345678901", + arn=f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy", id="12345678901", name="test", resource_type="AWS::EC2::Instance", 
@@ -149,6 +166,10 @@ class Test_fms_policy_compliant: ], ) ] + fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy" + fms_client.__get_policy_arn_template__ = mock.MagicMock( + return_value=fms_client.policy_arn_template + ) with mock.patch( "prowler.providers.aws.services.fms.fms_service.FMS", new=fms_client, @@ -168,7 +189,10 @@ class Test_fms_policy_compliant: == f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}." ) assert result[0].resource_id == "12345678901" - assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901" + assert ( + result[0].resource_arn + == f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 def test_fms_admin_without_policies(self): @@ -176,8 +200,13 @@ class Test_fms_policy_compliant: fms_client.audited_account = AWS_ACCOUNT_NUMBER fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" fms_client.region = AWS_REGION_US_EAST_1 + fms_client.audited_partition = "aws" fms_client.fms_admin_account = True fms_client.fms_policies = [] + fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy" + fms_client.__get_policy_arn_template__ = mock.MagicMock( + return_value=fms_client.policy_arn_template + ) with mock.patch( "prowler.providers.aws.services.fms.fms_service.FMS", new=fms_client, 
@@ -197,13 +226,17 @@ class Test_fms_policy_compliant: == f"FMS without any compliant policy for account {AWS_ACCOUNT_NUMBER}." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == fms_client.audited_account_arn + assert ( + result[0].resource_arn + == f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 def test_fms_admin_with_policy_with_null_status(self): fms_client = mock.MagicMock fms_client.audited_account = AWS_ACCOUNT_NUMBER fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + fms_client.audited_partition = "aws" fms_client.region = AWS_REGION_US_EAST_1 fms_client.fms_admin_account = True fms_client.fms_policies = [ @@ -224,6 +257,10 @@ class Test_fms_policy_compliant: ], ) ] + fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy" + fms_client.__get_policy_arn_template__ = mock.MagicMock( + return_value=fms_client.policy_arn_template + ) with mock.patch( "prowler.providers.aws.services.fms.fms_service.FMS", new=fms_client, diff --git a/tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py index 73d3dbf9..b6f4c990 100644 --- a/tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py 
@@ -41,7 +41,12 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled: ) ] glue_client.audited_account = "12345678912" - + glue_client.audited_partition = "aws" + glue_client.region = AWS_REGION_US_EAST_1 + glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" + glue_client.__get_data_catalog_arn_template__ = mock.MagicMock( + return_value=glue_client.data_catalog_arn_template + ) with mock.patch( "prowler.providers.aws.services.glue.glue_service.Glue", glue_client, @@ -77,6 +82,12 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled: ) ] glue_client.audited_account = "12345678912" + glue_client.audited_partition = "aws" + glue_client.region = AWS_REGION_US_EAST_1 + glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" + glue_client.__get_data_catalog_arn_template__ = mock.MagicMock( + return_value=glue_client.data_catalog_arn_template + ) glue_client.audit_info.ignore_unused_services = True with mock.patch( "prowler.providers.aws.services.glue.glue_service.Glue", @@ -106,6 +117,12 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled: ) ] glue_client.audited_account = "12345678912" + glue_client.audited_partition = "aws" + glue_client.region = AWS_REGION_US_EAST_1 + glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" + glue_client.__get_data_catalog_arn_template__ = mock.MagicMock( + return_value=glue_client.data_catalog_arn_template + ) glue_client.audit_info.ignore_unused_services = True with mock.patch( "prowler.providers.aws.services.glue.glue_service.Glue", 
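Review bot: The template `arn:{partition}:glue:{region}:{account}:data-catalog` does not match the resource segment AWS documents for the Glue Data Catalog, which as far as I recall is `arn:aws:glue:region:account-id:catalog`; if `data-catalog` is a deliberate Prowler-internal identifier, a one-line comment on the service-side template saying so would stop the next reader from "fixing" it. All three tests here set `glue_client.audited_partition = "aws"` and nothing in the change asserts a non-default partition, so the partition being threaded through the template is never exercised; one fixture with `audited_partition = "aws-cn"` and a matching `arn:aws-cn:glue:` assertion would cover that path. The service-side template construction is outside this hunk.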
diff --git a/tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py index 9d1e7faa..ccb3d589 100644 --- a/tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py +++ b/tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py @@ -42,7 +42,12 @@ class Test_glue_data_catalogs_metadata_encryption_enabled: ) ] glue_client.audited_account = "12345678912" - + glue_client.audited_partition = "aws" + glue_client.region = AWS_REGION_US_EAST_1 + glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" + glue_client.__get_data_catalog_arn_template__ = mock.MagicMock( + return_value=glue_client.data_catalog_arn_template + ) with mock.patch( "prowler.providers.aws.services.glue.glue_service.Glue", glue_client, @@ -79,7 +84,12 @@ class Test_glue_data_catalogs_metadata_encryption_enabled: ] glue_client.audited_account = "12345678912" glue_client.audit_info.ignore_unused_services = True - + glue_client.audited_partition = "aws" + glue_client.region = AWS_REGION_US_EAST_1 + glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" + glue_client.__get_data_catalog_arn_template__ = mock.MagicMock( + return_value=glue_client.data_catalog_arn_template + ) with mock.patch( "prowler.providers.aws.services.glue.glue_service.Glue", glue_client, 
@@ -109,7 +119,12 @@ class Test_glue_data_catalogs_metadata_encryption_enabled: ] glue_client.audited_account = "12345678912" glue_client.audit_info.ignore_unused_services = True - + glue_client.audited_partition = "aws" + glue_client.region = AWS_REGION_US_EAST_1 + glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" + glue_client.__get_data_catalog_arn_template__ = mock.MagicMock( + return_value=glue_client.data_catalog_arn_template + ) with mock.patch( "prowler.providers.aws.services.glue.glue_service.Glue", glue_client, @@ -145,7 +160,12 @@ class Test_glue_data_catalogs_metadata_encryption_enabled: ) ] glue_client.audited_account = "12345678912" - + glue_client.audited_partition = "aws" + glue_client.region = AWS_REGION_US_EAST_1 + glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" + glue_client.__get_data_catalog_arn_template__ = mock.MagicMock( + return_value=glue_client.data_catalog_arn_template + ) with mock.patch( "prowler.providers.aws.services.glue.glue_service.Glue", glue_client, diff --git a/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py b/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py index 31d72c97..a4fa8d2d 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py 
@@ -4,7 +4,6 @@ from unittest import mock from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, @@ -47,7 +46,10 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less: assert len(result) == 1 assert result[0].status == "PASS" assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 assert search( "Password expiration is set lower than 90 days", @@ -89,7 +91,10 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less: assert len(result) == 1 assert result[0].status == "FAIL" assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 assert search( "Password expiration is set greater than 90 days", @@ -131,7 +136,10 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less: assert len(result) == 1 assert result[0].status == "PASS" assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 assert search( "Password expiration is set lower than 90 days", diff --git a/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py b/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py index 13339371..d5ec4354 100644 
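Review bot: The expected value `f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"` in the `@@ -47,7 +46,10 @@` hunk pins a region into an IAM ARN, but IAM is a global service whose ARNs carry an empty region field (`arn:aws:iam::123456789012:...`), so this is a synthetic identifier rather than anything AWS would return. That is workable if it is documented as such on the service template and if consumers that match on `resource_arn` (mutelist entries written against the old root ARN, Security Hub output, anything that parses the region out of the ARN) are known to tolerate it; otherwise leave the region segment empty to keep the IAM shape. These tests run under `@mock_aws`, so the value under test comes from the real service class, which is outside this diff.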
--- a/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py @@ -5,7 +5,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, @@ -44,7 +43,10 @@ class Test_iam_password_policy_lowercase: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws @@ -78,5 +80,8 @@ class Test_iam_password_policy_lowercase: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 diff --git a/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py b/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py index 78981529..1815dd27 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py @@ -5,7 +5,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, 
@@ -51,7 +50,10 @@ class Test_iam_password_policy_minimum_length_14: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws @@ -85,7 +87,10 @@ class Test_iam_password_policy_minimum_length_14: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws @@ -119,5 +124,8 @@ class Test_iam_password_policy_minimum_length_14: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 diff --git a/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py b/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py index dc164ce9..9b518e4b 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_test.py @@ -5,7 +5,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, 
@@ -51,7 +50,10 @@ class Test_iam_password_policy_number: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws @@ -85,5 +87,8 @@ class Test_iam_password_policy_number: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 diff --git a/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py b/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py index 980141c3..27ad3aa8 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, @@ -49,7 +48,10 @@ class Test_iam_password_policy_reuse_24: == "IAM password policy reuse prevention is equal to 24." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws 
@@ -82,5 +84,8 @@ class Test_iam_password_policy_reuse_24: == "IAM password policy reuse prevention is less than 24 or not set." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 diff --git a/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py b/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py index 9328dac9..8285a543 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_test.py @@ -5,7 +5,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, @@ -51,7 +50,10 @@ class Test_iam_password_policy_symbol: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws @@ -85,5 +87,8 @@ class Test_iam_password_policy_symbol: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 
diff --git a/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py b/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py index 19de44cf..97b7442d 100644 --- a/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py +++ b/tests/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, @@ -49,7 +48,10 @@ class Test_iam_password_policy_uppercase: == "IAM password policy does not require at least one uppercase letter." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws @@ -82,5 +84,8 @@ class Test_iam_password_policy_uppercase: == "IAM password policy requires at least one uppercase letter." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy" + ) assert result[0].region == AWS_REGION_US_EAST_1 diff --git a/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py b/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py index 1f2e91c1..0fc5f032 100644 --- a/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py +++ b/tests/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled_test.py 
@@ -5,6 +5,7 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( + AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, ) @@ -85,5 +86,5 @@ class Test_iam_root_hardware_mfa_enabled_test: assert result[0].resource_id == "" assert ( result[0].resource_arn - == f"arn:aws:iam::{service_client.audited_account}:root" + == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:mfa" ) diff --git a/tests/providers/aws/services/macie/macie_is_enabled/macie_is_enabled_test.py b/tests/providers/aws/services/macie/macie_is_enabled/macie_is_enabled_test.py index 7864dc58..7df819f3 100644 --- a/tests/providers/aws/services/macie/macie_is_enabled/macie_is_enabled_test.py +++ b/tests/providers/aws/services/macie/macie_is_enabled/macie_is_enabled_test.py @@ -23,12 +23,18 @@ class Test_macie_is_enabled: macie_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) macie_client.audited_account = AWS_ACCOUNT_NUMBER macie_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + macie_client.audited_partition = "aws" + macie_client.region = AWS_REGION_EU_WEST_1 macie_client.sessions = [ Session( status="DISABLED", region="eu-west-1", ) ] + macie_client.session_arn_template = f"arn:{macie_client.audited_partition}:macie:{macie_client.region}:{macie_client.audited_account}:session" + macie_client.__get_session_arn_template__ = mock.MagicMock( + return_value=macie_client.session_arn_template + ) current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) with mock.patch( @@ -53,6 +59,10 @@ class Test_macie_is_enabled: assert result[0].status == "FAIL" assert result[0].status_extended == "Macie is not enabled." assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:macie:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:session" + ) @mock_aws def test_macie_enabled(self): 
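Review bot: In the `@@ -85,5 +86,5 @@` hunk the finding now carries `== f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:mfa"` while the context line above still pins `result[0].resource_id == ""`, so the root-MFA finding names a resource in one field and no resource in the other; every other account-level check in this change sets `resource_id` to the account number. Unless the empty id is intentional, assert `result[0].resource_id == AWS_ACCOUNT_NUMBER` and align the check; if it is intentional, a short comment on the assertion explaining why would help. As with the password-policy checks, a region segment in an IAM ARN is not something AWS emits. The check implementation is not part of this diff.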
@@ -65,12 +75,18 @@ class Test_macie_is_enabled: macie_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) macie_client.audited_account = AWS_ACCOUNT_NUMBER macie_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + macie_client.audited_partition = "aws" + macie_client.region = AWS_REGION_EU_WEST_1 macie_client.sessions = [ Session( status="ENABLED", region="eu-west-1", ) ] + macie_client.session_arn_template = f"arn:{macie_client.audited_partition}:macie:{macie_client.region}:{macie_client.audited_account}:session" + macie_client.__get_session_arn_template__ = mock.MagicMock( + return_value=macie_client.session_arn_template + ) current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) with mock.patch( @@ -95,6 +111,10 @@ class Test_macie_is_enabled: assert result[0].status == "PASS" assert result[0].status_extended == "Macie is enabled." assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:macie:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:session" + ) @mock_aws def test_macie_suspended_ignored(self): @@ -107,6 +127,12 @@ class Test_macie_is_enabled: macie_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) macie_client.audited_account = AWS_ACCOUNT_NUMBER macie_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + macie_client.audited_partition = "aws" + macie_client.region = AWS_REGION_EU_WEST_1 + macie_client.session_arn_template = f"arn:{macie_client.audited_partition}:macie:{macie_client.region}:{macie_client.audited_account}:session" + macie_client.__get_session_arn_template__ = mock.MagicMock( + return_value=macie_client.session_arn_template + ) macie_client.sessions = [ Session( status="PAUSED", 
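Review bot: The `session_arn_template` uses `macie` as the service segment (`arn:{partition}:macie:{region}:{account}:session`), but the current Macie API and its IAM action namespace are `macie2`, and I believe the ARNs Macie itself emits (e.g. for classification jobs) use `arn:aws:macie2:...`; if the goal is to resemble real ARNs, `macie2` is the segment to use, otherwise note on the service template that this is a Prowler-synthesised identifier. The fixture also pins `region="eu-west-1"` as a literal inside `Session(...)` while `macie_client.region = AWS_REGION_EU_WEST_1` uses the constant; using the constant in both places keeps the two from silently diverging.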
@@ -154,13 +180,18 @@ class Test_macie_is_enabled: macie_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) macie_client.audited_account = AWS_ACCOUNT_NUMBER macie_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + macie_client.audited_partition = "aws" + macie_client.region = AWS_REGION_EU_WEST_1 macie_client.sessions = [ Session( status="PAUSED", region=AWS_REGION_EU_WEST_1, ) ] - + macie_client.session_arn_template = f"arn:{macie_client.audited_partition}:macie:{macie_client.region}:{macie_client.audited_account}:session" + macie_client.__get_session_arn_template__ = mock.MagicMock( + return_value=macie_client.session_arn_template + ) macie_client.audit_info.ignore_unused_services = True current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) @@ -188,6 +219,10 @@ class Test_macie_is_enabled: result[0].status_extended == "Macie is currently in a SUSPENDED state." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:macie:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:session" + ) @mock_aws def test_macie_suspended(self): @@ -198,6 +233,8 @@ class Test_macie_is_enabled: macie_client.audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) macie_client.audited_account = AWS_ACCOUNT_NUMBER macie_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root" + macie_client.audited_partition = "aws" + macie_client.region = AWS_REGION_EU_WEST_1 macie_client.sessions = [ Session( status="PAUSED", 
@@ -205,7 +242,10 @@ class Test_macie_is_enabled: ) ] current_audit_info = set_mocked_aws_audit_info([AWS_REGION_EU_WEST_1]) - + macie_client.session_arn_template = f"arn:{macie_client.audited_partition}:macie:{macie_client.region}:{macie_client.audited_account}:session" + macie_client.__get_session_arn_template__ = mock.MagicMock( + return_value=macie_client.session_arn_template + ) with mock.patch( "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", new=current_audit_info, @@ -230,3 +270,7 @@ class Test_macie_is_enabled: result[0].status_extended == "Macie is currently in a SUSPENDED state." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:macie:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:session" + ) diff --git a/tests/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found_test.py b/tests/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found_test.py index aa958ec8..0abd945b 100644 --- a/tests/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found_test.py +++ b/tests/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found_test.py 
@@ -20,7 +20,12 @@ class Test_resourceexplorer2_indexes_found:
 resourceexplorer2_client.audited_account_arn = (
 f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
 )
+ resourceexplorer2_client.audited_partition = "aws"
 resourceexplorer2_client.region = AWS_REGION_US_EAST_1
+ resourceexplorer2_client.index_arn_template = f"arn:{resourceexplorer2_client.audited_partition}:resource-explorer:{resourceexplorer2_client.region}:{resourceexplorer2_client.audited_account}:index"
+ resourceexplorer2_client.__get_index_arn_template__ = mock.MagicMock(
+ return_value=resourceexplorer2_client.index_arn_template
+ )
 with mock.patch(
 "prowler.providers.aws.services.resourceexplorer2.resourceexplorer2_service.ResourceExplorer2",
 new=resourceexplorer2_client,
@@ -38,7 +43,10 @@ class Test_resourceexplorer2_indexes_found:
 assert result[0].status == "FAIL"
 assert result[0].status_extended == "No Resource Explorer Indexes found."
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:resource-explorer:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:index"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1

 def test_one_index_found(self):
@@ -51,6 +59,11 @@ class Test_resourceexplorer2_indexes_found:
 f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
 )
 resourceexplorer2_client.region = AWS_REGION_US_EAST_1
+ resourceexplorer2_client.audited_partition = "aws"
+ resourceexplorer2_client.index_arn_template = f"arn:{resourceexplorer2_client.audited_partition}:resource-explorer:{resourceexplorer2_client.region}:{resourceexplorer2_client.audited_account}:index"
+ resourceexplorer2_client.__get_index_arn_template__ = mock.MagicMock(
+ return_value=resourceexplorer2_client.index_arn_template
+ )
 with mock.patch(
 "prowler.providers.aws.services.resourceexplorer2.resourceexplorer2_service.ResourceExplorer2",
 new=resourceexplorer2_client,
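Review bot: The service segment in `index_arn_template` is `resource-explorer`, whereas the service prefix AWS uses for Resource Explorer in its IAM actions and, as far as I recall, in documented index ARNs is `resource-explorer-2` (`arn:aws:resource-explorer-2:region:account:index/...`); if downstream tooling is expected to recognise this ARN, the `-2` is needed. Both tests set `resourceexplorer2_client.audited_partition = "aws"` and then assert a hard-coded `arn:aws:` prefix, so the partition in the template is never actually exercised. The service-side template lives outside this hunk.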
diff --git a/tests/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_test.py b/tests/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_test.py index ddf7b358..9cf5f3d3 100644 --- a/tests/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_test.py +++ b/tests/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, @@ -54,7 +53,10 @@ class Test_s3_account_level_public_access_blocks: == f"Block Public Access is configured for the account {AWS_ACCOUNT_NUMBER}." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws @@ -99,7 +101,10 @@ class Test_s3_account_level_public_access_blocks: == f"Block Public Access is not configured for the account {AWS_ACCOUNT_NUMBER}." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws diff --git a/tests/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access_test.py b/tests/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access_test.py index 9246b5f7..1e0b5919 100644 --- a/tests/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access_test.py +++ b/tests/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access_test.py 
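Review bot: `f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account"` is not an ARN S3 defines — bucket ARNs carry empty region and account fields, and the account-level Public Access Block configuration has no ARN at all — so the value the test now pins is a synthetic resource key. That is acceptable for deduplication, but anything that matches findings by ARN (mutelist entries written against the previous root ARN, Security Hub resource identifiers) will stop matching after this change; calling these account-scoped ARNs Prowler-internal in the changelog and on the service template would make the migration explicit. The assertions also hard-code `arn:aws:` although the template is partition-driven, so a non-default partition is never tested.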
@@ -5,7 +5,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, @@ -85,7 +84,10 @@ class Test_s3_bucket_public_access: == "All S3 public access blocked at account level." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws @@ -135,7 +137,10 @@ class Test_s3_bucket_public_access: == "All S3 public access blocked at account level." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws diff --git a/tests/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl_test.py b/tests/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl_test.py index 25f635f1..314b3317 100644 --- a/tests/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl_test.py +++ b/tests/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl_test.py @@ -4,7 +4,6 @@ from boto3 import client from moto import mock_aws from tests.providers.aws.audit_info_utils import ( - AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1, set_mocked_aws_audit_info, @@ -84,7 +83,10 @@ class Test_s3_bucket_public_list_acl: == "All S3 public access blocked at account level." ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER - assert result[0].resource_arn == AWS_ACCOUNT_ARN + assert ( + result[0].resource_arn + == f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account" + ) assert result[0].region == AWS_REGION_US_EAST_1 @mock_aws 
@@ -134,7 +136,10 @@ class Test_s3_bucket_public_list_acl:
 == "All S3 public access blocked at account level."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1
 
 @mock_aws
diff --git a/tests/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl_test.py b/tests/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl_test.py
index 29a64469..5232d473 100644
--- a/tests/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl_test.py
+++ b/tests/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_US_EAST_1,
 set_mocked_aws_audit_info,
@@ -84,7 +83,10 @@ class Test_s3_bucket_public_write_acl:
 == "All S3 public access blocked at account level."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1
 
 @mock_aws
@@ -134,7 +136,10 @@ class Test_s3_bucket_public_write_acl:
 == "All S3 public access blocked at account level."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1
 
 @mock_aws
diff --git a/tests/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans_test.py b/tests/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans_test.py
index 63e2f444..e21e159f 100644
--- a/tests/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans_test.py
+++ b/tests/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans_test.py
@@ -17,10 +17,15 @@ class Test_ssmincidents_enabled_with_plans:
 def test_ssmincidents_no_replicationset(self):
 ssmincidents_client = mock.MagicMock
 ssmincidents_client.audited_account = AWS_ACCOUNT_NUMBER
+ ssmincidents_client.audited_partition = "aws"
 ssmincidents_client.audited_account_arn = (
 f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
 )
 ssmincidents_client.region = AWS_REGION_US_EAST_1
+ ssmincidents_client.replication_set_arn_template = f"arn:{ssmincidents_client.audited_partition}:ssm-incidents:{ssmincidents_client.region}:{ssmincidents_client.audited_account}:replication-set"
+ ssmincidents_client.__get_replication_set_arn_template__ = mock.MagicMock(
+ return_value=ssmincidents_client.replication_set_arn_template
+ )
 ssmincidents_client.replication_set = []
 with mock.patch(
 "prowler.providers.aws.services.ssmincidents.ssmincidents_service.SSMIncidents",
@@ -40,7 +45,10 @@ class Test_ssmincidents_enabled_with_plans:
 result[0].status_extended == "No SSM Incidents replication set exists."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ assert (
+ result[0].resource_arn
+ == f"arn:{ssmincidents_client.audited_partition}:ssm-incidents:{ssmincidents_client.region}:{ssmincidents_client.audited_account}:replication-set"
+ )
 assert result[0].region == AWS_REGION_US_EAST_1
 
 def test_ssmincidents_replicationset_not_active(self):
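Review bot: The context line `ssmincidents_client = mock.MagicMock` binds the MagicMock class, not an instance, so the attributes this hunk adds — `audited_partition`, `replication_set_arn_template`, `__get_replication_set_arn_template__` — are written onto `unittest.mock.MagicMock` itself and, as far as I can tell, persist for the rest of the test session and are visible through every MagicMock instance created afterwards. A test that forgets one of these fixtures then inherits the previous test's value instead of failing, which is exactly the kind of drift this commit's per-test copies are trying to guard against. Changing each test to `ssmincidents_client = mock.MagicMock()` isolates the fixtures; the same pattern is repeated in the three later hunks of this file and in `trustedadvisor_client = mock.MagicMock` in both Trusted Advisor test files further down.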
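Review bot: The new assertion's expected value is the same f-string over the same mock attributes that the test itself assigned to `replication_set_arn_template` a few lines earlier, so it can only fail if the check stops copying that attribute; it no longer pins the actual ARN shape (service name, region, account, `replication-set` suffix). Pinning it with a literal built from the test constants, `== f"arn:aws:ssm-incidents:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:replication-set"`, as the S3 and Trusted Advisor hunks in this diff do, keeps the expectation independent of the fixture. Hoisting that literal to a module-level `REPLICATION_SET_ARN_TEMPLATE` beside the existing `REPLICATION_SET_ARN` would also replace the four copies of the ~170-character template line added across this file's hunks, which `black` cannot wrap.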
@@ -53,6 +61,11 @@ class Test_ssmincidents_enabled_with_plans:
 ssmincidents_client.replication_set = [
 ReplicationSet(arn=REPLICATION_SET_ARN, status="CREATING")
 ]
+ ssmincidents_client.audited_partition = "aws"
+ ssmincidents_client.replication_set_arn_template = f"arn:{ssmincidents_client.audited_partition}:ssm-incidents:{ssmincidents_client.region}:{ssmincidents_client.audited_account}:replication-set"
+ ssmincidents_client.__get_replication_set_arn_template__ = mock.MagicMock(
+ return_value=ssmincidents_client.replication_set_arn_template
+ )
 with mock.patch(
 "prowler.providers.aws.services.ssmincidents.ssmincidents_service.SSMIncidents",
 new=ssmincidents_client,
@@ -85,6 +98,11 @@ class Test_ssmincidents_enabled_with_plans:
 ssmincidents_client.replication_set = [
 ReplicationSet(arn=REPLICATION_SET_ARN, status="ACTIVE")
 ]
+ ssmincidents_client.audited_partition = "aws"
+ ssmincidents_client.replication_set_arn_template = f"arn:{ssmincidents_client.audited_partition}:ssm-incidents:{ssmincidents_client.region}:{ssmincidents_client.audited_account}:replication-set"
+ ssmincidents_client.__get_replication_set_arn_template__ = mock.MagicMock(
+ return_value=ssmincidents_client.replication_set_arn_template
+ )
 ssmincidents_client.response_plans = []
 with mock.patch(
 "prowler.providers.aws.services.ssmincidents.ssmincidents_service.SSMIncidents",
@@ -123,6 +141,11 @@ class Test_ssmincidents_enabled_with_plans:
 arn=RESPONSE_PLAN_ARN, name="test", region=AWS_REGION_US_EAST_1
 )
 ]
+ ssmincidents_client.audited_partition = "aws"
+ ssmincidents_client.replication_set_arn_template = f"arn:{ssmincidents_client.audited_partition}:ssm-incidents:{ssmincidents_client.region}:{ssmincidents_client.audited_account}:replication-set"
+ ssmincidents_client.__get_replication_set_arn_template__ = mock.MagicMock(
+ return_value=ssmincidents_client.replication_set_arn_template
+ )
 with mock.patch(
 "prowler.providers.aws.services.ssmincidents.ssmincidents_service.SSMIncidents",
 new=ssmincidents_client,
diff --git a/tests/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings_test.py b/tests/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings_test.py
index 207fa246..f4b8bdd6 100644
--- a/tests/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings_test.py
+++ b/tests/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings_test.py
@@ -11,6 +11,7 @@ from tests.providers.aws.audit_info_utils import (
 )
 
 CHECK_NAME = "test-check"
+CHECK_ARN = "arn:aws:trusted-advisor:::check/test-check"
 
 
 class Test_trustedadvisor_errors_and_warnings:
@@ -20,7 +21,12 @@ class Test_trustedadvisor_errors_and_warnings:
 trustedadvisor_client.premium_support = PremiumSupport(enabled=False)
 trustedadvisor_client.audited_account = AWS_ACCOUNT_NUMBER
 trustedadvisor_client.audited_account_arn = AWS_ACCOUNT_ARN
+ trustedadvisor_client.audited_partition = "aws"
 trustedadvisor_client.region = AWS_REGION_US_EAST_1
+ trustedadvisor_client.account_arn_template = f"arn:{trustedadvisor_client.audited_partition}:trusted-advisor:{trustedadvisor_client.region}:{trustedadvisor_client.audited_account}:account"
+ trustedadvisor_client.__get_account_arn_template__ = mock.MagicMock(
+ return_value=trustedadvisor_client.account_arn_template
+ )
 with mock.patch(
 "prowler.providers.aws.services.trustedadvisor.trustedadvisor_service.TrustedAdvisor",
 trustedadvisor_client,
@@ -39,7 +45,10 @@ class Test_trustedadvisor_errors_and_warnings:
 )
 assert result[0].region == AWS_REGION_US_EAST_1
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:trusted-advisor:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account"
+ )
 
 def test_trustedadvisor_all_passed_checks(self):
 trustedadvisor_client = mock.MagicMock
@@ -51,6 +60,7 @@ class Test_trustedadvisor_errors_and_warnings:
 Check(
 id=CHECK_NAME,
 name=CHECK_NAME,
+ arn=CHECK_ARN,
 region=AWS_REGION_US_EAST_1,
 status="ok",
 )
@@ -84,6 +94,7 @@ class Test_trustedadvisor_errors_and_warnings:
 Check(
 id=CHECK_NAME,
 name=CHECK_NAME,
+ arn=CHECK_ARN,
 region=AWS_REGION_US_EAST_1,
 status="error",
 )
@@ -117,6 +128,7 @@ class Test_trustedadvisor_errors_and_warnings:
 Check(
 id=CHECK_NAME,
 name=CHECK_NAME,
+ arn=CHECK_ARN,
 region=AWS_REGION_US_EAST_1,
 status="not_available",
 )
diff --git a/tests/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed_test.py b/tests/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed_test.py
index 595dabc2..b7f2187f 100644
--- a/tests/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed_test.py
+++ b/tests/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed_test.py
@@ -17,11 +17,15 @@ class Test_trustedadvisor_premium_support_plan_subscribed:
 trustedadvisor_client.premium_support = PremiumSupport(enabled=False)
 trustedadvisor_client.audited_account = AWS_ACCOUNT_NUMBER
 trustedadvisor_client.audited_account_arn = AWS_ACCOUNT_ARN
+ trustedadvisor_client.audited_partition = "aws"
 trustedadvisor_client.region = AWS_REGION_US_EAST_1
 
 # Set verify_premium_support_plans config
 trustedadvisor_client.audit_config = {"verify_premium_support_plans": True}
-
+ trustedadvisor_client.account_arn_template = f"arn:{trustedadvisor_client.audited_partition}:trusted-advisor:{trustedadvisor_client.region}:{trustedadvisor_client.audited_account}:account"
+ trustedadvisor_client.__get_account_arn_template__ = mock.MagicMock(
+ return_value=trustedadvisor_client.account_arn_template
+ )
 with mock.patch(
 "prowler.providers.aws.services.trustedadvisor.trustedadvisor_service.TrustedAdvisor",
 trustedadvisor_client,
@@ -40,7 +44,10 @@ class Test_trustedadvisor_premium_support_plan_subscribed:
 )
 assert result[0].region == AWS_REGION_US_EAST_1
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:trusted-advisor:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account"
+ )
 
 def test_premium_support_susbcribed(self):
 trustedadvisor_client = mock.MagicMock
@@ -48,11 +55,15 @@ class Test_trustedadvisor_premium_support_plan_subscribed:
 trustedadvisor_client.premium_support = PremiumSupport(enabled=True)
 trustedadvisor_client.audited_account = AWS_ACCOUNT_NUMBER
 trustedadvisor_client.audited_account_arn = AWS_ACCOUNT_ARN
+ trustedadvisor_client.audited_partition = "aws"
 trustedadvisor_client.region = AWS_REGION_US_EAST_1
 
 # Set verify_premium_support_plans config
 trustedadvisor_client.audit_config = {"verify_premium_support_plans": True}
-
+ trustedadvisor_client.account_arn_template = f"arn:{trustedadvisor_client.audited_partition}:trusted-advisor:{trustedadvisor_client.region}:{trustedadvisor_client.audited_account}:account"
+ trustedadvisor_client.__get_account_arn_template__ = mock.MagicMock(
+ return_value=trustedadvisor_client.account_arn_template
+ )
 with mock.patch(
 "prowler.providers.aws.services.trustedadvisor.trustedadvisor_service.TrustedAdvisor",
 trustedadvisor_client,
@@ -71,4 +82,7 @@ class Test_trustedadvisor_premium_support_plan_subscribed:
 )
 assert result[0].region == AWS_REGION_US_EAST_1
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:trusted-advisor:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:account"
+ )
diff --git a/tests/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions_test.py b/tests/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions_test.py
index 4fd860f6..4e25d2fd 100644
--- a/tests/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions_test.py
+++ b/tests/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions_test.py
@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
- AWS_ACCOUNT_ARN,
 AWS_ACCOUNT_NUMBER,
 AWS_REGION_EU_WEST_1,
 AWS_REGION_US_EAST_1,
@@ -80,7 +79,10 @@ class Test_vpc_different_regions:
 result[0].status_extended == "VPCs found in more than one region."
 )
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:ec2:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:vpc"
+ )
 assert result[0].resource_tags == []
 
 @mock_aws
@@ -116,5 +118,8 @@ class Test_vpc_different_regions:
 assert result[0].region == AWS_REGION_US_EAST_1
 assert result[0].status_extended == "VPCs found only in one region."
 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == f"arn:aws:ec2:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:vpc"
+ )
 assert result[0].resource_tags == []