chore(arn): improve resource ARNs in checks (#3388)

Co-authored-by: Pepe Fagoaga <pepe@prowler.com>

docs/developer-guide/checks.md

@@ -125,7 +125,7 @@ All the checks MUST fill the `report.resource_id` and `report.resource_arn` with
     - Resource ARN -- `report.resource_arn`
         - AWS Account --> Root ARN `arn:aws:iam::123456789012:root`
         - AWS Resource --> Resource ARN
-        - Root resource --> Root ARN `arn:aws:iam::123456789012:root`
+        - Root resource --> Resource Type ARN `f"arn:{service_client.audited_partition}:<service_name>:{service_client.region}:{service_client.audited_account}:<resource_type>"`
 - GCP
     - Resource ID -- `report.resource_id`
         - GCP Resource --> Resource ID

prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py

@@ -17,7 +17,7 @@ class backup_plans_exist(Check):
             report = Check_Report_AWS(self.metadata())
             report.status = "FAIL"
             report.status_extended = "No Backup Plan exist."
-            report.resource_arn = backup_client.audited_account_arn
+            report.resource_arn = backup_client.backup_plan_arn_template
             report.resource_id = backup_client.audited_account
             report.region = backup_client.region
             findings.append(report)

prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py

@@ -10,7 +10,7 @@ class backup_reportplans_exist(Check):
             report = Check_Report_AWS(self.metadata())
             report.status = "FAIL"
             report.status_extended = "No Backup Report Plan exist."
-            report.resource_arn = backup_client.audited_account_arn
+            report.resource_arn = backup_client.report_plan_arn_template
             report.resource_id = backup_client.audited_account
             report.region = backup_client.region
             if backup_client.backup_report_plans:

prowler/providers/aws/services/backup/backup_service.py

@@ -13,6 +13,9 @@ class Backup(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.backup_plan_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:backup-plan"
+        self.report_plan_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:report-plan"
+        self.backup_vault_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:backup-vault"
         self.backup_vaults = []
         self.__threading_call__(self.__list_backup_vaults__)
         self.backup_plans = []

prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py

@@ -8,7 +8,7 @@ class backup_vaults_exist(Check):
         report = Check_Report_AWS(self.metadata())
         report.status = "FAIL"
         report.status_extended = "No Backup Vault exist."
-        report.resource_arn = backup_client.audited_account_arn
+        report.resource_arn = backup_client.backup_vault_arn_template
         report.resource_id = backup_client.audited_account
         report.region = backup_client.region
         if backup_client.backup_vaults:

prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py

@@ -32,7 +32,9 @@ class cloudtrail_multi_region_enabled(Check):
                         report.status_extended = (
                             "No CloudTrail trails enabled and logging were found."
                         )
-                        report.resource_arn = cloudtrail_client.audited_account_arn
+                        report.resource_arn = (
+                            cloudtrail_client.__get_trail_arn_template__(region)
+                        )
                         report.resource_id = cloudtrail_client.audited_account
             # If there are no trails logging it is needed to store the FAIL once all the trails have been checked
             if report.status == "FAIL":

prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py

@@ -14,7 +14,7 @@ class cloudtrail_multi_region_enabled_logging_management_events(Check):
         )
         report.region = cloudtrail_client.region
         report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = cloudtrail_client.trail_arn_template
 
         for trail in cloudtrail_client.trails:
             if trail.is_logging:

prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py

@@ -54,7 +54,7 @@ class cloudtrail_s3_dataevents_read_enabled(Check):
         ):
             report = Check_Report_AWS(self.metadata())
             report.region = cloudtrail_client.region
-            report.resource_arn = cloudtrail_client.audited_account_arn
+            report.resource_arn = cloudtrail_client.trail_arn_template
             report.resource_id = cloudtrail_client.audited_account
             report.status = "FAIL"
             report.status_extended = "No CloudTrail trails have a data event to record all S3 object-level API operations."

prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py

@@ -54,7 +54,7 @@ class cloudtrail_s3_dataevents_write_enabled(Check):
         ):
             report = Check_Report_AWS(self.metadata())
             report.region = cloudtrail_client.region
-            report.resource_arn = cloudtrail_client.audited_account_arn
+            report.resource_arn = cloudtrail_client.trail_arn_template
             report.resource_id = cloudtrail_client.audited_account
             report.status = "FAIL"
             report.status_extended = "No CloudTrail trails have a data event to record all S3 object-level API operations."

prowler/providers/aws/services/cloudtrail/cloudtrail_service.py

@@ -14,6 +14,7 @@ class Cloudtrail(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.trail_arn_template = f"arn:{self.audited_partition}:cloudtrail:{self.region}:{self.audited_account}:trail"
         self.trails = []
         self.__threading_call__(self.__get_trails__)
         self.__get_trail_status__()
@@ -21,6 +22,13 @@ class Cloudtrail(AWSService):
         self.__get_event_selectors__()
         self.__list_tags_for_resource__()
 
+    def __get_trail_arn_template__(self, region):
+        return (
+            f"arn:{self.audited_partition}:cloudtrail:{region}:{self.audited_account}:trail"
+            if region
+            else f"arn:{self.audited_partition}:cloudtrail:{self.region}:{self.audited_account}:trail"
+        )
+
     def __get_trails__(self, regional_client):
         logger.info("Cloudtrail - Getting trails...")
         try:

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py

@@ -20,9 +20,9 @@ class cloudwatch_changes_to_network_acls_alarm_configured(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py

@@ -20,9 +20,9 @@ class cloudwatch_changes_to_network_gateways_alarm_configured(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py

@@ -20,9 +20,9 @@ class cloudwatch_changes_to_network_route_tables_alarm_configured(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py

@@ -20,9 +20,9 @@ class cloudwatch_changes_to_vpcs_alarm_configured(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py

@@ -8,7 +8,7 @@ class cloudwatch_cross_account_sharing_disabled(Check):
         report = Check_Report_AWS(self.metadata())
         report.status = "PASS"
         report.status_extended = "CloudWatch doesn't allow cross-account sharing."
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.role_arn_template
         report.resource_id = iam_client.audited_account
         report.region = iam_client.region
         for role in iam_client.roles:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py

@@ -22,9 +22,9 @@ class cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_change
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py

@@ -22,9 +22,9 @@ class cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_change
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_authentication_failures(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_aws_organizations_changes(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk(Chec
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_for_s3_bucket_policy_changes(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
 
         report = check_cloudwatch_log_metric_filter(
             pattern,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_policy_changes(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_root_usage(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_security_group_changes(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_sign_in_without_mfa(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py

@@ -20,9 +20,9 @@ class cloudwatch_log_metric_filter_unauthorized_api_calls(Check):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
+        report.region = logs_client.region
-        report.resource_id = cloudtrail_client.audited_account
+        report.resource_id = logs_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_service.py

@@ -67,6 +67,7 @@ class Logs(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.log_group_arn_template = f"arn:{self.audited_partition}:logs:{self.region}:{self.audited_account}:log-group"
         self.metric_filters = []
         self.log_groups = []
         self.__threading_call__(self.__describe_metric_filters__)

prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py

@@ -8,9 +8,9 @@ class config_recorder_all_regions_enabled(Check):
         for recorder in config_client.recorders:
             report = Check_Report_AWS(self.metadata())
             report.region = recorder.region
-            report.resource_arn = (
+            report.resource_arn = config_client.__get_recorder_arn_template__(
-                config_client.audited_account_arn
+                recorder.region
-            )  # Config Recorders do not have ARNs
+            )
             report.resource_id = (
                 config_client.audited_account if not recorder.name else recorder.name
             )

prowler/providers/aws/services/config/config_service.py

@@ -15,6 +15,9 @@ class Config(AWSService):
         self.recorders = []
         self.__threading_call__(self.__describe_configuration_recorder_status__)
 
+    def __get_recorder_arn_template__(self, region):
+        return f"arn:{self.audited_partition}:config:{region}:{self.audited_account}:recorder"
+
     def __describe_configuration_recorder_status__(self, regional_client):
         logger.info("Config - Listing Recorders...")
         try:

prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py

@@ -16,7 +16,9 @@ class dlm_ebs_snapshot_lifecycle_policy_exists(Check):
                 report.status_extended = "No EBS Snapshot lifecycle policies found."
                 report.region = region
                 report.resource_id = dlm_client.audited_account
-                report.resource_arn = dlm_client.audited_account_arn
+                report.resource_arn = dlm_client.__get_lifecycle_policy_arn_template__(
+                    region
+                )
                 if dlm_client.lifecycle_policies[region]:
                     report.status = "PASS"
                     report.status_extended = "EBS snapshot lifecycle policies found."

prowler/providers/aws/services/dlm/dlm_service.py

@@ -9,9 +9,15 @@ class DLM(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.lifecycle_policy_arn_template = f"arn:{self.audited_partition}:dlm:{self.region}:{self.audited_account}:policy"
         self.lifecycle_policies = {}
         self.__threading_call__(self.__get_lifecycle_policies__)
 
+    def __get_lifecycle_policy_arn_template__(self, region):
+        return (
+            f"arn:{self.audited_partition}:dlm:{region}:{self.audited_account}:policy"
+        )
+
     def __get_lifecycle_policies__(self, regional_client):
         logger.info("DLM - Getting EBS Snapshots Lifecycle Policies...")
         try:

prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py

@@ -11,7 +11,9 @@ class drs_job_exist(Check):
             report.status_extended = "DRS is not enabled for this region."
             report.region = drs.region
             report.resource_tags = []
-            report.resource_arn = drs_client.audited_account_arn
+            report.resource_arn = drs_client.__get_recovery_job_arn_template__(
+                drs.region
+            )
             report.resource_id = drs_client.audited_account
             if drs.status == "ENABLED":
                 report.status_extended = "DRS is enabled for this region without jobs."

prowler/providers/aws/services/drs/drs_service.py

@@ -11,9 +11,13 @@ class DRS(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.recovery_job_arn_template = f"arn:{self.audited_partition}:drs:{self.region}:{self.audited_account}:recovery-job"
         self.drs_services = []
         self.__threading_call__(self.__describe_jobs__)
 
+    def __get_recovery_job_arn_template__(self, region):
+        return f"arn:{self.audited_partition}:drs:{region}:{self.audited_account}:recovery-job"
+
     def __describe_jobs__(self, regional_client):
         logger.info("DRS - Describe Jobs...")
         try:

prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py

@@ -8,7 +8,9 @@ class ec2_ebs_default_encryption(Check):
         for ebs_encryption in ec2_client.ebs_encryption_by_default:
             report = Check_Report_AWS(self.metadata())
             report.region = ebs_encryption.region
-            report.resource_arn = ec2_client.audited_account_arn
+            report.resource_arn = ec2_client.__get_volume_arn_template__(
+                ebs_encryption.region
+            )
             report.resource_id = ec2_client.audited_account
             if ebs_encryption.status:
                 report.status = "PASS"

prowler/providers/aws/services/ec2/ec2_service.py

@@ -15,6 +15,7 @@ class EC2(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.volume_arn_template = f"arn:{self.audited_partition}:ec2:{self.region}:{self.audited_account}:volume"
         self.instances = []
         self.__threading_call__(self.__describe_instances__)
         self.__threading_call__(self.__get_instance_user_data__, self.instances)
@@ -40,6 +41,11 @@ class EC2(AWSService):
         self.elastic_ips = []
         self.__threading_call__(self.__describe_ec2_addresses__)
 
+    def __get_volume_arn_template__(self, region):
+        return (
+            f"arn:{self.audited_partition}:ec2:{region}:{self.audited_account}:volume"
+        )
+
     def __describe_instances__(self, regional_client):
         try:
             describe_instances_paginator = regional_client.get_paginator(

prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py

@@ -9,7 +9,7 @@ class emr_cluster_account_public_block_enabled(Check):
             report = Check_Report_AWS(self.metadata())
             report.region = region
             report.resource_id = emr_client.audited_account
-            report.resource_arn = emr_client.audited_account_arn
+            report.resource_arn = emr_client.__get_cluster_arn_template__(region)
             if emr_client.block_public_access_configuration[
                 region
             ].block_public_security_group_rules:

prowler/providers/aws/services/emr/emr_service.py

@@ -14,12 +14,16 @@ class EMR(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.cluster_arn_template = f"arn:{self.audited_partition}:elasticmapreduce:{self.region}:{self.audited_account}:cluster"
         self.clusters = {}
         self.block_public_access_configuration = {}
         self.__threading_call__(self.__list_clusters__)
         self.__threading_call__(self.__describe_cluster__)
         self.__threading_call__(self.__get_block_public_access_configuration__)
 
+    def __get_cluster_arn_template__(self, region):
+        return f"arn:{self.audited_partition}:elasticmapreduce:{region}:{self.audited_account}:cluster"
+
     def __list_clusters__(self, regional_client):
         logger.info("EMR - Listing Clusters...")
         try:

prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py

@@ -7,7 +7,7 @@ class fms_policy_compliant(Check):
         findings = []
         if fms_client.fms_admin_account:
             report = Check_Report_AWS(self.metadata())
-            report.resource_arn = fms_client.audited_account_arn
+            report.resource_arn = fms_client.policy_arn_template
             report.resource_id = fms_client.audited_account
             report.region = fms_client.region
             report.status = "PASS"

prowler/providers/aws/services/fms/fms_service.py

@@ -11,6 +11,7 @@ class FMS(AWSService):
     def __init__(self, audit_info):
         # # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info, global_service=True)
+        self.policy_arn_template = f"arn:{self.audited_partition}:fms:{self.region}:{self.audited_account}:policy"
         self.fms_admin_account = True
         self.fms_policies = []
         self.__list_policies__()

prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py

@@ -10,7 +10,9 @@ class glue_data_catalogs_connection_passwords_encryption_enabled(Check):
             if encryption.tables or not glue_client.audit_info.ignore_unused_services:
                 report = Check_Report_AWS(self.metadata())
                 report.resource_id = glue_client.audited_account
-                report.resource_arn = glue_client.audited_account_arn
+                report.resource_arn = glue_client.__get_data_catalog_arn_template__(
+                    encryption.region
+                )
                 report.region = encryption.region
                 report.status = "FAIL"
                 report.status_extended = (

prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py

@@ -10,7 +10,9 @@ class glue_data_catalogs_metadata_encryption_enabled(Check):
             if encryption.tables or not glue_client.audit_info.ignore_unused_services:
                 report = Check_Report_AWS(self.metadata())
                 report.resource_id = glue_client.audited_account
-                report.resource_arn = glue_client.audited_account_arn
+                report.resource_arn = glue_client.__get_data_catalog_arn_template__(
+                    encryption.region
+                )
                 report.region = encryption.region
                 report.status = "FAIL"
                 report.status_extended = (

prowler/providers/aws/services/glue/glue_service.py

@@ -25,6 +25,9 @@ class Glue(AWSService):
         self.jobs = []
         self.__threading_call__(self.__get_jobs__)
 
+    def __get_data_catalog_arn_template__(self, region):
+        return f"arn:{self.audited_partition}:glue:{region}:{self.audited_account}:data-catalog"
+
     def __get_connections__(self, regional_client):
         logger.info("Glue - Getting connections...")
         try:

prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py

@@ -7,7 +7,7 @@ class iam_password_policy_expires_passwords_within_90_days_or_less(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.password_policy_arn_template
         report.resource_id = iam_client.audited_account
         # Check if password policy exists
         if iam_client.password_policy:

prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py

@@ -7,7 +7,7 @@ class iam_password_policy_lowercase(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.password_policy_arn_template
         report.resource_id = iam_client.audited_account
         # Check if password policy exists
         if iam_client.password_policy:

prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py

@@ -7,7 +7,7 @@ class iam_password_policy_minimum_length_14(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.password_policy_arn_template
         report.resource_id = iam_client.audited_account
         # Check if password policy exists
         if iam_client.password_policy:

prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py

@@ -7,7 +7,7 @@ class iam_password_policy_number(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.password_policy_arn_template
         report.resource_id = iam_client.audited_account
         # Check if password policy exists
         if iam_client.password_policy:

prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py

@@ -7,7 +7,7 @@ class iam_password_policy_reuse_24(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.password_policy_arn_template
         report.resource_id = iam_client.audited_account
         # Check if password policy exists
         if iam_client.password_policy:

prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py

@@ -7,7 +7,7 @@ class iam_password_policy_symbol(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.password_policy_arn_template
         report.resource_id = iam_client.audited_account
         # Check if password policy exists
         if iam_client.password_policy:

prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py

@@ -7,7 +7,7 @@ class iam_password_policy_uppercase(Check):
         findings = []
         report = Check_Report_AWS(self.metadata())
         report.region = iam_client.region
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.password_policy_arn_template
         report.resource_id = iam_client.audited_account
         # Check if password policy exists
         if iam_client.password_policy:

prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py

@@ -12,7 +12,7 @@ class iam_root_hardware_mfa_enabled(Check):
                 report = Check_Report_AWS(self.metadata())
                 report.region = iam_client.region
                 report.resource_id = "<root_account>"
-                report.resource_arn = iam_client.audited_account_arn
+                report.resource_arn = iam_client.mfa_arn_template
 
                 if iam_client.account_summary["SummaryMap"]["AccountMFAEnabled"] > 0:
                     virtual_mfas = iam_client.virtual_mfa_devices

prowler/providers/aws/services/iam/iam_service.py

@@ -51,6 +51,11 @@ class IAM(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.role_arn_template = f"arn:{self.audited_partition}:iam:{self.region}:{self.audited_account}:role"
+        self.password_policy_arn_template = f"arn:{self.audited_partition}:iam:{self.region}:{self.audited_account}:password-policy"
+        self.mfa_arn_template = (
+            f"arn:{self.audited_partition}:iam:{self.region}:{self.audited_account}:mfa"
+        )
         self.users = self.__get_users__()
         self.roles = self.__get_roles__()
         self.account_summary = self.__get_account_summary__()

prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py

@@ -9,7 +9,9 @@ class macie_is_enabled(Check):
         for session in macie_client.sessions:
             report = Check_Report_AWS(self.metadata())
             report.region = session.region
-            report.resource_arn = macie_client.audited_account_arn
+            report.resource_arn = macie_client.__get_session_arn_template__(
+                session.region
+            )
             report.resource_id = macie_client.audited_account
             if session.status == "ENABLED":
                 report.status = "PASS"

prowler/providers/aws/services/macie/macie_service.py

@@ -12,6 +12,9 @@ class Macie(AWSService):
         self.sessions = []
         self.__threading_call__(self.__get_macie_session__)
 
+    def __get_session_arn_template__(self, region):
+        return f"arn:{self.audited_partition}:macie:{region}:{self.audited_account}:session"
+
     def __get_macie_session__(self, regional_client):
         logger.info("Macie - Get Macie Session...")
         try:

prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py

@@ -13,7 +13,7 @@ class resourceexplorer2_indexes_found(Check):
         report.region = resource_explorer_2_client.region
         report.resource_arn = "NoResourceExplorer"
         report.resource_id = resource_explorer_2_client.audited_account
-        report.resource_arn = resource_explorer_2_client.audited_account_arn
+        report.resource_arn = resource_explorer_2_client.index_arn_template
         if resource_explorer_2_client.indexes:
             report.region = resource_explorer_2_client.indexes[0].region
             report.resource_arn = resource_explorer_2_client.indexes[0].arn

prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_service.py

@@ -10,6 +10,7 @@ class ResourceExplorer2(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__("resource-explorer-2", audit_info)
+        self.index_arn_template = f"arn:{self.audited_partition}:resource-explorer:{self.region}:{self.audited_account}:index"
         self.indexes = []
         self.__threading_call__(self.__list_indexes__)
 

prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py

@@ -16,14 +16,14 @@ class s3_account_level_public_access_blocks(Check):
             report.status_extended = f"Block Public Access is configured for the account {s3control_client.audited_account}."
             report.region = s3control_client.region
             report.resource_id = s3control_client.audited_account
-            report.resource_arn = s3control_client.audited_account_arn
+            report.resource_arn = s3_client.account_arn_template
             findings.append(report)
         elif s3_client.buckets or not s3_client.audit_info.ignore_unused_services:
             report.status = "FAIL"
             report.status_extended = f"Block Public Access is not configured for the account {s3control_client.audited_account}."
             report.region = s3control_client.region
             report.resource_id = s3control_client.audited_account
-            report.resource_arn = s3control_client.audited_account_arn
+            report.resource_arn = s3_client.account_arn_template
             findings.append(report)
 
         return findings

prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py

@@ -17,7 +17,7 @@ class s3_bucket_public_access(Check):
             report.status_extended = "All S3 public access blocked at account level."
             report.region = s3control_client.region
             report.resource_id = s3_client.audited_account
-            report.resource_arn = s3_client.audited_account_arn
+            report.resource_arn = s3_client.account_arn_template
             findings.append(report)
         else:
             # 2. If public access is not blocked at account level, check it at each bucket level

prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py

@@ -17,7 +17,7 @@ class s3_bucket_public_list_acl(Check):
             report.status_extended = "All S3 public access blocked at account level."
             report.region = s3control_client.region
             report.resource_id = s3_client.audited_account
-            report.resource_arn = s3_client.audited_account_arn
+            report.resource_arn = s3_client.account_arn_template
             findings.append(report)
         else:
             # 2. If public access is not blocked at account level, check it at each bucket level

prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py

@@ -17,7 +17,7 @@ class s3_bucket_public_write_acl(Check):
             report.status_extended = "All S3 public access blocked at account level."
             report.region = s3control_client.region
             report.resource_id = s3_client.audited_account
-            report.resource_arn = s3_client.audited_account_arn
+            report.resource_arn = s3_client.account_arn_template
             findings.append(report)
         else:
             # 2. If public access is not blocked at account level, check it at each bucket level

prowler/providers/aws/services/s3/s3_service.py

@@ -15,6 +15,7 @@ class S3(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.account_arn_template = f"arn:{self.audited_partition}:s3:{self.region}:{self.audited_account}:account"
         self.regions_with_buckets = []
         self.buckets = self.__list_buckets__(audit_info)
         self.__threading_call__(self.__get_bucket_versioning__)

prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py

@@ -10,7 +10,7 @@ class ssmincidents_enabled_with_plans(Check):
         report = Check_Report_AWS(self.metadata())
         report.status = "FAIL"
         report.status_extended = "No SSM Incidents replication set exists."
-        report.resource_arn = ssmincidents_client.audited_account_arn
+        report.resource_arn = ssmincidents_client.replication_set_arn_template
         report.resource_id = ssmincidents_client.audited_account
         report.region = ssmincidents_client.region
         if ssmincidents_client.replication_set:

prowler/providers/aws/services/ssmincidents/ssmincidents_service.py

@@ -17,6 +17,7 @@ class SSMIncidents(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__("ssm-incidents", audit_info)
+        self.replication_set_arn_template = f"arn:{self.audited_partition}:ssm-incidents:{self.region}:{self.audited_account}:replication-set"
         self.replication_set = []
         self.__list_replication_sets__()
         self.__get_replication_set__()

prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py

@@ -16,6 +16,7 @@ class trustedadvisor_errors_and_warnings(Check):
                         report = Check_Report_AWS(self.metadata())
                         report.region = check.region
                         report.resource_id = check.id
+                        report.resource_arn = check.arn
                         report.status = "FAIL"
                         report.status_extended = f"Trusted Advisor check {check.name} is in state {check.status}."
                         if check.status == "ok":
@@ -26,7 +27,7 @@ class trustedadvisor_errors_and_warnings(Check):
             report.status = "INFO"
             report.status_extended = "Amazon Web Services Premium Support Subscription is required to use this service."
             report.resource_id = trustedadvisor_client.audited_account
-            report.resource_arn = trustedadvisor_client.audited_account_arn
+            report.resource_arn = trustedadvisor_client.account_arn_template
             report.region = trustedadvisor_client.region
             findings.append(report)
 

prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py

@@ -15,7 +15,7 @@ class trustedadvisor_premium_support_plan_subscribed(Check):
             )
             report.region = trustedadvisor_client.region
             report.resource_id = trustedadvisor_client.audited_account
-            report.resource_arn = trustedadvisor_client.audited_account_arn
+            report.resource_arn = trustedadvisor_client.account_arn_template
             if trustedadvisor_client.premium_support.enabled:
                 report.status = "PASS"
                 report.status_extended = (

prowler/providers/aws/services/trustedadvisor/trustedadvisor_service.py

@@ -12,6 +12,7 @@ class TrustedAdvisor(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__("support", audit_info)
+        self.account_arn_template = f"arn:{self.audited_partition}:trusted-advisor:{self.region}:{self.audited_account}:account"
         self.checks = []
         self.premium_support = PremiumSupport(enabled=False)
         # Support API is not available in China Partition
@@ -37,10 +38,12 @@ class TrustedAdvisor(AWSService):
             for check in self.client.describe_trusted_advisor_checks(language="en").get(
                 "checks", []
             ):
+                check_arn = f"arn:{self.audited_partition}:trusted-advisor:{self.client.region}:{self.audited_account}:check/{check['id']}"
                 self.checks.append(
                     Check(
                         id=check["id"],
                         name=check["name"],
+                        arn=check_arn,
                         region=self.client.region,
                     )
                 )
@@ -117,6 +120,7 @@ class TrustedAdvisor(AWSService):
 class Check(BaseModel):
     id: str
     name: str
+    arn: str
     status: Optional[str]
     region: str
 

prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py

@@ -14,7 +14,7 @@ class vpc_different_regions(Check):
             report = Check_Report_AWS(self.metadata())
             report.region = vpc_client.region
             report.resource_id = vpc_client.audited_account
-            report.resource_arn = vpc_client.audited_account_arn
+            report.resource_arn = vpc_client.vpc_arn_template
 
             report.status = "FAIL"
             report.status_extended = "VPCs found only in one region."

prowler/providers/aws/services/vpc/vpc_service.py

@@ -14,6 +14,9 @@ class VPC(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__("ec2", audit_info)
+        self.vpc_arn_template = (
+            f"arn:{self.audited_partition}:ec2:{self.region}:{self.audited_account}:vpc"
+        )
         self.vpcs = {}
         self.vpc_peering_connections = []
         self.vpc_endpoints = []

tests/providers/aws/services/backup/backup_plans_exist/backup_plans_exist_test.py

@@ -13,7 +13,12 @@ class Test_backup_plans_exist:
         backup_client = mock.MagicMock
         backup_client.audited_account = AWS_ACCOUNT_NUMBER
         backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        backup_client.audited_partition = "aws"
         backup_client.region = AWS_REGION
+        backup_client.backup_plan_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:backup-plan"
+        backup_client.__get_backup_plan_arn_template__ = mock.MagicMock(
+            return_value=backup_client.backup_plan_arn_template
+        )
         backup_client.backup_plans = []
         backup_client.backup_vaults = ["vault"]
         with mock.patch(
@@ -32,7 +37,10 @@ class Test_backup_plans_exist:
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Plan exist."
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:backup-plan"
+            )
             assert result[0].region == AWS_REGION
 
     def test_no_backup_plans_not_vaults(self):

tests/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist_test.py

@@ -35,6 +35,11 @@ class Test_backup_reportplans_exist:
         backup_client.audited_account = AWS_ACCOUNT_NUMBER
         backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
+        backup_client.audited_partition = "aws"
+        backup_client.report_plan_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:report-plan"
+        backup_client.__get_report_plan_arn_template__ = mock.MagicMock(
+            return_value=backup_client.report_plan_arn_template
+        )
         backup_plan_id = str(uuid4()).upper()
         backup_plan_arn = (
             f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:plan:{backup_plan_id}"
@@ -67,7 +72,10 @@ class Test_backup_reportplans_exist:
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Report Plan exist."
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:report-plan"
+            )
             assert result[0].region == AWS_REGION
 
     def test_one_backup_report_plan(self):
@@ -75,6 +83,11 @@ class Test_backup_reportplans_exist:
         backup_client.audited_account = AWS_ACCOUNT_NUMBER
         backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
+        backup_client.audited_partition = "aws"
+        backup_client.report_plan_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:report-plan"
+        backup_client.__get_report_plan_arn_template__ = mock.MagicMock(
+            return_value=backup_client.report_plan_arn_template
+        )
         backup_plan_id = str(uuid4()).upper()
         backup_plan_arn = (
             f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:plan:{backup_plan_id}"

tests/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist_test.py

@@ -12,6 +12,11 @@ class Test_backup_vaults_exist:
         backup_client.audited_account = AWS_ACCOUNT_NUMBER
         backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
+        backup_client.audited_partition = "aws"
+        backup_client.backup_vault_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:backup-vault"
+        backup_client.__get_backup_vault_arn_template__ = mock.MagicMock(
+            return_value=backup_client.backup_vault_arn_template
+        )
         backup_client.backup_vaults = []
         with mock.patch(
             "prowler.providers.aws.services.backup.backup_service.Backup",
@@ -29,7 +34,10 @@ class Test_backup_vaults_exist:
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "No Backup Vault exist."
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:backup-vault"
+            )
             assert result[0].region == AWS_REGION
 
     def test_one_backup_vault(self):
@@ -37,6 +45,11 @@ class Test_backup_vaults_exist:
         backup_client.audited_account = AWS_ACCOUNT_NUMBER
         backup_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         backup_client.region = AWS_REGION
+        backup_client.audited_partition = "aws"
+        backup_client.backup_vault_arn_template = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:backup-vault"
+        backup_client.__get_backup_vault_arn_template__ = mock.MagicMock(
+            return_value=backup_client.backup_vault_arn_template
+        )
         backup_vault_arn = f"arn:aws:backup:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:backup-vault:MyBackupVault"
         backup_client.backup_vaults = [
             BackupVault(

tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_test.py

@@ -49,7 +49,7 @@ class Test_cloudtrail_multi_region_enabled:
                         assert report.resource_id == AWS_ACCOUNT_NUMBER
                         assert (
                             report.resource_arn
-                            == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+                            == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
                         )
                         assert report.resource_tags == []
                     elif report.region == AWS_REGION_EU_WEST_1:
@@ -61,7 +61,7 @@ class Test_cloudtrail_multi_region_enabled:
                         assert report.resource_id == AWS_ACCOUNT_NUMBER
                         assert (
                             report.resource_arn
-                            == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+                            == f"arn:aws:cloudtrail:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:trail"
                         )
                         assert report.resource_tags == []
 
@@ -125,7 +125,7 @@ class Test_cloudtrail_multi_region_enabled:
                         assert report.resource_id == AWS_ACCOUNT_NUMBER
                         assert (
                             report.resource_arn
-                            == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+                            == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
                         )
                         assert report.resource_tags == []
                     elif report.region == AWS_REGION_EU_WEST_1:
@@ -137,7 +137,7 @@ class Test_cloudtrail_multi_region_enabled:
                         assert report.resource_id == AWS_ACCOUNT_NUMBER
                         assert (
                             report.resource_arn
-                            == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+                            == f"arn:aws:cloudtrail:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:trail"
                         )
                         assert report.resource_tags == []
 
@@ -213,7 +213,7 @@ class Test_cloudtrail_multi_region_enabled:
                         assert report.resource_id == AWS_ACCOUNT_NUMBER
                         assert (
                             report.resource_arn
-                            == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+                            == f"arn:aws:cloudtrail:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:trail"
                         )
                         assert report.resource_tags == []
                         assert report.region == AWS_REGION_EU_WEST_1

tests/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_US_EAST_1,
     set_mocked_aws_audit_info,
@@ -37,7 +36,10 @@ class Test_cloudtrail_multi_region_enabled_logging_management_events:
                 result = check.execute()
                 assert len(result) == 1
                 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-                assert result[0].resource_arn == AWS_ACCOUNT_ARN
+                assert (
+                    result[0].resource_arn
+                    == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+                )
                 assert result[0].region == AWS_REGION_US_EAST_1
                 assert result[0].status == "FAIL"
                 assert (
@@ -149,7 +151,10 @@ class Test_cloudtrail_multi_region_enabled_logging_management_events:
                 check = cloudtrail_multi_region_enabled_logging_management_events()
                 result = check.execute()
                 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-                assert result[0].resource_arn == AWS_ACCOUNT_ARN
+                assert (
+                    result[0].resource_arn
+                    == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+                )
                 assert result[0].region == AWS_REGION_US_EAST_1
                 assert result[0].status == "FAIL"
                 assert (
@@ -258,7 +263,10 @@ class Test_cloudtrail_multi_region_enabled_logging_management_events:
                 check = cloudtrail_multi_region_enabled_logging_management_events()
                 result = check.execute()
                 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-                assert result[0].resource_arn == AWS_ACCOUNT_ARN
+                assert (
+                    result[0].resource_arn
+                    == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+                )
                 assert result[0].region == AWS_REGION_US_EAST_1
                 assert result[0].status == "FAIL"
                 assert (

tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py

@@ -56,7 +56,10 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
                 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+            )
             assert result[0].resource_tags == []
             assert result[0].region == AWS_REGION_US_EAST_1
 
@@ -129,7 +132,10 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
                 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+            )
             assert result[0].resource_tags == []
             assert result[0].region == AWS_REGION_US_EAST_1
 
@@ -190,7 +196,10 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
                 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+            )
             assert result[0].resource_tags == []
             assert result[0].region == AWS_REGION_US_EAST_1
 

tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py

@@ -56,7 +56,10 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
                 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+            )
             assert result[0].resource_tags == []
             assert result[0].region == AWS_REGION_US_EAST_1
 
@@ -117,7 +120,10 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
                 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+            )
             assert result[0].resource_tags == []
             assert result[0].region == AWS_REGION_US_EAST_1
 
@@ -189,7 +195,10 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
                 == "No CloudTrail trails have a data event to record all S3 object-level API operations."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:cloudtrail:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:trail"
+            )
             assert result[0].resource_tags == []
             assert result[0].region == AWS_REGION_US_EAST_1
 

tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_changes_to_network_acls_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_changes_to_network_acls_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_changes_to_network_acls_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_changes_to_network_gateways_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_changes_to_network_gateways_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_changes_to_network_gateways_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_changes_to_network_route_tables_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_changes_to_network_route_tables_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_changes_to_network_route_tables_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_changes_to_vpcs_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_changes_to_vpcs_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_changes_to_vpcs_alarm_configured:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -67,7 +66,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_c
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -129,7 +131,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_c
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -197,7 +202,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_c
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -67,7 +66,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_c
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -129,7 +131,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_c
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -197,7 +202,10 @@ class Test_cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_c
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_authentication_failures:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_authentication_failures:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_authentication_failures:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_aws_organizations_changes:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_aws_organizations_changes:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_aws_organizations_changes:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -67,7 +66,10 @@ class Test_cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -129,7 +131,10 @@ class Test_cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -197,7 +202,10 @@ class Test_cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_for_s3_bucket_policy_changes:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_for_s3_bucket_policy_changes:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_for_s3_bucket_policy_changes:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_root_usage:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_root_usage:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_root_usage:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,11 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +128,11 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +198,11 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_sign_in_without_mfa:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_sign_in_without_mfa:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_sign_in_without_mfa:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_WEST_1,
     AWS_REGION_US_EAST_1,
@@ -65,7 +64,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -125,7 +127,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws
@@ -191,7 +196,10 @@ class Test_cloudwatch_log_metric_filter_unauthorized_api_calls:
                 == "No CloudWatch log groups found with metric filters or alarms associated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:logs:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:log-group"
+            )
             assert result[0].region == AWS_REGION_EU_WEST_1
 
     @mock_aws

tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py

@@ -4,7 +4,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_EU_SOUTH_2,
     AWS_REGION_EU_WEST_1,
@@ -35,18 +34,33 @@ class Test_config_recorder_all_regions_enabled:
             )
 
             check = config_recorder_all_regions_enabled()
-            result = check.execute()
+            results = check.execute()
 
+            assert len(results) == 2
+            for result in results:
+                if result.region == AWS_REGION_EU_WEST_1:
+
+                    assert result.status == "FAIL"
                     assert (
-                len(result) == 2
+                        result.status_extended
-            )  # One fail result per region, since there are no recorders
-            assert result[0].status == "FAIL"
-            assert (
-                result[0].status_extended
                         == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled."
                     )
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+                    assert (
-            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+                        result.resource_arn
+                        == f"arn:aws:config:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:recorder"
+                    )
+                    assert result.resource_id == AWS_ACCOUNT_NUMBER
+                if result.region == AWS_REGION_EU_WEST_1:
+                    assert result.status == "FAIL"
+                    assert (
+                        result.status_extended
+                        == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled."
+                    )
+                    assert (
+                        result.resource_arn
+                        == f"arn:aws:config:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:recorder"
+                    )
+                    assert result.resource_id == AWS_ACCOUNT_NUMBER
 
     @mock_aws
     def test_config_one_recoder_disabled(self):
@@ -84,7 +98,10 @@ class Test_config_recorder_all_regions_enabled:
                         == "AWS Config recorder default is disabled."
                     )
                     assert recorder.resource_id == "default"
-                    assert recorder.resource_arn == AWS_ACCOUNT_ARN
+                    assert (
+                        recorder.resource_arn
+                        == f"arn:aws:config:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:recorder"
+                    )
                     assert recorder.region == AWS_REGION_US_EAST_1
 
     @mock_aws
@@ -128,7 +145,10 @@ class Test_config_recorder_all_regions_enabled:
                         == "AWS Config recorder default is enabled."
                     )
                     assert recorder.resource_id == "default"
-                    assert recorder.resource_arn == AWS_ACCOUNT_ARN
+                    assert (
+                        recorder.resource_arn
+                        == f"arn:aws:config:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:recorder"
+                    )
                     assert recorder.region == AWS_REGION_US_EAST_1
 
     @mock_aws
@@ -171,7 +191,10 @@ class Test_config_recorder_all_regions_enabled:
                         == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled."
                     )
                     assert recorder.resource_id == AWS_ACCOUNT_NUMBER
-                    assert recorder.resource_arn == AWS_ACCOUNT_ARN
+                    assert (
+                        recorder.resource_arn
+                        == f"arn:aws:config:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:recorder"
+                    )
                     assert recorder.region == AWS_REGION_US_EAST_1
                 else:
                     assert recorder.status == "FAIL"
@@ -180,5 +203,8 @@ class Test_config_recorder_all_regions_enabled:
                         == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled."
                     )
                     assert recorder.resource_id == AWS_ACCOUNT_NUMBER
-                    assert recorder.resource_arn == AWS_ACCOUNT_ARN
+                    assert (
-                    assert recorder.region == "eu-south-2"
+                        recorder.resource_arn
+                        == f"arn:aws:config:{AWS_REGION_EU_SOUTH_2}:{AWS_ACCOUNT_NUMBER}:recorder"
+                    )
+                    assert recorder.region == AWS_REGION_EU_SOUTH_2

tests/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists_test.py

@@ -75,6 +75,8 @@ class Test_dlm_ebs_snapshot_lifecycle_policy_exists:
         dlm_client = mock.MagicMock
         dlm_client.audited_account = AWS_ACCOUNT_NUMBER
         dlm_client.audited_account_arn = AWS_ACCOUNT_ARN
+        dlm_client.region = AWS_REGION_US_EAST_1
+        dlm_client.audited_partition = "aws"
         dlm_client.lifecycle_policies = {
             AWS_REGION_US_EAST_1: {
                 LIFECYCLE_POLICY_ID: LifecyclePolicy(
@@ -85,7 +87,10 @@ class Test_dlm_ebs_snapshot_lifecycle_policy_exists:
                 )
             }
         }
-
+        dlm_client.lifecycle_policy_arn_template = f"arn:{dlm_client.audited_partition}:dlm:{dlm_client.region}:{dlm_client.audited_account}:policy"
+        dlm_client.__get_lifecycle_policy_arn_template__ = mock.MagicMock(
+            return_value=dlm_client.lifecycle_policy_arn_template
+        )
         audit_info = set_mocked_aws_audit_info([AWS_REGION_US_EAST_1])
 
         from prowler.providers.aws.services.ec2.ec2_service import EC2
@@ -111,7 +116,10 @@ class Test_dlm_ebs_snapshot_lifecycle_policy_exists:
             assert result[0].status_extended == "EBS snapshot lifecycle policies found."
             assert result[0].region == AWS_REGION_US_EAST_1
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:dlm:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy"
+            )
 
     @mock_aws
     def test_one_ebs_snapshot_and_no_dlm_lifecycle_policy(self):

tests/providers/aws/services/drs/drs_job_exist/drs_job_exist_test.py

@@ -13,6 +13,7 @@ class Test_drs_job_exist:
         drs_client.audited_account = AWS_ACCOUNT_NUMBER
         drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         drs_client.region = AWS_REGION
+        drs_client.audited_partition = "aws"
         drs_client.drs_services = [
             DRSservice(
                 id="DRS",
@@ -29,6 +30,10 @@ class Test_drs_job_exist:
                 ],
             )
         ]
+        drs_client.recovery_job_arn_template = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job"
+        drs_client.__get_recovery_job_arn_template__ = mock.MagicMock(
+            return_value=drs_client.recovery_job_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.drs.drs_service.DRS",
             new=drs_client,
@@ -47,7 +52,10 @@ class Test_drs_job_exist:
                 result[0].status_extended == "DRS is enabled for this region with jobs."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:drs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:recovery-job"
+            )
             assert result[0].region == AWS_REGION
             assert result[0].resource_tags == []
 
@@ -56,6 +64,7 @@ class Test_drs_job_exist:
         drs_client.audited_account = AWS_ACCOUNT_NUMBER
         drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         drs_client.region = AWS_REGION
+        drs_client.audited_partition = "aws"
         drs_client.drs_services = [
             DRSservice(
                 id="DRS",
@@ -64,6 +73,10 @@ class Test_drs_job_exist:
                 jobs=[],
             )
         ]
+        drs_client.recovery_job_arn_template = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job"
+        drs_client.__get_recovery_job_arn_template__ = mock.MagicMock(
+            return_value=drs_client.recovery_job_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.drs.drs_service.DRS",
             new=drs_client,
@@ -83,7 +96,10 @@ class Test_drs_job_exist:
                 == "DRS is enabled for this region without jobs."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:drs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:recovery-job"
+            )
             assert result[0].region == AWS_REGION
             assert result[0].resource_tags == []
 
@@ -92,6 +108,7 @@ class Test_drs_job_exist:
         drs_client.audited_account = AWS_ACCOUNT_NUMBER
         drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         drs_client.region = AWS_REGION
+        drs_client.audited_partition = "aws"
         drs_client.drs_services = [
             DRSservice(
                 id="DRS",
@@ -100,6 +117,10 @@ class Test_drs_job_exist:
                 jobs=[],
             )
         ]
+        drs_client.recovery_job_arn_template = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job"
+        drs_client.__get_recovery_job_arn_template__ = mock.MagicMock(
+            return_value=drs_client.recovery_job_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.drs.drs_service.DRS",
             new=drs_client,
@@ -116,7 +137,10 @@ class Test_drs_job_exist:
             assert result[0].status == "FAIL"
             assert result[0].status_extended == "DRS is not enabled for this region."
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:drs:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:recovery-job"
+            )
             assert result[0].region == AWS_REGION
             assert result[0].resource_tags == []
 
@@ -125,6 +149,7 @@ class Test_drs_job_exist:
         drs_client.audit_config = {"allowlist_non_default_regions": True}
         drs_client.audited_account = AWS_ACCOUNT_NUMBER
         drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        drs_client.audited_partition = "aws"
         drs_client.region = "eu-west-2"
         drs_client.drs_services = [
             DRSservice(
@@ -134,6 +159,10 @@ class Test_drs_job_exist:
                 jobs=[],
             )
         ]
+        drs_client.recovery_job_arn_template = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job"
+        drs_client.__get_recovery_job_arn_template__ = mock.MagicMock(
+            return_value=drs_client.recovery_job_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.drs.drs_service.DRS",
             new=drs_client,
@@ -150,6 +179,9 @@ class Test_drs_job_exist:
             assert result[0].status == "WARNING"
             assert result[0].status_extended == "DRS is not enabled for this region."
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:drs:eu-west-2:{AWS_ACCOUNT_NUMBER}:recovery-job"
+            )
             assert result[0].region == AWS_REGION
             assert result[0].resource_tags == []

tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py

@@ -51,7 +51,19 @@ class Test_ec2_ebs_default_encryption:
                     )
                     assert result.resource_id == AWS_ACCOUNT_NUMBER
                     assert (
-                        result.resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+                        result.resource_arn
+                        == f"arn:aws:ec2:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:volume"
+                    )
+                if result.region == AWS_REGION_EU_WEST_1:
+                    assert result.status == "FAIL"
+                    assert (
+                        result.status_extended
+                        == "EBS Default Encryption is not activated."
+                    )
+                    assert result.resource_id == AWS_ACCOUNT_NUMBER
+                    assert (
+                        result.resource_arn
+                        == f"arn:aws:ec2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:volume"
                     )
 
     @mock_aws
@@ -75,16 +87,33 @@ class Test_ec2_ebs_default_encryption:
             )
 
             check = ec2_ebs_default_encryption()
-            result = check.execute()
+            results = check.execute()
 
             # One result per region
-            assert len(result) == 2
+            assert len(results) == 2
-            assert result[0].status == "FAIL"
+            for result in results:
+                if result.region == AWS_REGION_US_EAST_1:
+                    assert result.status == "FAIL"
                     assert (
-                result[0].status_extended == "EBS Default Encryption is not activated."
+                        result.status_extended
+                        == "EBS Default Encryption is not activated."
+                    )
+                    assert result.resource_id == AWS_ACCOUNT_NUMBER
+                    assert (
+                        result.resource_arn
+                        == f"arn:aws:ec2:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:volume"
+                    )
+                if result.region == AWS_REGION_EU_WEST_1:
+                    assert result.status == "FAIL"
+                    assert (
+                        result.status_extended
+                        == "EBS Default Encryption is not activated."
+                    )
+                    assert result.resource_id == AWS_ACCOUNT_NUMBER
+                    assert (
+                        result.resource_arn
+                        == f"arn:aws:ec2:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:volume"
                     )
-            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
 
     @mock_aws
     def test_ec2_ebs_encryption_disabled_ignored(self):
@@ -148,4 +177,7 @@ class Test_ec2_ebs_default_encryption:
                 result[0].status_extended == "EBS Default Encryption is not activated."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:ec2:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:volume"
+            )

tests/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled_test.py

@@ -18,6 +18,12 @@ class Test_emr_cluster_account_public_block_enabled:
                 block_public_security_group_rules=True
             )
         }
+        emr_client.region = AWS_REGION_EU_WEST_1
+        emr_client.audited_partition = "aws"
+        emr_client.cluster_arn_template = f"arn:{emr_client.audited_partition}:elasticmapreduce:{emr_client.region}:{emr_client.audited_account}:cluster"
+        emr_client.__get_cluster_arn_template__ = mock.MagicMock(
+            return_value=emr_client.cluster_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.emr.emr_service.EMR",
             new=emr_client,
@@ -47,6 +53,12 @@ class Test_emr_cluster_account_public_block_enabled:
                 block_public_security_group_rules=False
             )
         }
+        emr_client.region = AWS_REGION_EU_WEST_1
+        emr_client.audited_partition = "aws"
+        emr_client.cluster_arn_template = f"arn:{emr_client.audited_partition}:elasticmapreduce:{emr_client.region}:{emr_client.audited_account}:cluster"
+        emr_client.__get_cluster_arn_template__ = mock.MagicMock(
+            return_value=emr_client.cluster_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.emr.emr_service.EMR",
             new=emr_client,

tests/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant_test.py

@@ -34,11 +34,12 @@ class Test_fms_policy_compliant:
         fms_client.audited_account = AWS_ACCOUNT_NUMBER
         fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         fms_client.region = AWS_REGION_US_EAST_1
+        fms_client.audited_partition = "aws"
         fms_client.fms_admin_account = True
         fms_client.fms_policies = [
             Policy(
-                arn="arn:aws:fms:us-east-1:12345678901",
+                arn=f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy",
-                id="12345678901",
+                id=AWS_ACCOUNT_NUMBER,
                 name="test",
                 resource_type="AWS::EC2::Instance",
                 service_type="WAF",
@@ -46,13 +47,17 @@ class Test_fms_policy_compliant:
                 delete_unused_managed_resources=True,
                 compliance_status=[
                     PolicyAccountComplianceStatus(
-                        account_id="12345678901",
+                        account_id=AWS_ACCOUNT_NUMBER,
-                        policy_id="12345678901",
+                        policy_id=AWS_ACCOUNT_NUMBER,
                         status="NON_COMPLIANT",
                     )
                 ],
             )
         ]
+        fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy"
+        fms_client.__get_policy_arn_template__ = mock.MagicMock(
+            return_value=fms_client.policy_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.fms.fms_service.FMS",
             new=fms_client,
@@ -71,8 +76,11 @@ class Test_fms_policy_compliant:
                 result[0].status_extended
                 == f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}."
             )
-            assert result[0].resource_id == "12345678901"
+            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     def test_fms_admin_with_compliant_policies(self):
@@ -80,6 +88,7 @@ class Test_fms_policy_compliant:
         fms_client.audited_account = AWS_ACCOUNT_NUMBER
         fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         fms_client.region = AWS_REGION_US_EAST_1
+        fms_client.audited_partition = "aws"
         fms_client.fms_admin_account = True
         fms_client.fms_policies = [
             Policy(
@@ -99,6 +108,10 @@ class Test_fms_policy_compliant:
                 ],
             )
         ]
+        fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy"
+        fms_client.__get_policy_arn_template__ = mock.MagicMock(
+            return_value=fms_client.policy_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.fms.fms_service.FMS",
             new=fms_client,
@@ -117,18 +130,22 @@ class Test_fms_policy_compliant:
                 result[0].status_extended == "FMS enabled with all compliant accounts."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     def test_fms_admin_with_non_and_compliant_policies(self):
         fms_client = mock.MagicMock
         fms_client.audited_account = AWS_ACCOUNT_NUMBER
         fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        fms_client.audited_partition = "aws"
         fms_client.region = AWS_REGION_US_EAST_1
         fms_client.fms_admin_account = True
         fms_client.fms_policies = [
             Policy(
-                arn="arn:aws:fms:us-east-1:12345678901",
+                arn=f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy",
                 id="12345678901",
                 name="test",
                 resource_type="AWS::EC2::Instance",
@@ -149,6 +166,10 @@ class Test_fms_policy_compliant:
                 ],
             )
         ]
+        fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy"
+        fms_client.__get_policy_arn_template__ = mock.MagicMock(
+            return_value=fms_client.policy_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.fms.fms_service.FMS",
             new=fms_client,
@@ -168,7 +189,10 @@ class Test_fms_policy_compliant:
                 == f"FMS with non-compliant policy {fms_client.fms_policies[0].name} for account {fms_client.fms_policies[0].compliance_status[0].account_id}."
             )
             assert result[0].resource_id == "12345678901"
-            assert result[0].resource_arn == "arn:aws:fms:us-east-1:12345678901"
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     def test_fms_admin_without_policies(self):
@@ -176,8 +200,13 @@ class Test_fms_policy_compliant:
         fms_client.audited_account = AWS_ACCOUNT_NUMBER
         fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
         fms_client.region = AWS_REGION_US_EAST_1
+        fms_client.audited_partition = "aws"
         fms_client.fms_admin_account = True
         fms_client.fms_policies = []
+        fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy"
+        fms_client.__get_policy_arn_template__ = mock.MagicMock(
+            return_value=fms_client.policy_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.fms.fms_service.FMS",
             new=fms_client,
@@ -197,13 +226,17 @@ class Test_fms_policy_compliant:
                 == f"FMS without any compliant policy for account {AWS_ACCOUNT_NUMBER}."
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == fms_client.audited_account_arn
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fms:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     def test_fms_admin_with_policy_with_null_status(self):
         fms_client = mock.MagicMock
         fms_client.audited_account = AWS_ACCOUNT_NUMBER
         fms_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        fms_client.audited_partition = "aws"
         fms_client.region = AWS_REGION_US_EAST_1
         fms_client.fms_admin_account = True
         fms_client.fms_policies = [
@@ -224,6 +257,10 @@ class Test_fms_policy_compliant:
                 ],
             )
         ]
+        fms_client.policy_arn_template = f"arn:{fms_client.audited_partition}:fms:{fms_client.region}:{fms_client.audited_account}:policy"
+        fms_client.__get_policy_arn_template__ = mock.MagicMock(
+            return_value=fms_client.policy_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.fms.fms_service.FMS",
             new=fms_client,

tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py

@@ -41,7 +41,12 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled:
             )
         ]
         glue_client.audited_account = "12345678912"
-
+        glue_client.audited_partition = "aws"
+        glue_client.region = AWS_REGION_US_EAST_1
+        glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
+        glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
+            return_value=glue_client.data_catalog_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.glue.glue_service.Glue",
             glue_client,
@@ -77,6 +82,12 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled:
             )
         ]
         glue_client.audited_account = "12345678912"
+        glue_client.audited_partition = "aws"
+        glue_client.region = AWS_REGION_US_EAST_1
+        glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
+        glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
+            return_value=glue_client.data_catalog_arn_template
+        )
         glue_client.audit_info.ignore_unused_services = True
         with mock.patch(
             "prowler.providers.aws.services.glue.glue_service.Glue",
@@ -106,6 +117,12 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled:
             )
         ]
         glue_client.audited_account = "12345678912"
+        glue_client.audited_partition = "aws"
+        glue_client.region = AWS_REGION_US_EAST_1
+        glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
+        glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
+            return_value=glue_client.data_catalog_arn_template
+        )
         glue_client.audit_info.ignore_unused_services = True
         with mock.patch(
             "prowler.providers.aws.services.glue.glue_service.Glue",

tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py

@@ -42,7 +42,12 @@ class Test_glue_data_catalogs_metadata_encryption_enabled:
             )
         ]
         glue_client.audited_account = "12345678912"
-
+        glue_client.audited_partition = "aws"
+        glue_client.region = AWS_REGION_US_EAST_1
+        glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
+        glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
+            return_value=glue_client.data_catalog_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.glue.glue_service.Glue",
             glue_client,
@@ -79,7 +84,12 @@ class Test_glue_data_catalogs_metadata_encryption_enabled:
         ]
         glue_client.audited_account = "12345678912"
         glue_client.audit_info.ignore_unused_services = True
-
+        glue_client.audited_partition = "aws"
+        glue_client.region = AWS_REGION_US_EAST_1
+        glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
+        glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
+            return_value=glue_client.data_catalog_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.glue.glue_service.Glue",
             glue_client,
@@ -109,7 +119,12 @@ class Test_glue_data_catalogs_metadata_encryption_enabled:
         ]
         glue_client.audited_account = "12345678912"
         glue_client.audit_info.ignore_unused_services = True
-
+        glue_client.audited_partition = "aws"
+        glue_client.region = AWS_REGION_US_EAST_1
+        glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
+        glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
+            return_value=glue_client.data_catalog_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.glue.glue_service.Glue",
             glue_client,
@@ -145,7 +160,12 @@ class Test_glue_data_catalogs_metadata_encryption_enabled:
             )
         ]
         glue_client.audited_account = "12345678912"
-
+        glue_client.audited_partition = "aws"
+        glue_client.region = AWS_REGION_US_EAST_1
+        glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
+        glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
+            return_value=glue_client.data_catalog_arn_template
+        )
         with mock.patch(
             "prowler.providers.aws.services.glue.glue_service.Glue",
             glue_client,

tests/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_test.py

@@ -4,7 +4,6 @@ from unittest import mock
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_US_EAST_1,
     set_mocked_aws_audit_info,
@@ -47,7 +46,10 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
                 assert len(result) == 1
                 assert result[0].status == "PASS"
                 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-                assert result[0].resource_arn == AWS_ACCOUNT_ARN
+                assert (
+                    result[0].resource_arn
+                    == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"
+                )
                 assert result[0].region == AWS_REGION_US_EAST_1
                 assert search(
                     "Password expiration is set lower than 90 days",
@@ -89,7 +91,10 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
                 assert len(result) == 1
                 assert result[0].status == "FAIL"
                 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-                assert result[0].resource_arn == AWS_ACCOUNT_ARN
+                assert (
+                    result[0].resource_arn
+                    == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"
+                )
                 assert result[0].region == AWS_REGION_US_EAST_1
                 assert search(
                     "Password expiration is set greater than 90 days",
@@ -131,7 +136,10 @@ class Test_iam_password_policy_expires_passwords_within_90_days_or_less:
                 assert len(result) == 1
                 assert result[0].status == "PASS"
                 assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-                assert result[0].resource_arn == AWS_ACCOUNT_ARN
+                assert (
+                    result[0].resource_arn
+                    == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"
+                )
                 assert result[0].region == AWS_REGION_US_EAST_1
                 assert search(
                     "Password expiration is set lower than 90 days",

tests/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_test.py

@@ -5,7 +5,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_US_EAST_1,
     set_mocked_aws_audit_info,
@@ -44,7 +43,10 @@ class Test_iam_password_policy_lowercase:
                 result[0].status_extended,
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     @mock_aws
@@ -78,5 +80,8 @@ class Test_iam_password_policy_lowercase:
                 result[0].status_extended,
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1

tests/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_test.py

@@ -5,7 +5,6 @@ from boto3 import client
 from moto import mock_aws
 
 from tests.providers.aws.audit_info_utils import (
-    AWS_ACCOUNT_ARN,
     AWS_ACCOUNT_NUMBER,
     AWS_REGION_US_EAST_1,
     set_mocked_aws_audit_info,
@@ -51,7 +50,10 @@ class Test_iam_password_policy_minimum_length_14:
                 result[0].status_extended,
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     @mock_aws
@@ -85,7 +87,10 @@ class Test_iam_password_policy_minimum_length_14:
                 result[0].status_extended,
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1
 
     @mock_aws
@@ -119,5 +124,8 @@ class Test_iam_password_policy_minimum_length_14:
                 result[0].status_extended,
             )
             assert result[0].resource_id == AWS_ACCOUNT_NUMBER
-            assert result[0].resource_arn == AWS_ACCOUNT_ARN
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:iam:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:password-policy"
+            )
             assert result[0].region == AWS_REGION_US_EAST_1