feat(allowlist): allowlist non-default regions configuration (#2974)

2026-02-10 14:55:00 +00:00 · 2023-10-30 17:51:49 +01:00
parent fcc56ad6f7
commit fcb979aae1
10 changed files with 216 additions and 2 deletions
--- a/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py
+++ b/tests/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled_test.py
@@ -39,6 +39,7 @@ class Test_config_recorder_all_regions_enabled:
                completed_checks=0,
                audit_progress=0,
            ),
+            audit_config={},
        )

        return audit_info
@@ -159,3 +160,54 @@ class Test_config_recorder_all_regions_enabled:
                    assert recorder.resource_id == "default"
                    assert recorder.resource_arn == AWS_ACCOUNT_ARN
                    assert recorder.region == AWS_REGION
+
+    @mock_config
+    def test_config_one_recorder_disabled_allowlisted(self):
+        # Create Config Mocked Resources
+        config_client = client("config", region_name=AWS_REGION)
+        # Create Config Recorder
+        config_client.put_configuration_recorder(
+            ConfigurationRecorder={"name": AWS_ACCOUNT_NUMBER, "roleARN": "somearn"}
+        )
+        from prowler.providers.aws.services.config.config_service import Config
+
+        current_audit_info = self.set_mocked_audit_info()
+        current_audit_info.profile_region = "eu-south-2"
+        current_audit_info.audited_regions = ["eu-south-2", AWS_REGION]
+        current_audit_info.audit_config = {"allowlist_non_default_regions": True}
+
+        with mock.patch(
+            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+            new=current_audit_info,
+        ), mock.patch(
+            "prowler.providers.aws.services.config.config_recorder_all_regions_enabled.config_recorder_all_regions_enabled.config_client",
+            new=Config(current_audit_info),
+        ):
+            # Test Check
+            from prowler.providers.aws.services.config.config_recorder_all_regions_enabled.config_recorder_all_regions_enabled import (
+                config_recorder_all_regions_enabled,
+            )
+
+            check = config_recorder_all_regions_enabled()
+            result = check.execute()
+            assert len(result) == 2
+            # Search for the recorder just created
+            for recorder in result:
+                if recorder.region == AWS_REGION:
+                    assert recorder.status == "WARNING"
+                    assert (
+                        recorder.status_extended
+                        == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled."
+                    )
+                    assert recorder.resource_id == AWS_ACCOUNT_NUMBER
+                    assert recorder.resource_arn == AWS_ACCOUNT_ARN
+                    assert recorder.region == AWS_REGION
+                else:
+                    assert recorder.status == "FAIL"
+                    assert (
+                        recorder.status_extended
+                        == f"AWS Config recorder {AWS_ACCOUNT_NUMBER} is disabled."
+                    )
+                    assert recorder.resource_id == AWS_ACCOUNT_NUMBER
+                    assert recorder.resource_arn == AWS_ACCOUNT_ARN
+                    assert recorder.region == "eu-south-2"
--- a/tests/providers/aws/services/drs/drs_job_exist/drs_job_exist_test.py
+++ b/tests/providers/aws/services/drs/drs_job_exist/drs_job_exist_test.py
@@ -119,3 +119,37 @@ class Test_drs_job_exist:
            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
            assert result[0].region == AWS_REGION
            assert result[0].resource_tags == []
+
+    def test_drs_disabled_allowlisted(self):
+        drs_client = mock.MagicMock
+        drs_client.audit_config = {"allowlist_non_default_regions": True}
+        drs_client.audited_account = AWS_ACCOUNT_NUMBER
+        drs_client.audited_account_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+        drs_client.region = "eu-west-2"
+        drs_client.drs_services = [
+            DRSservice(
+                id="DRS",
+                status="DISABLED",
+                region=AWS_REGION,
+                jobs=[],
+            )
+        ]
+        with mock.patch(
+            "prowler.providers.aws.services.drs.drs_service.DRS",
+            new=drs_client,
+        ):
+            # Test Check
+            from prowler.providers.aws.services.drs.drs_job_exist.drs_job_exist import (
+                drs_job_exist,
+            )
+
+            check = drs_job_exist()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "WARNING"
+            assert result[0].status_extended == "DRS is not enabled for this region."
+            assert result[0].resource_id == AWS_ACCOUNT_NUMBER
+            assert result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+            assert result[0].region == AWS_REGION
+            assert result[0].resource_tags == []
--- a/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
+++ b/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
@@ -15,6 +15,7 @@ detector_arn = f"arn:aws:guardduty:{AWS_REGION}:{AWS_ACCOUNT_ID}:detector/{detec
 class Test_guardduty_is_enabled:
    def test_no_detectors(self):
        guardduty_client = mock.MagicMock
+        guardduty_client.region = AWS_REGION
        guardduty_client.detectors = []
        guardduty_client.detectors.append(
            Detector(
@@ -71,6 +72,7 @@ class Test_guardduty_is_enabled:

    def test_guardduty_configured_but_suspended(self):
        guardduty_client = mock.MagicMock
+        guardduty_client.region = AWS_REGION
        guardduty_client.detectors = []
        guardduty_client.detectors.append(
            Detector(
@@ -100,6 +102,7 @@ class Test_guardduty_is_enabled:
    def test_guardduty_not_configured(self):
        guardduty_client = mock.MagicMock
        guardduty_client.detectors = []
+        guardduty_client.region = AWS_REGION
        guardduty_client.detectors.append(
            Detector(
                id=detector_id,
@@ -123,3 +126,35 @@ class Test_guardduty_is_enabled:
            assert result[0].resource_id == detector_id
            assert result[0].resource_arn == detector_arn
            assert result[0].region == AWS_REGION
+
+    def test_guardduty_not_configured_allowlisted(self):
+        guardduty_client = mock.MagicMock
+        guardduty_client.audit_config = {"allowlist_non_default_regions": True}
+        guardduty_client.region = "eu-south-2"
+        guardduty_client.detectors = []
+        guardduty_client.detectors.append(
+            Detector(
+                id=detector_id,
+                arn=detector_arn,
+                region=AWS_REGION,
+            )
+        )
+        with mock.patch(
+            "prowler.providers.aws.services.guardduty.guardduty_service.GuardDuty",
+            guardduty_client,
+        ):
+            from prowler.providers.aws.services.guardduty.guardduty_is_enabled.guardduty_is_enabled import (
+                guardduty_is_enabled,
+            )
+
+            check = guardduty_is_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "WARNING"
+            assert (
+                result[0].status_extended
+                == f"GuardDuty detector {detector_id} not configured."
+            )
+            assert result[0].resource_id == detector_id
+            assert result[0].resource_arn == detector_arn
+            assert result[0].region == AWS_REGION
--- a/tests/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_test.py
+++ b/tests/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_test.py
@@ -12,6 +12,7 @@ AWS_ACCOUNT_ARN = f"arn:aws:iam::{AWS_ACCOUNT_ID}:root"
 class Test_securityhub_enabled:
    def test_securityhub_hub_inactive(self):
        securityhub_client = mock.MagicMock
+        securityhub_client.region = AWS_REGION
        securityhub_client.securityhubs = [
            SecurityHubHub(
                arn=AWS_ACCOUNT_ARN,
@@ -114,6 +115,7 @@ class Test_securityhub_enabled:

    def test_securityhub_hub_active_without_integrations_or_standards(self):
        securityhub_client = mock.MagicMock
+        securityhub_client.region = AWS_REGION
        securityhub_client.securityhubs = [
            SecurityHubHub(
                arn="arn:aws:securityhub:us-east-1:0123456789012:hub/default",
@@ -147,3 +149,41 @@ class Test_securityhub_enabled:
                == "arn:aws:securityhub:us-east-1:0123456789012:hub/default"
            )
            assert result[0].region == AWS_REGION
+
+    def test_securityhub_hub_active_without_integrations_or_standards_allowlisted(self):
+        securityhub_client = mock.MagicMock
+        securityhub_client.audit_config = {"allowlist_non_default_regions": True}
+        securityhub_client.region = AWS_REGION
+        securityhub_client.securityhubs = [
+            SecurityHubHub(
+                arn="arn:aws:securityhub:us-east-1:0123456789012:hub/default",
+                id="default",
+                status="ACTIVE",
+                standards="",
+                integrations="",
+                region="eu-south-2",
+            )
+        ]
+        with mock.patch(
+            "prowler.providers.aws.services.securityhub.securityhub_service.SecurityHub",
+            new=securityhub_client,
+        ):
+            # Test Check
+            from prowler.providers.aws.services.securityhub.securityhub_enabled.securityhub_enabled import (
+                securityhub_enabled,
+            )
+
+            check = securityhub_enabled()
+            result = check.execute()
+
+            assert result[0].status == "WARNING"
+            assert (
+                result[0].status_extended
+                == "Security Hub is enabled but without any standard or integration."
+            )
+            assert result[0].resource_id == "default"
+            assert (
+                result[0].resource_arn
+                == "arn:aws:securityhub:us-east-1:0123456789012:hub/default"
+            )
+            assert result[0].region == "eu-south-2"