From df9a396703452f859588a66107417b3768742ce0 Mon Sep 17 00:00:00 2001
From: pedrooot
Date: Mon, 11 Nov 2024 11:16:16 +0100
Subject: [PATCH] feat(arn): refactor arn for unknown resources
---
.../accessanalyzer_enabled.py | 1 +
...edrock_model_invocation_logging_enabled.py | 3 ++-
...odel_invocation_logs_encryption_enabled.py | 3 +++
.../guardduty_is_enabled.py | 3 +++
.../iam_check_saml_providers_sts.py | 1 +
...nizations_account_part_of_organizations.py | 3 ++-
...rganizations_opt_out_ai_services_policy.py | 3 ++-
.../organizations_scp_check_deny_regions.py | 4 +++-
...ions_tags_policies_enabled_and_attached.py | 3 ++-
.../securityhub_enabled.py | 2 ++
.../accessanalyzer_enabled_test.py | 21 ++++++++++++++++---
...k_model_invocation_logging_enabled_test.py | 10 +++++++--
...invocation_logs_encryption_enabled_test.py | 15 ++++++++++---
.../guardduty_is_enabled_test.py | 6 +++---
.../iam_check_saml_providers_sts_test.py | 3 ++-
...ions_account_part_of_organizations_test.py | 11 +++++-----
...zations_opt_out_ai_services_policy_test.py | 17 ++++++++++++---
...ganizations_scp_check_deny_regions_test.py | 16 ++++++++++----
...tags_policies_enabled_and_attached_test.py | 11 ++++++++--
.../securityhub_enabled_test.py | 13 +++++++++---
20 files changed, 114 insertions(+), 35 deletions(-)
diff --git a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py
index 3c5516aabeb..b81fd16f8a2 100644
--- a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py
+++ b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py
@@ -20,6 +20,7 @@ def execute(self):
)
else:
+ report.resource_arn = f"arn:{accessanalyzer_client.audited_partition}:accessanalyzer:{analyzer.region}:{accessanalyzer_client.audited_account}:unknown"
if analyzer.status == "NOT_AVAILABLE":
report.status = "FAIL"
report.status_extended = f"IAM Access Analyzer in account {analyzer.name} is not enabled."
diff --git a/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled.py b/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled.py
index 7edabcf3cec..ab83eb92fb4 100644
--- a/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled.py
+++ b/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled.py
@@ -9,12 +9,13 @@ def execute(self):
report = Check_Report_AWS(self.metadata())
report.region = region
report.resource_id = bedrock_client.audited_account
- report.resource_arn = bedrock_client.audited_account_arn
+ report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{region}:{bedrock_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = "Bedrock Model Invocation Logging is disabled."
if logging.enabled:
report.status = "PASS"
report.status_extended = "Bedrock Model Invocation Logging is enabled"
+ report.resource_arn = bedrock_client.audited_account_arn
if logging.cloudwatch_log_group and logging.s3_bucket:
report.status_extended += f" in CloudWatch Log Group: {logging.cloudwatch_log_group} and S3 Bucket: {logging.s3_bucket}."
elif logging.cloudwatch_log_group:
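Review bot: The `arn:{partition}:{service}:{region}:{account}:unknown` template introduced on the added line is typed out again by hand in the bedrock, guardduty, iam, organizations and securityhub hunks of this patch, so the placeholder format now lives in ten separate f-strings. If the service clients share a base class (not visible here), one helper such as `def unknown_arn(self, service, region): return f"arn:{self.audited_partition}:{service}:{region}:{self.audited_account}:unknown"` would keep the shape in one place and would have made the mis-typed service name in iam_check_saml_providers_sts.py impossible. The enclosing execute() starts and ends outside the hunk.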
diff --git a/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled.py b/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled.py
index 76ca16cba2d..e53a4e89560 100644
--- a/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled.py
+++ b/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled.py
@@ -37,12 +37,15 @@ def execute(self):
):
cloudwatch_encryption = False
if not s3_encryption and not cloudwatch_encryption:
+ report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{bedrock_client.region}:{bedrock_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = f"Bedrock Model Invocation logs are not encrypted in S3 bucket: {logging.s3_bucket} and CloudWatch Log Group: {logging.cloudwatch_log_group}."
elif not s3_encryption:
+ report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{bedrock_client.region}:{bedrock_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = f"Bedrock Model Invocation logs are not encrypted in S3 bucket: {logging.s3_bucket}."
elif not cloudwatch_encryption:
+ report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{bedrock_client.region}:{bedrock_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = f"Bedrock Model Invocation logs are not encrypted in CloudWatch Log Group: {logging.cloudwatch_log_group}."
diff --git a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
index 610eb4a0ce1..e1a5b27979d 100644
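Review bot: The three added lines are byte-identical assignments in sibling `if`/`elif` branches that all also set `report.status = "FAIL"`; a single `report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{bedrock_client.region}:{bedrock_client.audited_account}:unknown"` placed just before `if not s3_encryption and not cloudwatch_encryption:` expresses the same thing once (any trailing `else` is outside the hunk). The ARN region is `bedrock_client.region`, whereas bedrock_model_invocation_logging_enabled.py in the same patch builds it from the per-region loop variable; if this check also iterates regions, the placeholder would name the client's default region rather than the one `report.region` carries, which is worth confirming against the `report.region` assignment outside the hunk. execute() starts and ends outside the hunk.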
--- a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
@@ -15,14 +15,17 @@ def execute(self):
report.status_extended = f"GuardDuty detector {detector.id} enabled."
if not detector.enabled_in_account:
+ report.resource_arn = f"arn:{guardduty_client.audited_partition}:guardduty:{guardduty_client.region}:{guardduty_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = "GuardDuty is not enabled."
elif detector.status is None:
+ report.resource_arn = f"arn:{guardduty_client.audited_partition}:guardduty:{guardduty_client.region}:{guardduty_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = (
f"GuardDuty detector {detector.id} not configured."
)
elif not detector.status:
+ report.resource_arn = f"arn:{guardduty_client.audited_partition}:guardduty:{guardduty_client.region}:{guardduty_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = (
f"GuardDuty detector {detector.id} configured but suspended."
diff --git a/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py b/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
index ea5c74fe78e..6792c04dc62 100644
--- a/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
+++ b/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
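Review bot: The second and third added lines discard a known resource: in the `detector.status is None` and `not detector.status` branches a detector exists (both messages interpolate `detector.id`), so the real detector ARN the test previously expected, `f"arn:aws:guardduty:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:detector/{detector_id}"`, is available and should stay; only the `not detector.enabled_in_account` branch has nothing to point at. The placeholder also takes its region from `guardduty_client.region`, which is why the three hunks in guardduty_is_enabled_test.py now expect `us-east-1` for a detector created in `AWS_REGION_EU_WEST_1`; building it from the detector's own region (whatever `report.region` is assigned from, outside the hunk) keeps the ARN consistent with the finding. Dropping the two `elif` additions and switching the first one to the detector's region is the whole change. execute() starts and ends outside the hunk.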
@@ -9,6 +9,7 @@ def execute(self) -> Check_Report_AWS:
report = Check_Report_AWS(self.metadata())
report.resource_id = iam_client.audited_account
report.resource_arn = iam_client.audited_account_arn
+ report.resource_arn = f"arn:{iam_client.audited_partition}:accessanalyzer:{iam_client.region}:{iam_client.audited_account}:unknown"
report.region = iam_client.region
report.status = "FAIL"
report.status_extended = "No SAML Providers found."
diff --git a/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py b/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py
index 65204057455..7dbfec32710 100644
--- a/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py
+++ b/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py
@@ -14,14 +14,15 @@ def execute(self):
report.status_extended = (
f"AWS Organization {org.id} contains this AWS account."
)
+ report.resource_arn = org.arn
else:
report.status = "FAIL"
report.status_extended = (
"AWS Organizations is not in-use for this AWS Account."
)
+ report.resource_arn = f"arn:{organizations_client.audited_partition}:organizations:{organizations_client.region}:{organizations_client.audited_account}:unknown"
report.region = organizations_client.region
report.resource_id = org.id
- report.resource_arn = org.arn
findings.append(report)
return findings
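Review bot: The added line names the wrong service: this is an IAM check, but the placeholder ARN is built with `accessanalyzer` (carried over from accessanalyzer_enabled.py), and iam_check_saml_providers_sts_test.py now asserts that wrong value. It also leaves the preceding `report.resource_arn = iam_client.audited_account_arn` in place as a dead assignment that the new line overwrites immediately. Replace the pair with `report.resource_arn = f"arn:{iam_client.audited_partition}:iam:{iam_client.region}:{iam_client.audited_account}:unknown"` and update the test expectation to match. execute() continues outside the hunk.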
--- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py
+++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py
@@ -12,7 +12,7 @@ def execute(self):
if org.policies is not None: # Access Denied to list_policies
report = Check_Report_AWS(self.metadata())
report.resource_id = org.id
- report.resource_arn = org.arn
+ report.resource_arn = f"arn:{organizations_client.audited_partition}:organizations:{organizations_client.region}:{organizations_client.audited_account}:unknown"
report.region = organizations_client.region
report.status = "FAIL"
report.status_extended = (
@@ -28,6 +28,7 @@ def execute(self):
.get("@@assign")
== "optOut"
):
+ report.resource_arn = org.arn
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has opted out of all AI services, not granting consent for AWS to access its data."
break
diff --git a/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py b/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py
index 39b341bc0b7..c8f91a22fd8 100644
--- a/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py
+++ b/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py
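Review bot: The replaced line turns a known organization into an unknown resource: this branch runs under `if org.policies is not None`, so `org.id` and `org.arn` are real values, yet every FAIL outcome now carries the placeholder and only the PASS path restores `org.arn` (test_organization_with_AI_optout_no_policies now expects `...:unknown` for `o-1234567890`). The same pattern is in the organizations_scp_check_deny_regions.py and organizations_tags_policies_enabled_and_attached.py hunks. Keeping `report.resource_arn = org.arn` as the default and using the placeholder only when there is no organization (the tests show a substitute object with id `"AWS Organization"` in that case; the exact sentinel is outside the hunk) keeps FAIL findings attributable to the organization they describe. execute() starts and ends outside the hunks.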
@@ -15,7 +15,7 @@ def execute(self):
if org.policies is not None: # Access denied to list policies
report = Check_Report_AWS(self.metadata())
report.resource_id = org.id
- report.resource_arn = org.arn
+ report.resource_arn = f"arn:{organizations_client.audited_partition}:organizations:{organizations_client.region}:{organizations_client.audited_account}:unknown"
report.region = organizations_client.region
report.status = "FAIL"
report.status_extended = (
@@ -53,6 +53,7 @@ def execute(self):
for region in organizations_enabled_regions
):
# All defined regions are restricted, we exit here, no need to continue.
+ report.resource_arn = org.arn
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has SCP policy {policy.id} restricting all configured regions found."
findings.append(report)
@@ -79,6 +80,7 @@ def execute(self):
for region in organizations_enabled_regions
):
# All defined regions are restricted, we exit here, no need to continue.
+ report.resource_arn = org.arn
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has SCP policy {policy.id} restricting all configured regions found."
findings.append(report)
diff --git a/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py b/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py
index 80d6b3e052c..84762638dbd 100644
--- a/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py
+++ b/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py
@@ -12,7 +12,7 @@ def execute(self):
if org.policies is not None: # Access Denied to list_policies
report = Check_Report_AWS(self.metadata())
report.resource_id = org.id
- report.resource_arn = org.arn
+ report.resource_arn = f"arn:{organizations_client.audited_partition}:organizations:{organizations_client.region}:{organizations_client.audited_account}:unknown"
report.region = organizations_client.region
report.status = "FAIL"
report.status_extended = (
@@ -26,6 +26,7 @@ def execute(self):
for policy in org.policies.get("TAG_POLICY", []):
report.status_extended = f"AWS Organization {org.id} has tag policies enabled but not attached."
if policy.targets:
+ report.resource_arn = org.arn
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has tag policies enabled and attached to an AWS account."
diff --git a/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py b/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py
index 0c81f4a9d90..9c665fb98c9 100644
--- a/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py
+++ b/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py
@@ -20,9 +20,11 @@ def execute(self):
elif securityhub.integrations:
report.status_extended = f"Security Hub is enabled without standards but with integrations: {securityhub.integrations}."
else:
+ report.resource_arn = f"arn:{securityhub_client.audited_partition}:securityhub:{securityhub_client.region}:{securityhub_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = "Security Hub is enabled but without any standard or integration."
else:
+ report.resource_arn = f"arn:{securityhub_client.audited_partition}:securityhub:{securityhub_client.region}:{securityhub_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = "Security Hub is not enabled."
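Review bot: Both added placeholder ARNs take their region from `securityhub_client.region`, but `report.region` is evidently set from another source: the muted test in securityhub_enabled_test.py now asserts `result[0].region == "eu-south-2"` right next to a resource_arn containing `eu-west-1`, so the finding and its ARN disagree about the region. Build the placeholder from the same value `report.region` is assigned from (that assignment is outside the hunk). The first added line also sits in the `elif`/`else` chain for a hub that exists (`resource_id` is `default` and the `hub/default` ARN was asserted before this patch), so a real ARN is available there; only the outer `else` (Security Hub not enabled) has no resource to name. execute() starts and ends outside the hunk.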
diff --git a/tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py b/tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py
index 8588ef5e3d9..89e6c6a5076 100644
--- a/tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py
+++ b/tests/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_test.py
@@ -34,6 +34,8 @@ def test_one_analyzer_not_available(self):
# Include analyzers to check
accessanalyzer_client = mock.MagicMock
accessanalyzer_client.region = AWS_REGION_1
+ accessanalyzer_client.audited_partition = "aws"
+ accessanalyzer_client.audited_account = AWS_ACCOUNT_NUMBER
accessanalyzer_client.analyzers = [
Analyzer(
arn=AWS_ACCOUNT_ARN,
@@ -62,7 +64,10 @@ def test_one_analyzer_not_available(self):
== f"IAM Access Analyzer in account {AWS_ACCOUNT_NUMBER} is not enabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:accessanalyzer:eu-west-1:123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_1
assert result[0].resource_tags == []
@@ -71,6 +76,8 @@ def test_one_analyzer_not_available_muted(self):
accessanalyzer_client = mock.MagicMock
accessanalyzer_client.region = AWS_REGION_2
accessanalyzer_client.audit_config = {"mute_non_default_regions": True}
+ accessanalyzer_client.audited_partition = "aws"
+ accessanalyzer_client.audited_account = AWS_ACCOUNT_NUMBER
accessanalyzer_client.analyzers = [
Analyzer(
arn=AWS_ACCOUNT_ARN,
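Review bot: The new `accessanalyzer_client.audited_partition` / `audited_account` lines are assigned on `mock.MagicMock` itself, because the context line binds the class rather than an instance, so they become class attributes shared by every MagicMock created later in the session; the organizations and securityhub test hunks in this patch do the same. `accessanalyzer_client = mock.MagicMock()` would scope the attributes to the test. The expected value is also a literal, `"arn:aws:accessanalyzer:eu-west-1:123456789012:unknown"`, while the surrounding assertions use `AWS_ACCOUNT_NUMBER` and `AWS_REGION_1`; an f-string over those constants, as the previous guardduty expectation did, keeps the assertion in step with the fixtures and makes it visible why the muted test (client region `AWS_REGION_2`) still expects `eu-west-1`.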
@@ -100,13 +107,18 @@ def test_one_analyzer_not_available_muted(self):
== f"IAM Access Analyzer in account {AWS_ACCOUNT_NUMBER} is not enabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:accessanalyzer:eu-west-1:123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_1
assert result[0].resource_tags == []
def test_two_analyzers(self):
accessanalyzer_client = mock.MagicMock
accessanalyzer_client.region = AWS_REGION_1
+ accessanalyzer_client.audited_partition = "aws"
+ accessanalyzer_client.audited_account = AWS_ACCOUNT_NUMBER
accessanalyzer_client.analyzers = [
Analyzer(
arn=AWS_ACCOUNT_ARN,
@@ -147,7 +159,10 @@ def test_two_analyzers(self):
== f"IAM Access Analyzer in account {AWS_ACCOUNT_NUMBER} is not enabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:accessanalyzer:eu-west-1:123456789012:unknown"
+ )
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION_1
diff --git a/tests/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled_test.py b/tests/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled_test.py
index 9d934f69bc4..fbba5f94eeb 100644
--- a/tests/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled_test.py
+++ b/tests/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled_test.py
@@ -42,7 +42,10 @@ def test_no_loggings(self):
== "Bedrock Model Invocation Logging is disabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:bedrock:us-east-1:123456789012:unknown"
+ )
assert result[0].resource_tags == []
assert result[1].status == "FAIL"
assert (
@@ -50,7 +53,10 @@ def test_no_loggings(self):
== "Bedrock Model Invocation Logging is disabled."
)
assert result[1].resource_id == AWS_ACCOUNT_NUMBER
- assert result[1].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[1].resource_arn
+ == "arn:aws:bedrock:eu-west-1:123456789012:unknown"
+ )
assert result[1].resource_tags == []
@mock_aws
diff --git a/tests/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled_test.py b/tests/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled_test.py
index d215b62b9a4..9cc7c5d49ae 100644
--- a/tests/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled_test.py
+++ b/tests/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled_test.py
@@ -97,7 +97,10 @@ def test_s3_and_cloudwatch_logging_not_encrypted(self):
== "Bedrock Model Invocation logs are not encrypted in S3 bucket: testconfigbucket and CloudWatch Log Group: Test."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:bedrock:us-east-1:123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
@@ -147,7 +150,10 @@ def test_s3_logging_not_encrypted(self):
== "Bedrock Model Invocation logs are not encrypted in S3 bucket: testconfigbucket."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:bedrock:us-east-1:123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
@@ -199,7 +205,10 @@ def test_cloudwatch_logging_not_encrypted(self):
== "Bedrock Model Invocation logs are not encrypted in CloudWatch Log Group: Test."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:bedrock:us-east-1:123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []
diff --git a/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py b/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
index 25e6aaa18d9..de67054b5da 100644
--- a/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
+++ b/tests/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_test.py
@@ -110,7 +110,7 @@ def test_guardduty_configured_but_suspended(self):
assert result.resource_id == detector_id
assert (
result.resource_arn
- == f"arn:aws:guardduty:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:detector/{detector_id}"
+ == "arn:aws:guardduty:us-east-1:123456789012:unknown"
)
assert result.resource_tags == []
@@ -152,7 +152,7 @@ def test_guardduty_not_configured(self):
assert result.resource_id == detector_id
assert (
result.resource_arn
- == f"arn:aws:guardduty:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:detector/{detector_id}"
+ == "arn:aws:guardduty:us-east-1:123456789012:unknown"
)
assert result.resource_tags == []
@@ -193,7 +193,7 @@ def test_guardduty_not_configured_muted(self):
assert result.resource_id == detector_id
assert (
result.resource_arn
- == f"arn:aws:guardduty:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:detector/{detector_id}"
+ == "arn:aws:guardduty:us-east-1:123456789012:unknown"
)
assert result.resource_tags == []
assert result.muted
diff --git a/tests/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts_test.py b/tests/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts_test.py
index a7dd4871a9e..61ec690d469 100644
--- a/tests/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts_test.py
+++ b/tests/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts_test.py
@@ -121,7 +121,8 @@ def test_iam_check_saml_providers_sts_no_saml_providers(self):
assert result[0].status == "FAIL"
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
- result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
+ result[0].resource_arn
+ == "arn:aws:accessanalyzer:us-east-1:123456789012:unknown"
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].status_extended == "No SAML Providers found."
diff --git a/tests/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations_test.py b/tests/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations_test.py
index fc7b444a123..d6b4072f8aa 100644
--- a/tests/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations_test.py
+++ b/tests/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations_test.py
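Review bot: The new expectation `== "arn:aws:accessanalyzer:us-east-1:123456789012:unknown"` pins the wrong service name for an IAM check; it passes only because the production line in iam_check_saml_providers_sts.py builds the ARN with `accessanalyzer`, so the test codifies the copy-paste rather than catching it. Once the check uses `iam`, this should read `== "arn:aws:iam:us-east-1:123456789012:unknown"`, or better an f-string over `AWS_REGION_US_EAST_1` and `AWS_ACCOUNT_NUMBER`, which the neighbouring assertions already use.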
@@ -6,11 +6,7 @@ from prowler.providers.aws.services.organizations.organizations_service import (
Organizations,
)
-from tests.providers.aws.utils import (
- AWS_ACCOUNT_ARN,
- AWS_REGION_EU_WEST_1,
- set_mocked_aws_provider,
-)
+from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider
class Test_organizations_account_part_of_organizations:
@@ -43,7 +39,10 @@ def test_no_organization(self):
== "AWS Organizations is not in-use for this AWS Account."
)
assert result[0].resource_id == "AWS Organization"
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:organizations:eu-west-1:123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_EU_WEST_1
@mock_aws
diff --git a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py
index 5d94c363003..3867554e292 100644
--- a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py
+++ b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py
@@ -15,6 +15,8 @@ class Test_organizations_tags_policies_enabled_and_attached:
def test_organization_no_organization(self):
organizations_client = mock.MagicMock
organizations_client.region = AWS_REGION_EU_WEST_1
+ organizations_client.audited_partition = "aws"
+ organizations_client.audited_account = "0123456789012"
organizations_client.organizations = [
Organization(
arn=AWS_ACCOUNT_ARN,
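Review bot: `organizations_client.audited_account = "0123456789012"` is a 13-character value where an AWS account id is 12 digits, and the expected ARNs in the following hunks of this file inherit it; the same literal is added in organizations_tags_policies_enabled_and_attached_test.py and securityhub_enabled_test.py (where the file's existing hub ARN already carries it). The other test files in this patch use the `AWS_ACCOUNT_NUMBER` constant (123456789012); using it here keeps the fixture realistic and lets the expected ARN be written as an f-string over the constants instead of a literal that must be kept in sync by hand.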
@@ -49,12 +51,17 @@ def test_organization_no_organization(self):
== "AWS Organizations is not in-use for this AWS Account."
)
assert result[0].resource_id == "AWS Organization"
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:organizations:eu-west-1:0123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_EU_WEST_1
def test_organization_with_AI_optout_no_policies(self):
organizations_client = mock.MagicMock
organizations_client.region = AWS_REGION_EU_WEST_1
+ organizations_client.audited_partition = "aws"
+ organizations_client.audited_account = "0123456789012"
organizations_client.organizations = [
Organization(
id="o-1234567890",
@@ -93,13 +100,15 @@ def test_organization_with_AI_optout_no_policies(self):
assert result[0].resource_id == "o-1234567890"
assert (
result[0].resource_arn
- == "arn:aws:organizations::1234567890:organization/o-1234567890"
+ == "arn:aws:organizations:eu-west-1:0123456789012:unknown"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_organization_with_AI_optout_policy(self):
organizations_client = mock.MagicMock
organizations_client.region = AWS_REGION_EU_WEST_1
+ organizations_client.audited_partition = "aws"
+ organizations_client.audited_account = "0123456789012"
organizations_client.organizations = [
Organization(
id="o-1234567890",
@@ -162,6 +171,8 @@ def test_organization_with_AI_optout_policy(self):
def test_organization_with_AI_optout_policy_no_content(self):
organizations_client = mock.MagicMock
organizations_client.region = AWS_REGION_EU_WEST_1
+ organizations_client.audited_partition = "aws"
+ organizations_client.audited_account = "0123456789012"
organizations_client.organizations = [
Organization(
id="o-1234567890",
@@ -211,6 +222,6 @@ def test_organization_with_AI_optout_policy_no_content(self):
assert result[0].resource_id == "o-1234567890"
assert (
result[0].resource_arn
- == "arn:aws:organizations::1234567890:organization/o-1234567890"
+ == "arn:aws:organizations:eu-west-1:0123456789012:unknown"
)
assert result[0].region == AWS_REGION_EU_WEST_1
diff --git a/tests/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions_test.py b/tests/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions_test.py
index 645c0c9170d..1c489bbe036 100644
--- a/tests/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions_test.py
+++ b/tests/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions_test.py
@@ -7,7 +7,6 @@
Organizations,
)
from tests.providers.aws.utils import (
- AWS_ACCOUNT_ARN,
AWS_REGION_EU_CENTRAL_1,
AWS_REGION_EU_WEST_1,
set_mocked_aws_provider,
@@ -50,7 +49,10 @@ def test_no_organization(self):
== "AWS Organizations is not in-use for this AWS Account."
)
assert result[0].resource_id == "AWS Organization"
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:organizations:eu-west-1:123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_EU_WEST_1
@mock_aws
@@ -84,7 +86,10 @@ def test_organization_without_scp_deny_regions(self):
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].resource_id == response["Organization"]["Id"]
- assert result[0].resource_arn == response["Organization"]["Arn"]
+ assert (
+ result[0].resource_arn
+ == "arn:aws:organizations:eu-west-1:123456789012:unknown"
+ )
assert (
result[0].status_extended
== f"AWS Organization {org_id} has SCP policies but don't restrict AWS Regions."
@@ -176,7 +181,10 @@ def test_organization_with_scp_deny_regions_not_valid(self):
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].resource_id == response["Organization"]["Id"]
- assert result[0].resource_arn == response["Organization"]["Arn"]
+ assert (
+ result[0].resource_arn
+ == "arn:aws:organizations:eu-west-1:123456789012:unknown"
+ )
assert (
result[0].status_extended
== f"AWS Organization {org_id} has SCP policies {policy_id} restricting some AWS Regions, but not all the configured ones, please check config."
diff --git a/tests/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached_test.py b/tests/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached_test.py
index 9a90c9f61c8..a6b8b3bd9e2 100644
--- a/tests/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached_test.py
+++ b/tests/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached_test.py
@@ -15,6 +15,8 @@ class Test_organizations_tags_policies_enabled_and_attached:
def test_organization_no_organization(self):
organizations_client = mock.MagicMock
organizations_client.region = AWS_REGION_EU_WEST_1
+ organizations_client.audited_partition = "aws"
+ organizations_client.audited_account = "0123456789012"
organizations_client.organizations = [
Organization(
arn=AWS_ACCOUNT_ARN,
@@ -49,12 +51,17 @@ def test_organization_no_organization(self):
== "AWS Organizations is not in-use for this AWS Account."
)
assert result[0].resource_id == "AWS Organization"
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:organizations:eu-west-1:0123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_EU_WEST_1
def test_organization_with_tag_policies_not_attached(self):
organizations_client = mock.MagicMock
organizations_client.region = AWS_REGION_EU_WEST_1
+ organizations_client.audited_partition = "aws"
+ organizations_client.audited_account = "0123456789012"
organizations_client.organizations = [
Organization(
id="o-1234567890",
@@ -104,7 +111,7 @@ def test_organization_with_tag_policies_not_attached(self):
assert result[0].resource_id == "o-1234567890"
assert (
result[0].resource_arn
- == "arn:aws:organizations::1234567890:organization/o-1234567890"
+ == "arn:aws:organizations:eu-west-1:0123456789012:unknown"
)
assert result[0].region == AWS_REGION_EU_WEST_1
diff --git a/tests/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_test.py b/tests/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_test.py
index 8d601ae7cc3..1f85f1688f4 100644
--- a/tests/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_test.py
+++ b/tests/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_test.py
@@ -36,7 +36,10 @@ def test_securityhub_hub_inactive(self):
assert result[0].status == "FAIL"
assert result[0].status_extended == "Security Hub is not enabled."
assert result[0].resource_id == "Security Hub"
- assert result[0].resource_arn == AWS_ACCOUNT_ARN
+ assert (
+ result[0].resource_arn
+ == "arn:aws:securityhub:eu-west-1:0123456789012:unknown"
+ )
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_tags == [{"test_key": "test_value"}]
@@ -119,6 +122,8 @@ def test_securityhub_hub_active_with_integrations(self):
def test_securityhub_hub_active_without_integrations_or_standards(self):
securityhub_client = mock.MagicMock
securityhub_client.region = AWS_REGION_EU_WEST_1
+ securityhub_client.audited_partition = "aws"
+ securityhub_client.audited_account = "0123456789012"
securityhub_client.securityhubs = [
SecurityHubHub(
arn="arn:aws:securityhub:us-east-1:0123456789012:hub/default",
@@ -150,7 +155,7 @@ def test_securityhub_hub_active_without_integrations_or_standards(self):
assert result[0].resource_id == "default"
assert (
result[0].resource_arn
- == "arn:aws:securityhub:us-east-1:0123456789012:hub/default"
+ == "arn:aws:securityhub:eu-west-1:0123456789012:unknown"
)
assert result[0].region == AWS_REGION_EU_WEST_1
assert result[0].resource_tags == [{"test_key": "test_value"}]
@@ -159,6 +164,8 @@ def test_securityhub_hub_active_without_integrations_or_standards_muted(self):
securityhub_client = mock.MagicMock
securityhub_client.audit_config = {"mute_non_default_regions": True}
securityhub_client.region = AWS_REGION_EU_WEST_1
+ securityhub_client.audited_partition = "aws"
+ securityhub_client.audited_account = "0123456789012"
securityhub_client.securityhubs = [
SecurityHubHub(
arn="arn:aws:securityhub:us-east-1:0123456789012:hub/default",
@@ -191,7 +198,7 @@ def test_securityhub_hub_active_without_integrations_or_standards_muted(self):
assert result[0].resource_id == "default"
assert (
result[0].resource_arn
- == "arn:aws:securityhub:us-east-1:0123456789012:hub/default"
+ == "arn:aws:securityhub:eu-west-1:0123456789012:unknown"
)
assert result[0].region == "eu-south-2"
assert result[0].resource_tags == []