feat(arn): refactor arn for unknown resources #5712

wants to merge 1 commit into
base: master
Expand Up @@ -20,6 +20,7 @@ def execute(self):
)

else:
report.resource_arn = f"arn:{accessanalyzer_client.audited_partition}:accessanalyzer:{analyzer.region}:{accessanalyzer_client.audited_account}:unknown"
if analyzer.status == "NOT_AVAILABLE":
report.status = "FAIL"
report.status_extended = f"IAM Access Analyzer in account {analyzer.name} is not enabled."
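Review bot: The sentinel built on the new `report.resource_arn = f"arn:{accessanalyzer_client.audited_partition}:accessanalyzer:…:unknown"` line is the same f-string repeated in the Bedrock, GuardDuty, IAM, Organizations and Security Hub hunks below, so the partition/service/region/account layout of the `unknown` convention now lives in roughly ten places. A single helper, for example on the shared AWS service client or as a method of Check_Report_AWS, would keep that layout in one spot and make the convention greppable for consumers that correlate findings by ARN; the client base class is not visible here, so where it belongs is inferred. Separately, real Access Analyzer ARNs use the `access-analyzer` service namespace, so the `accessanalyzer` segment here will never share a prefix with an actual analyzer ARN, which is worth deciding deliberately. The enclosing execute starts before and ends after this hunk.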
Expand Up @@ -9,12 +9,13 @@ def execute(self):
report = Check_Report_AWS(self.metadata())
report.region = region
report.resource_id = bedrock_client.audited_account
report.resource_arn = bedrock_client.audited_account_arn
report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{region}:{bedrock_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = "Bedrock Model Invocation Logging is disabled."
if logging.enabled:
report.status = "PASS"
report.status_extended = "Bedrock Model Invocation Logging is enabled"
report.resource_arn = bedrock_client.audited_account_arn
if logging.cloudwatch_log_group and logging.s3_bucket:
report.status_extended += f" in CloudWatch Log Group: {logging.cloudwatch_log_group} and S3 Bucket: {logging.s3_bucket}."
elif logging.cloudwatch_log_group:
Expand Up @@ -37,12 +37,15 @@ def execute(self):
):
cloudwatch_encryption = False
if not s3_encryption and not cloudwatch_encryption:
report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{bedrock_client.region}:{bedrock_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = f"Bedrock Model Invocation logs are not encrypted in S3 bucket: {logging.s3_bucket} and CloudWatch Log Group: {logging.cloudwatch_log_group}."
elif not s3_encryption:
report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{bedrock_client.region}:{bedrock_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = f"Bedrock Model Invocation logs are not encrypted in S3 bucket: {logging.s3_bucket}."
elif not cloudwatch_encryption:
report.resource_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{bedrock_client.region}:{bedrock_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = f"Bedrock Model Invocation logs are not encrypted in CloudWatch Log Group: {logging.cloudwatch_log_group}."
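Review bot: The identical sentinel assignment is added to all three FAIL branches of the `if not s3_encryption and not cloudwatch_encryption` chain; computing it once, `unknown_arn = f"arn:{bedrock_client.audited_partition}:bedrock:{bedrock_client.region}:{bedrock_client.audited_account}:unknown"`, before the chain and assigning `report.resource_arn = unknown_arn` in each branch removes the triplication and the risk of the copies drifting. The region also comes from `bedrock_client.region`, whereas the model-invocation-logging hunk above builds its sentinel from the per-iteration `region`; if this check iterates regions as well (the loop is outside the hunk), the client default region will be stamped on findings from other regions. The enclosing execute starts before and ends after this hunk.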

Expand Up @@ -15,14 +15,17 @@ def execute(self):
report.status_extended = f"GuardDuty detector {detector.id} enabled."

if not detector.enabled_in_account:
report.resource_arn = f"arn:{guardduty_client.audited_partition}:guardduty:{guardduty_client.region}:{guardduty_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = "GuardDuty is not enabled."
elif detector.status is None:
report.resource_arn = f"arn:{guardduty_client.audited_partition}:guardduty:{guardduty_client.region}:{guardduty_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = (
f"GuardDuty detector {detector.id} not configured."
)
elif not detector.status:
report.resource_arn = f"arn:{guardduty_client.audited_partition}:guardduty:{guardduty_client.region}:{guardduty_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = (
f"GuardDuty detector {detector.id} configured but suspended."
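Review bot: The three new sentinel ARNs take their region from `guardduty_client.region` rather than from the detector, and the GuardDuty test hunk further down shows the effect: an expectation of `f"arn:aws:guardduty:{AWS_REGION_EU_WEST_1}:…:detector/{detector_id}"` becomes `"arn:aws:guardduty:us-east-1:123456789012:unknown"`, so a detector audited in eu-west-1 now reports an ARN claiming us-east-1 and anyone correlating findings by ARN mis-attributes the region. If the detector model exposes its region (not visible in this hunk) the sentinel should use it. The `elif detector.status is None` and `elif not detector.status` branches also describe a detector whose `detector.id` is known and still written to `resource_id`, so the real `detector/{detector.id}` ARN is available there; the `unknown` sentinel seems justified only in the `not detector.enabled_in_account` branch. The enclosing execute starts before and ends after this hunk.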
Expand Up @@ -9,6 +9,7 @@ def execute(self) -> Check_Report_AWS:
report = Check_Report_AWS(self.metadata())
report.resource_id = iam_client.audited_account
report.resource_arn = iam_client.audited_account_arn
report.resource_arn = f"arn:{iam_client.audited_partition}:accessanalyzer:{iam_client.region}:{iam_client.audited_account}:unknown"
report.region = iam_client.region
report.status = "FAIL"
report.status_extended = "No SAML Providers found."
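Review bot: The service segment of the new `report.resource_arn = f"arn:{iam_client.audited_partition}:accessanalyzer:…:unknown"` line is `accessanalyzer`, which looks copied from the Access Analyzer check; this is the IAM SAML providers check, and the IAM test hunk at the bottom of the page pins the wrong value as `"arn:aws:accessanalyzer:us-east-1:123456789012:unknown"`. It should read `report.resource_arn = f"arn:{iam_client.audited_partition}:iam:{iam_client.region}:{iam_client.audited_account}:unknown"`, with the test expectation updated to match. IAM is a global service and the removed `arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root` expectation had an empty region field, so whether the sentinel should carry a region at all deserves a decision too. The enclosing execute ends outside the hunk.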
Expand Up @@ -14,14 +14,15 @@ def execute(self):
report.status_extended = (
f"AWS Organization {org.id} contains this AWS account."
)
report.resource_arn = org.arn
else:
report.status = "FAIL"
report.status_extended = (
"AWS Organizations is not in-use for this AWS Account."
)
report.resource_arn = f"arn:{organizations_client.audited_partition}:organizations:{organizations_client.region}:{organizations_client.audited_account}:unknown"
report.region = organizations_client.region
report.resource_id = org.id
report.resource_arn = org.arn
findings.append(report)

return findings
Expand Up @@ -12,7 +12,7 @@ def execute(self):
if org.policies is not None: # Access Denied to list_policies
report = Check_Report_AWS(self.metadata())
report.resource_id = org.id
report.resource_arn = org.arn
report.resource_arn = f"arn:{organizations_client.audited_partition}:organizations:{organizations_client.region}:{organizations_client.audited_account}:unknown"
report.region = organizations_client.region
report.status = "FAIL"
report.status_extended = (
Expand All @@ -28,6 +28,7 @@ def execute(self):
.get("@@assign")
== "optOut"
):
report.resource_arn = org.arn
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has opted out of all AI services, not granting consent for AWS to access its data."
break
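Review bot: The FAIL path now carries the `unknown` sentinel although the organization exists and `org.arn` is known: the report is only built under `if org.policies is not None`, and `report.resource_id = org.id` still names the real organization. Replacing a real resource ARN with a synthetic one because the check fails conflates "no resource" with "resource non-compliant", and consumers that dedupe, suppress or track findings by ARN lose the link to the organization. The same applies to the SCP deny-regions and tag-policies hunks below. Suggest keeping the original `report.resource_arn = org.arn` next to `report.resource_id = org.id` and reserving `unknown` for paths where no organization is present, as the account-part-of-organizations hunk above does in its `else` branch. The enclosing execute continues outside the hunk.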
Expand Up @@ -15,7 +15,7 @@
if org.policies is not None: # Access denied to list policies
report = Check_Report_AWS(self.metadata())
report.resource_id = org.id
report.resource_arn = org.arn
report.resource_arn = f"arn:{organizations_client.audited_partition}:organizations:{organizations_client.region}:{organizations_client.audited_account}:unknown"
report.region = organizations_client.region
report.status = "FAIL"
report.status_extended = (
Expand Down Expand Up @@ -53,6 +53,7 @@
for region in organizations_enabled_regions
):
# All defined regions are restricted, we exit here, no need to continue.
report.resource_arn = org.arn
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has SCP policy {policy.id} restricting all configured regions found."
findings.append(report)
Expand All @@ -79,6 +80,7 @@
for region in organizations_enabled_regions
):
# All defined regions are restricted, we exit here, no need to continue.
report.resource_arn = org.arn

report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has SCP policy {policy.id} restricting all configured regions found."
findings.append(report)
Expand Up @@ -12,7 +12,7 @@ def execute(self):
if org.policies is not None: # Access Denied to list_policies
report = Check_Report_AWS(self.metadata())
report.resource_id = org.id
report.resource_arn = org.arn
report.resource_arn = f"arn:{organizations_client.audited_partition}:organizations:{organizations_client.region}:{organizations_client.audited_account}:unknown"
report.region = organizations_client.region
report.status = "FAIL"
report.status_extended = (
Expand All @@ -26,6 +26,7 @@ def execute(self):
for policy in org.policies.get("TAG_POLICY", []):
report.status_extended = f"AWS Organization {org.id} has tag policies enabled but not attached."
if policy.targets:
report.resource_arn = org.arn
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has tag policies enabled and attached to an AWS account."

Expand Up @@ -20,9 +20,11 @@ def execute(self):
elif securityhub.integrations:
report.status_extended = f"Security Hub is enabled without standards but with integrations: {securityhub.integrations}."
else:
report.resource_arn = f"arn:{securityhub_client.audited_partition}:securityhub:{securityhub_client.region}:{securityhub_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = "Security Hub is enabled but without any standard or integration."
else:
report.resource_arn = f"arn:{securityhub_client.audited_partition}:securityhub:{securityhub_client.region}:{securityhub_client.audited_account}:unknown"
report.status = "FAIL"
report.status_extended = "Security Hub is not enabled."
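Review bot: Both new lines build the identical sentinel from `securityhub_client.region`, while the surrounding branches inspect a per-item `securityhub` object; if that object carries the region the hub was inspected in (not visible in this hunk), the client-level default region will label findings from other regions incorrectly. Computing the string once into a local before the `if` chain and using the item's region where available would address both the duplication and the attribution. The enclosing execute starts before and ends after this hunk.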

Expand Up @@ -34,6 +34,8 @@ def test_one_analyzer_not_available(self):
# Include analyzers to check
accessanalyzer_client = mock.MagicMock
accessanalyzer_client.region = AWS_REGION_1
accessanalyzer_client.audited_partition = "aws"
accessanalyzer_client.audited_account = AWS_ACCOUNT_NUMBER
accessanalyzer_client.analyzers = [
Analyzer(
arn=AWS_ACCOUNT_ARN,
Expand Down Expand Up @@ -62,7 +64,10 @@ def test_one_analyzer_not_available(self):
== f"IAM Access Analyzer in account {AWS_ACCOUNT_NUMBER} is not enabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert (
result[0].resource_arn
== "arn:aws:accessanalyzer:eu-west-1:123456789012:unknown"
)
assert result[0].region == AWS_REGION_1
assert result[0].resource_tags == []

Expand All @@ -71,6 +76,8 @@ def test_one_analyzer_not_available_muted(self):
accessanalyzer_client = mock.MagicMock
accessanalyzer_client.region = AWS_REGION_2
accessanalyzer_client.audit_config = {"mute_non_default_regions": True}
accessanalyzer_client.audited_partition = "aws"
accessanalyzer_client.audited_account = AWS_ACCOUNT_NUMBER
accessanalyzer_client.analyzers = [
Analyzer(
arn=AWS_ACCOUNT_ARN,
Expand Down Expand Up @@ -100,13 +107,18 @@ def test_one_analyzer_not_available_muted(self):
== f"IAM Access Analyzer in account {AWS_ACCOUNT_NUMBER} is not enabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert (
result[0].resource_arn
== "arn:aws:accessanalyzer:eu-west-1:123456789012:unknown"
)
assert result[0].region == AWS_REGION_1
assert result[0].resource_tags == []

def test_two_analyzers(self):
accessanalyzer_client = mock.MagicMock
accessanalyzer_client.region = AWS_REGION_1
accessanalyzer_client.audited_partition = "aws"
accessanalyzer_client.audited_account = AWS_ACCOUNT_NUMBER
accessanalyzer_client.analyzers = [
Analyzer(
arn=AWS_ACCOUNT_ARN,
Expand Down Expand Up @@ -147,7 +159,10 @@ def test_two_analyzers(self):
== f"IAM Access Analyzer in account {AWS_ACCOUNT_NUMBER} is not enabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert (
result[0].resource_arn
== "arn:aws:accessanalyzer:eu-west-1:123456789012:unknown"
)
assert result[0].resource_tags == []
assert result[0].region == AWS_REGION_1
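Review bot: The three new expectations hardcode `"arn:aws:accessanalyzer:eu-west-1:123456789012:unknown"` while the same tests already parameterise their inputs with `AWS_REGION_1` and `AWS_ACCOUNT_NUMBER`; writing the expectation as `f"arn:aws:accessanalyzer:{AWS_REGION_1}:{AWS_ACCOUNT_NUMBER}:unknown"` ties the assertion to the fixture values, and the same point applies to the Bedrock and Organizations test hunks below. In the muted test the client region is set to `AWS_REGION_2` yet the expected ARN says eu-west-1, which only passes because the check reads `analyzer.region`; an f-string against the analyzer's region would make that dependency explicit rather than accidental.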

Expand Up @@ -42,15 +42,21 @@ def test_no_loggings(self):
== "Bedrock Model Invocation Logging is disabled."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert (
result[0].resource_arn
== "arn:aws:bedrock:us-east-1:123456789012:unknown"
)
assert result[0].resource_tags == []
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== "Bedrock Model Invocation Logging is disabled."
)
assert result[1].resource_id == AWS_ACCOUNT_NUMBER
assert result[1].resource_arn == AWS_ACCOUNT_ARN
assert (
result[1].resource_arn
== "arn:aws:bedrock:eu-west-1:123456789012:unknown"
)
assert result[1].resource_tags == []

@mock_aws
Expand Up @@ -97,7 +97,10 @@ def test_s3_and_cloudwatch_logging_not_encrypted(self):
== "Bedrock Model Invocation logs are not encrypted in S3 bucket: testconfigbucket and CloudWatch Log Group: Test."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert (
result[0].resource_arn
== "arn:aws:bedrock:us-east-1:123456789012:unknown"
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []

Expand Down Expand Up @@ -147,7 +150,10 @@ def test_s3_logging_not_encrypted(self):
== "Bedrock Model Invocation logs are not encrypted in S3 bucket: testconfigbucket."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert (
result[0].resource_arn
== "arn:aws:bedrock:us-east-1:123456789012:unknown"
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []

Expand Down Expand Up @@ -199,7 +205,10 @@ def test_cloudwatch_logging_not_encrypted(self):
== "Bedrock Model Invocation logs are not encrypted in CloudWatch Log Group: Test."
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert (
result[0].resource_arn
== "arn:aws:bedrock:us-east-1:123456789012:unknown"
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].resource_tags == []

Expand Up @@ -110,7 +110,7 @@ def test_guardduty_configured_but_suspended(self):
assert result.resource_id == detector_id
assert (
result.resource_arn
== f"arn:aws:guardduty:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:detector/{detector_id}"
== "arn:aws:guardduty:us-east-1:123456789012:unknown"
)
assert result.resource_tags == []

Expand Down Expand Up @@ -152,7 +152,7 @@ def test_guardduty_not_configured(self):
assert result.resource_id == detector_id
assert (
result.resource_arn
== f"arn:aws:guardduty:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:detector/{detector_id}"
== "arn:aws:guardduty:us-east-1:123456789012:unknown"
)
assert result.resource_tags == []

Expand Down Expand Up @@ -193,7 +193,7 @@ def test_guardduty_not_configured_muted(self):
assert result.resource_id == detector_id
assert (
result.resource_arn
== f"arn:aws:guardduty:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:detector/{detector_id}"
== "arn:aws:guardduty:us-east-1:123456789012:unknown"
)
assert result.resource_tags == []
assert result.muted
Expand Up @@ -121,7 +121,8 @@ def test_iam_check_saml_providers_sts_no_saml_providers(self):
assert result[0].status == "FAIL"
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn == f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
result[0].resource_arn
== "arn:aws:accessanalyzer:us-east-1:123456789012:unknown"
)
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].status_extended == "No SAML Providers found."
Expand Up @@ -6,11 +6,7 @@
from prowler.providers.aws.services.organizations.organizations_service import (
Organizations,
)
from tests.providers.aws.utils import (
AWS_ACCOUNT_ARN,
AWS_REGION_EU_WEST_1,
set_mocked_aws_provider,
)
from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider


class Test_organizations_account_part_of_organizations:
Expand Down Expand Up @@ -43,7 +39,10 @@ def test_no_organization(self):
== "AWS Organizations is not in-use for this AWS Account."
)
assert result[0].resource_id == "AWS Organization"
assert result[0].resource_arn == AWS_ACCOUNT_ARN
assert (
result[0].resource_arn
== "arn:aws:organizations:eu-west-1:123456789012:unknown"
)
assert result[0].region == AWS_REGION_EU_WEST_1

@mock_aws