From 0b6aa0ddcd54abb577faea148117991cb71ed7e6 Mon Sep 17 00:00:00 2001
From: Felix Dreissig
Date: Fri, 18 Apr 2025 22:25:44 +0200
Subject: [PATCH] fix(aws): remove `SHA-1` from ACM insecure key algorithms (#7547)

---
 contrib/k8s/helm/prowler-api/values.yaml | 1 -
 prowler/config/config.yaml | 1 -
 .../acm_certificates_with_secure_key_algorithms.py | 2 +-
 tests/config/config_test.py | 1 -
 tests/config/fixtures/config.yaml | 1 -
 5 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/contrib/k8s/helm/prowler-api/values.yaml b/contrib/k8s/helm/prowler-api/values.yaml
index 16cd48058c..40a7fda298 100644
--- a/contrib/k8s/helm/prowler-api/values.yaml
+++ b/contrib/k8s/helm/prowler-api/values.yaml
@@ -399,7 +399,6 @@ mainConfig:
 [
 "RSA-1024",
 "P-192",
- "SHA-1",
 ]
 
 # AWS EKS Configuration
diff --git a/prowler/config/config.yaml b/prowler/config/config.yaml
index c8a2ee7e50..26b196e178 100644
--- a/prowler/config/config.yaml
+++ b/prowler/config/config.yaml
@@ -327,7 +327,6 @@ aws:
 [
 "RSA-1024",
 "P-192",
- "SHA-1",
 ]
 
 # AWS EKS Configuration
diff --git a/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py b/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py
index f2135cf77a..2ac5dd9199 100644
--- a/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py
+++ b/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py
@@ -14,7 +14,7 @@ class acm_certificates_with_secure_key_algorithms(Check):
 report.status = "PASS"
 report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} uses a secure key algorithm ({certificate.key_algorithm})."
 if certificate.key_algorithm in acm_client.audit_config.get(
- "insecure_key_algorithms", ["RSA-1024", "P-192", "SHA-1"]
+ "insecure_key_algorithms", ["RSA-1024", "P-192"]
 ):
 report.status = "FAIL"
 report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} does not use a secure key algorithm ({certificate.key_algorithm})."
diff --git a/tests/config/config_test.py b/tests/config/config_test.py
index d796bfde1a..465d16a05a 100644
--- a/tests/config/config_test.py
+++ b/tests/config/config_test.py
@@ -297,7 +297,6 @@ config_aws = {
 "insecure_key_algorithms": [
 "RSA-1024",
 "P-192",
- "SHA-1",
 ],
 "eks_required_log_types": [
 "api",
diff --git a/tests/config/fixtures/config.yaml b/tests/config/fixtures/config.yaml
index e9a4e6fad2..4d528e97da 100644
--- a/tests/config/fixtures/config.yaml
+++ b/tests/config/fixtures/config.yaml
@@ -317,7 +317,6 @@ aws:
 [
 "RSA-1024",
 "P-192",
- "SHA-1",
 ]
 
 # AWS EKS Configuration
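Review bot: The fallback default `["RSA-1024", "P-192"]` passed to `audit_config.get()` in the added line duplicates the `insecure_key_algorithms` default that `prowler/config/config.yaml`, the Helm values file and the test fixtures also carry, which is why this one-value change had to touch five files; hoisting it to a module-level constant such as `DEFAULT_INSECURE_KEY_ALGORITHMS = ["RSA-1024", "P-192"]` and writing the lookup as `acm_client.audit_config.get("insecure_key_algorithms", DEFAULT_INSECURE_KEY_ALGORITHMS)` would keep the code-side default in one place. Dropping `SHA-1` is consistent with this being a key-algorithm check, since SHA-1 is a digest/signature algorithm and so presumably never matched `certificate.key_algorithm`, but it also means a certificate signed with SHA-1 is not flagged here; if the ACM certificate model exposes the signature algorithm, that weakness belongs in a separate check rather than in this list. A short comment above the lookup, `# Key algorithms only; signature/digest algorithms (e.g. SHA-1) are out of scope for this check`, would stop the value from being re-added later. The enclosing method starts and ends outside the hunk.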