fix(aws): review checks with wrong attributes (#5503)
+3
-3
@@ -1,4 +1,4 @@
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
|
||||
from prowler.providers.aws.services.acm.acm_client import acm_client
|
||||
|
||||
|
||||
@@ -22,10 +22,10 @@ class acm_certificates_expiration_check(Check):
|
||||
report.status = "FAIL"
|
||||
if certificate.expiration_days < 0:
|
||||
report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
|
||||
report.check_metadata.Severity = "high"
|
||||
report.check_metadata.Severity = Severity.high
|
||||
else:
|
||||
report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
|
||||
report.check_metadata.Severity = "medium"
|
||||
report.check_metadata.Severity = Severity.medium
|
||||
|
||||
report.resource_id = certificate.id
|
||||
report.resource_details = certificate.name
|
||||
|
||||
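Review bot: The per-finding assignment `report.check_metadata.Severity = Severity.high` / `Severity.medium` overrides the static severity that ships in the check's metadata, and nothing in the hunk says so; a comment on the first assignment such as `# Escalate the metadata severity per finding: an already-expired certificate is a higher risk than one merely close to expiry.` would make the intent explicit. It is also worth confirming that `Check_Report_AWS(self.metadata())` gives each report its own `check_metadata` object — if that object were shared with the check, the last assignment would leak into sibling findings. The same pattern is introduced in the documentdb, elasticache, neptune and rds_instance_certificate_expiration sections below. The `execute` body starts and ends outside the hunk.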
+2
-2
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "codebuild_project_no_secrets_in_variables",
|
||||
"CheckTitle": "Ensure CodeBuild projects do not contain secrets on plaintext environmet variables",
|
||||
"CheckTitle": "Ensure CodeBuild projects do not contain secrets on plaintext environment variables",
|
||||
"CheckType": [
|
||||
"Security Best Practices"
|
||||
],
|
||||
@@ -21,7 +21,7 @@
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "",
|
||||
"Text": "Do not store secrets in plaintext environment variables. Use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely store and retrieve sensitive information.",
|
||||
"Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html"
|
||||
}
|
||||
},
|
||||
|
||||
+2
-2
@@ -1,4 +1,4 @@
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
|
||||
from prowler.providers.aws.services.documentdb.documentdb_client import (
|
||||
documentdb_client,
|
||||
)
|
||||
@@ -25,7 +25,7 @@ class documentdb_cluster_backup_enabled(Check):
|
||||
else:
|
||||
if cluster.backup_retention_period > 0:
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "low"
|
||||
report.check_metadata.Severity = Severity.low
|
||||
report.status_extended = f"DocumentDB Cluster {cluster.id} has backup enabled with retention period {cluster.backup_retention_period} days. Recommended to increase the backup retention period to a minimum of 7 days."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
+2
-2
@@ -1,4 +1,4 @@
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
|
||||
from prowler.providers.aws.services.documentdb.documentdb_client import (
|
||||
documentdb_client,
|
||||
)
|
||||
@@ -27,7 +27,7 @@ class documentdb_cluster_cloudwatch_log_export(Check):
|
||||
or "profiler" in cluster.cloudwatch_logs
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "low"
|
||||
report.check_metadata.Severity = Severity.low
|
||||
report.status_extended = f"DocumentDB Cluster {cluster.id} is only shipping {' '.join(cluster.cloudwatch_logs)} to CloudWatch Logs. Recommended to ship both Audit and Profiler logs."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
+1
-2
@@ -11,8 +11,7 @@ class ecr_registry_scan_images_on_push_enabled(Check):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = registry.region
|
||||
report.resource_id = registry.id
|
||||
# A registry cannot have tags
|
||||
report.resource_tags = []
|
||||
report.resource_arn = registry.arn
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scanning without scan on push enabled."
|
||||
if registry.rules:
|
||||
|
||||
@@ -58,6 +58,7 @@ class ECR(AWSService):
|
||||
# The default ECR registry is assumed
|
||||
self.registries[regional_client.region] = Registry(
|
||||
id=self.registry_id,
|
||||
arn=f"arn:{self.audited_partition}:ecr:{regional_client.region}:registry/{self.registry_id}",
|
||||
region=regional_client.region,
|
||||
repositories=regional_registry_repositories,
|
||||
)
|
||||
@@ -389,6 +390,7 @@ class ScanningRule(BaseModel):
|
||||
|
||||
class Registry(BaseModel):
|
||||
id: str
|
||||
arn: str
|
||||
region: str
|
||||
repositories: list[Repository]
|
||||
scan_type: Optional[str]
|
||||
|
||||
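Review bot: The registry ARN built in `ECR` at the `arn=` line has an empty account field (`arn:{partition}:ecr:{region}:registry/{registry_id}`), whereas every fixture in the ecr test files below expects `arn:aws:ecr:{region}:{account}:registry/{account}`; because the tests construct `Registry` objects directly, the mismatch is never exercised. If `registry_id` is the account id, as the fixtures' `id=AWS_ACCOUNT_NUMBER` suggest, the line should presumably read `arn=f"arn:{self.audited_partition}:ecr:{regional_client.region}:{self.registry_id}:registry/{self.registry_id}",`. A test that obtains the ARN through the service rather than the model would catch this kind of drift. The method that builds the registry starts and ends outside the hunk.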
+2
-2
@@ -1,4 +1,4 @@
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
|
||||
from prowler.providers.aws.services.elasticache.elasticache_client import (
|
||||
elasticache_client,
|
||||
)
|
||||
@@ -23,7 +23,7 @@ class elasticache_redis_cluster_backup_enabled(Check):
|
||||
else:
|
||||
if repl_group.snapshot_retention > 0:
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "low"
|
||||
report.check_metadata.Severity = Severity.low
|
||||
report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} has automated snapshot backups enabled with retention period {repl_group.snapshot_retention} days. Recommended to increase the snapshot retention period to a minimum of 7 days."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
+1
-1
@@ -9,7 +9,7 @@
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
|
||||
"Severity": "high",
|
||||
"ResourceType": "",
|
||||
"ResourceType": "AwsGuardDutyDetector",
|
||||
"Description": "GuardDuty Lambda Protection helps you identify potential security threats when an AWS Lambda function gets invoked. After you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs associated with the Lambda functions in your AWS account.",
|
||||
"Risk": "If Lambda Protection is not enabled, GuardDuty will not be able to monitor Lambda network activity logs and may miss potential security threats.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html",
|
||||
|
||||
+2
-2
@@ -1,4 +1,4 @@
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
|
||||
from prowler.providers.aws.services.neptune.neptune_client import neptune_client
|
||||
|
||||
|
||||
@@ -23,7 +23,7 @@ class neptune_cluster_backup_enabled(Check):
|
||||
else:
|
||||
if cluster.backup_retention_period > 0:
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "low"
|
||||
report.check_metadata.Severity = Severity.low
|
||||
report.status_extended = f"Neptune Cluster {cluster.name} has backup enabled with retention period {cluster.backup_retention_period} days. Recommended to increase the backup retention period to a minimum of 7 days."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
@@ -116,9 +116,13 @@ class Organizations(AWSService):
|
||||
except ClientError as error:
|
||||
if error.response["Error"]["Code"] == "AccessDeniedException":
|
||||
policies = None
|
||||
logger.error(
|
||||
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
||||
)
|
||||
logger.warning(
|
||||
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
||||
)
|
||||
else:
|
||||
logger.error(
|
||||
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
||||
)
|
||||
|
||||
except Exception as error:
|
||||
logger.error(
|
||||
|
||||
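Review bot: The `AccessDeniedException` branch leaves `policies = None` and now logs at warning level, while the new `else:` branch logs other `ClientError`s at error level without touching `policies`; what the caller does with `None` is outside the hunk, so a comment stating that `None` is the deliberate "could not read" sentinel, distinct from an empty list, would keep later readers from folding the two cases together, e.g. `# None marks "not permitted to list policies" so checks can tell it from "no policies"`. From an operator's point of view a missing permission means the dependent checks silently lose coverage, and that warning line is the only signal of it, so it should stay prominent. The enclosing method starts and ends outside the hunk.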
+12
-12
@@ -3,7 +3,7 @@ from datetime import datetime
|
||||
from dateutil import relativedelta
|
||||
from pytz import utc
|
||||
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS
|
||||
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
|
||||
from prowler.providers.aws.services.rds.rds_client import rds_client
|
||||
|
||||
|
||||
@@ -21,7 +21,7 @@ class rds_instance_certificate_expiration(Check):
|
||||
report.resource_arn = db_instance_arn
|
||||
report.resource_tags = db_instance.tags
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "critical"
|
||||
report.check_metadata.Severity = Severity.critical
|
||||
report.status_extended = (
|
||||
f"RDS Instance {db_instance.id} certificate has expired."
|
||||
)
|
||||
@@ -33,7 +33,7 @@ class rds_instance_certificate_expiration(Check):
|
||||
utc
|
||||
) + relativedelta.relativedelta(months=6):
|
||||
report.status = "PASS"
|
||||
report.check_metadata.Severity = "informational"
|
||||
report.check_metadata.Severity = Severity.informational
|
||||
report.status_extended = f"RDS Instance {db_instance.id} certificate has over 6 months of validity left."
|
||||
elif cert.valid_till < datetime.now(
|
||||
utc
|
||||
@@ -45,7 +45,7 @@ class rds_instance_certificate_expiration(Check):
|
||||
months=3
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.check_metadata.Severity = "low"
|
||||
report.check_metadata.Severity = Severity.low
|
||||
report.status_extended = f"RDS Instance {db_instance.id} certificate has between 3 and 6 months of validity."
|
||||
elif cert.valid_till < datetime.now(
|
||||
utc
|
||||
@@ -57,7 +57,7 @@ class rds_instance_certificate_expiration(Check):
|
||||
months=1
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "medium"
|
||||
report.check_metadata.Severity = Severity.medium
|
||||
report.status_extended = f"RDS Instance {db_instance.id} certificate less than 3 months of validity."
|
||||
elif cert.valid_till < datetime.now(
|
||||
utc
|
||||
@@ -67,11 +67,11 @@ class rds_instance_certificate_expiration(Check):
|
||||
utc
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "high"
|
||||
report.check_metadata.Severity = Severity.high
|
||||
report.status_extended = f"RDS Instance {db_instance.id} certificate less than 1 month of validity."
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "critical"
|
||||
report.check_metadata.Severity = Severity.critical
|
||||
report.status_extended = (
|
||||
f"RDS Instance {db_instance.id} certificate has expired."
|
||||
)
|
||||
@@ -80,7 +80,7 @@ class rds_instance_certificate_expiration(Check):
|
||||
utc
|
||||
) + relativedelta.relativedelta(months=6):
|
||||
report.status = "PASS"
|
||||
report.check_metadata.Severity = "informational"
|
||||
report.check_metadata.Severity = Severity.informational
|
||||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has over 6 months of validity left."
|
||||
elif cert.valid_till < datetime.now(
|
||||
utc
|
||||
@@ -92,7 +92,7 @@ class rds_instance_certificate_expiration(Check):
|
||||
months=3
|
||||
):
|
||||
report.status = "PASS"
|
||||
report.check_metadata.Severity = "low"
|
||||
report.check_metadata.Severity = Severity.low
|
||||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has between 3 and 6 months of validity."
|
||||
elif cert.valid_till < datetime.now(
|
||||
utc
|
||||
@@ -104,7 +104,7 @@ class rds_instance_certificate_expiration(Check):
|
||||
months=1
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "medium"
|
||||
report.check_metadata.Severity = Severity.medium
|
||||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate less than 3 months of validity."
|
||||
elif cert.valid_till < datetime.now(
|
||||
utc
|
||||
@@ -114,11 +114,11 @@ class rds_instance_certificate_expiration(Check):
|
||||
utc
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "high"
|
||||
report.check_metadata.Severity = Severity.high
|
||||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate less than 1 month of validity."
|
||||
else:
|
||||
report.status = "FAIL"
|
||||
report.check_metadata.Severity = "critical"
|
||||
report.check_metadata.Severity = Severity.critical
|
||||
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has expired."
|
||||
findings.append(report)
|
||||
|
||||
|
||||
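Review bot: Each `elif` in the validity ladder calls `datetime.now(utc)` afresh (the repeated `elif cert.valid_till < datetime.now(` lines), so the thresholds within one pass are measured against slightly different instants; binding `now = datetime.now(utc)` once before the chain and comparing against `now + relativedelta.relativedelta(months=6)` and so on makes the ladder self-consistent and shorter. The CA-certificate and customer-override ladders are otherwise line-for-line duplicates differing only in the `custom ` wording of the messages, which is where a small helper mapping remaining validity to (status, severity, message) would pay off; I have not proposed one because the branch that selects between the two ladders lies outside the hunks. The `execute` body starts outside the first hunk and continues past the last.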
+1
-1
@@ -21,7 +21,7 @@
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "",
|
||||
"Text": "Create a backup plan for the RDS instance to protect it from data loss, accidental deletion, or corruption.",
|
||||
"Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html"
|
||||
}
|
||||
},
|
||||
|
||||
+1
@@ -11,6 +11,7 @@ class route53_domains_privacy_protection_enabled(Check):
|
||||
for domain in route53domains_client.domains.values():
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.resource_id = domain.name
|
||||
report.resource_arn = domain.arn
|
||||
report.region = domain.region
|
||||
report.resource_tags = domain.tags
|
||||
if domain.admin_privacy:
|
||||
|
||||
+1
@@ -11,6 +11,7 @@ class route53_domains_transferlock_enabled(Check):
|
||||
for domain in route53domains_client.domains.values():
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.resource_id = domain.name
|
||||
report.resource_arn = domain.arn
|
||||
report.region = domain.region
|
||||
report.resource_tags = domain.tags
|
||||
if domain.status_list and "clientTransferProhibited" in domain.status_list:
|
||||
|
||||
@@ -161,7 +161,9 @@ class Route53Domains(AWSService):
|
||||
domain_name = domain["DomainName"]
|
||||
|
||||
self.domains[domain_name] = Domain(
|
||||
name=domain_name, region=self.region
|
||||
name=domain_name,
|
||||
arn=f"arn:{self.audited_partition}:route53:::domain/{domain_name}",
|
||||
region=self.region,
|
||||
)
|
||||
|
||||
except Exception as error:
|
||||
@@ -198,6 +200,7 @@ class Route53Domains(AWSService):
|
||||
|
||||
class Domain(BaseModel):
|
||||
name: str
|
||||
arn: str
|
||||
region: str
|
||||
admin_privacy: bool = False
|
||||
status_list: list[str] = None
|
||||
|
||||
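Review bot: `status_list: list[str] = None` on `Domain` declares a non-optional list with a `None` default; the transferlock check guards it with `if domain.status_list and ...`, so the field is optional in practice and should say so, `status_list: Optional[list[str]] = None` (importing `Optional` from `typing` if the module does not already), matching the `Optional[str]` style used on `Registry.scan_type` in the ECR service. The new `arn` field is built from `audited_partition` and the domain name only, with no account component; that agrees with the fixtures in this commit, but it is worth confirming against the ARN format AWS documents for registered domains and recording the outcome in a one-line comment so a later reader does not "fix" it. The method that builds `Domain` starts outside the hunk.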
@@ -14,15 +14,21 @@ class WAF(AWSService):
|
||||
self.rules = {}
|
||||
self.rule_groups = {}
|
||||
self.web_acls = {}
|
||||
self._list_rules()
|
||||
self.__threading_call__(self._get_rule, self.rules.values())
|
||||
self._list_rule_groups()
|
||||
self.__threading_call__(
|
||||
self._list_activated_rules_in_rule_group, self.rule_groups.values()
|
||||
)
|
||||
self._list_web_acls()
|
||||
self.__threading_call__(self._get_web_acl, self.web_acls.values())
|
||||
self.__threading_call__(self._get_logging_configuration, self.web_acls.values())
|
||||
if self.audited_partition == "aws":
|
||||
# AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets.
|
||||
self.region = "us-east-1"
|
||||
self.client = self.session.client(self.service, self.region)
|
||||
self._list_rules()
|
||||
self.__threading_call__(self._get_rule, self.rules.values())
|
||||
self._list_rule_groups()
|
||||
self.__threading_call__(
|
||||
self._list_activated_rules_in_rule_group, self.rule_groups.values()
|
||||
)
|
||||
self._list_web_acls()
|
||||
self.__threading_call__(self._get_web_acl, self.web_acls.values())
|
||||
self.__threading_call__(
|
||||
self._get_logging_configuration, self.web_acls.values()
|
||||
)
|
||||
|
||||
def _list_rules(self):
|
||||
logger.info("WAF - Listing Global Rules...")
|
||||
|
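Review bot: When `audited_partition` is not `"aws"`, `__init__` now leaves `rules`, `rule_groups` and `web_acls` empty and emits no log line, so the WAF Classic checks presumably report nothing and an operator cannot tell "nothing configured" from "not enumerated"; an `else:` with `logger.info("WAF - Global WAF Classic is only enumerated in the 'aws' partition, skipping.")` would make the coverage gap visible. Whether `self.client` exists at all on the non-`aws` path depends on the base class, which is outside the hunk — worth confirming the `_list_*` helpers are never reached there. Minor: `self.session.client(self.service, self.region)` passes the region positionally; `region_name=self.region` reads more clearly. `__init__` starts outside the hunk.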
||||
+20
@@ -7,6 +7,7 @@ from prowler.providers.aws.services.ecr.ecr_service import (
|
||||
ScanningRule,
|
||||
)
|
||||
from tests.providers.aws.utils import (
|
||||
AWS_ACCOUNT_ARN,
|
||||
AWS_ACCOUNT_NUMBER,
|
||||
AWS_REGION_EU_WEST_1,
|
||||
set_mocked_aws_provider,
|
||||
@@ -43,6 +44,7 @@ class Test_ecr_registry_scan_images_on_push_enabled:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[],
|
||||
@@ -66,9 +68,11 @@ class Test_ecr_registry_scan_images_on_push_enabled:
|
||||
|
||||
def test_registry_scan_on_push_enabled(self):
|
||||
ecr_client = mock.MagicMock
|
||||
ecr_client.audited_account_arn = AWS_ACCOUNT_ARN
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -107,13 +111,19 @@ class Test_ecr_registry_scan_images_on_push_enabled:
|
||||
assert result[0].status == "PASS"
|
||||
assert search("with scan on push", result[0].status_extended)
|
||||
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
|
||||
assert (
|
||||
result[0].resource_arn
|
||||
== f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}"
|
||||
)
|
||||
assert result[0].region == AWS_REGION_EU_WEST_1
|
||||
|
||||
def test_scan_on_push_enabled_with_filters(self):
|
||||
ecr_client = mock.MagicMock
|
||||
ecr_client.audited_account_arn = AWS_ACCOUNT_ARN
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -155,13 +165,19 @@ class Test_ecr_registry_scan_images_on_push_enabled:
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
|
||||
assert (
|
||||
result[0].resource_arn
|
||||
== f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}"
|
||||
)
|
||||
assert result[0].region == AWS_REGION_EU_WEST_1
|
||||
|
||||
def test_scan_on_push_disabled(self):
|
||||
ecr_client = mock.MagicMock
|
||||
ecr_client.audited_account_arn = AWS_ACCOUNT_ARN
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -195,4 +211,8 @@ class Test_ecr_registry_scan_images_on_push_enabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert search("scanning without scan on push", result[0].status_extended)
|
||||
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
|
||||
assert (
|
||||
result[0].resource_arn
|
||||
== f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}"
|
||||
)
|
||||
assert result[0].region == AWS_REGION_EU_WEST_1
|
||||
|
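Review bot: `ecr_client = mock.MagicMock` (no parentheses, e.g. the line after `def test_registry_scan_on_push_enabled`) binds the class rather than an instance, so `audited_account_arn` and `registries` are set as attributes on `mock.MagicMock` itself and shared by every test in the process; the new `arn`-bearing fixtures therefore overwrite global state instead of building an isolated client. `ecr_client = mock.MagicMock()` gives each test its own double and still works with `mock.patch(..., new=ecr_client)`. The same shortcut appears in the rds_instance_certificate_expiration and route53 test sections below.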
||||
+3
@@ -51,6 +51,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[],
|
||||
@@ -77,6 +78,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
rules=[],
|
||||
@@ -121,6 +123,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
rules=[],
|
||||
|
||||
+4
@@ -63,6 +63,7 @@ class Test_ecr_repositories_not_publicly_accessible:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[],
|
||||
@@ -91,6 +92,7 @@ class Test_ecr_repositories_not_publicly_accessible:
|
||||
ecr_client.audited_account = AWS_ACCOUNT_NUMBER
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -134,6 +136,7 @@ class Test_ecr_repositories_not_publicly_accessible:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -179,6 +182,7 @@ class Test_ecr_repositories_not_publicly_accessible:
|
||||
ecr_client.audited_account = AWS_ACCOUNT_NUMBER
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
|
||||
+3
@@ -51,6 +51,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[],
|
||||
@@ -77,6 +78,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -120,6 +122,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
|
||||
+11
@@ -62,6 +62,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[],
|
||||
@@ -89,6 +90,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -126,6 +128,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -184,6 +187,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -242,6 +246,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -304,6 +309,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -366,6 +372,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -428,6 +435,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -490,6 +498,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -552,6 +561,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
@@ -610,6 +620,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[
|
||||
|
||||
+3
@@ -51,6 +51,7 @@ class Test_ecr_repositories_tag_immutability:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
repositories=[],
|
||||
@@ -77,6 +78,7 @@ class Test_ecr_repositories_tag_immutability:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
rules=[],
|
||||
@@ -122,6 +124,7 @@ class Test_ecr_repositories_tag_immutability:
|
||||
ecr_client.registries = {}
|
||||
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
|
||||
id=AWS_ACCOUNT_NUMBER,
|
||||
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
|
||||
region=AWS_REGION_EU_WEST_1,
|
||||
scan_type="BASIC",
|
||||
rules=[],
|
||||
|
||||
+72
@@ -197,6 +197,78 @@ class Test_rds_instance_certificate_expiration:
|
||||
)
|
||||
assert result[0].resource_tags == []
|
||||
|
||||
def test_rds_certificate_less_than_one_month(self):
|
||||
valid_from = datetime.now(utc) - relativedelta.relativedelta(months=7)
|
||||
valid_till = datetime.now(utc) + relativedelta.relativedelta(weeks=2)
|
||||
customer_override_valid = datetime.now(utc) + relativedelta.relativedelta(
|
||||
weeks=2
|
||||
)
|
||||
|
||||
rds_client = mock.MagicMock
|
||||
instance_arn = (
|
||||
f"arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER_CON}:db:db-master-1"
|
||||
)
|
||||
rds_client.db_instances = {
|
||||
instance_arn: DBInstance(
|
||||
id="db-master-1",
|
||||
arn=instance_arn,
|
||||
engine="aurora-postgresql",
|
||||
engine_version="aurora14",
|
||||
status="available",
|
||||
public=False,
|
||||
encrypted=True,
|
||||
deletion_protection=True,
|
||||
auto_minor_version_upgrade=False,
|
||||
multi_az=True,
|
||||
username="test",
|
||||
iam_auth=False,
|
||||
region=AWS_REGION,
|
||||
ca_cert="rds-ca-rsa2048-g1",
|
||||
endpoint={},
|
||||
cert=[
|
||||
Certificate(
|
||||
id="rds-ca-rsa2048-g1",
|
||||
arn=f"arn:aws:rds:{AWS_REGION}::cert:rds-ca-2019",
|
||||
type="CA",
|
||||
valid_from=valid_from,
|
||||
valid_till=valid_till,
|
||||
customer_override=False,
|
||||
customer_override_valid_till=customer_override_valid,
|
||||
)
|
||||
],
|
||||
)
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.rds.rds_service.RDS",
|
||||
new=rds_client,
|
||||
), mock.patch(
|
||||
"prowler.providers.aws.services.rds.rds_client.rds_client",
|
||||
new=rds_client,
|
||||
):
|
||||
# Test Check
|
||||
from prowler.providers.aws.services.rds.rds_instance_certificate_expiration.rds_instance_certificate_expiration import (
|
||||
rds_instance_certificate_expiration,
|
||||
)
|
||||
|
||||
check = rds_instance_certificate_expiration()
|
||||
result = check.execute()
|
||||
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert result[0].check_metadata.Severity == "high"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== "RDS Instance db-master-1 certificate less than 1 month of validity."
|
||||
)
|
||||
assert result[0].resource_id == "db-master-1"
|
||||
assert result[0].region == AWS_REGION
|
||||
assert (
|
||||
result[0].resource_arn
|
||||
== f"arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER_CON}:db:db-master-1"
|
||||
)
|
||||
assert result[0].resource_tags == []
|
||||
|
||||
def test_rds_certificate_between_three_and_six_months(self):
|
||||
valid_from = datetime.now(utc) - relativedelta.relativedelta(months=7)
|
||||
valid_till = datetime.now(utc) + relativedelta.relativedelta(months=4)
|
||||
|
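Review bot: `assert result[0].check_metadata.Severity == "high"` in `test_rds_certificate_less_than_one_month` only passes if `Severity` is a `str`-mixin enum; against a plain `Enum` the comparison is `False` even though the check assigned `Severity.high`. Asserting `== Severity.high` (importing `Severity` from `prowler.lib.check.models`) pins the intended value either way. The fixture's `Certificate` pairs `id="rds-ca-rsa2048-g1"` with `arn=...cert:rds-ca-2019`; mismatched identifiers make a failure harder to read, so aligning them is a cheap improvement. The test class continues outside the hunk.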
||||
+13
-3
@@ -1,7 +1,7 @@
|
||||
from unittest import mock
|
||||
|
||||
from prowler.providers.aws.services.route53.route53_service import Domain
|
||||
from tests.providers.aws.utils import AWS_REGION_US_EAST_1
|
||||
from tests.providers.aws.utils import AWS_ACCOUNT_ARN, AWS_REGION_US_EAST_1
|
||||
|
||||
|
||||
class Test_route53_domains_privacy_protection_enabled:
|
||||
@@ -25,10 +25,14 @@ class Test_route53_domains_privacy_protection_enabled:
|
||||
|
||||
def test_domain_privacy_protection_disabled(self):
|
||||
route53domains = mock.MagicMock
|
||||
route53domains.audited_account_arn = AWS_ACCOUNT_ARN
|
||||
domain_name = "test-domain.com"
|
||||
route53domains.domains = {
|
||||
domain_name: Domain(
|
||||
name=domain_name, region=AWS_REGION_US_EAST_1, admin_privacy=False
|
||||
name=domain_name,
|
||||
arn=f"arn:aws:route53:::domain/{domain_name}",
|
||||
region=AWS_REGION_US_EAST_1,
|
||||
admin_privacy=False,
|
||||
)
|
||||
}
|
||||
|
||||
@@ -46,6 +50,7 @@ class Test_route53_domains_privacy_protection_enabled:
|
||||
|
||||
assert len(result) == 1
|
||||
assert result[0].resource_id == domain_name
|
||||
assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}"
|
||||
assert result[0].region == AWS_REGION_US_EAST_1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
@@ -55,10 +60,14 @@ class Test_route53_domains_privacy_protection_enabled:
|
||||
|
||||
def test_domain_privacy_protection_enabled(self):
|
||||
route53domains = mock.MagicMock
|
||||
route53domains.audited_account_arn = AWS_ACCOUNT_ARN
|
||||
domain_name = "test-domain.com"
|
||||
route53domains.domains = {
|
||||
domain_name: Domain(
|
||||
name=domain_name, region=AWS_REGION_US_EAST_1, admin_privacy=True
|
||||
name=domain_name,
|
||||
arn=f"arn:aws:route53:::domain/{domain_name}",
|
||||
region=AWS_REGION_US_EAST_1,
|
||||
admin_privacy=True,
|
||||
)
|
||||
}
|
||||
|
||||
@@ -76,6 +85,7 @@ class Test_route53_domains_privacy_protection_enabled:
|
||||
|
||||
assert len(result) == 1
|
||||
assert result[0].resource_id == domain_name
|
||||
assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}"
|
||||
assert result[0].region == AWS_REGION_US_EAST_1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
|
||||
+7
-1
@@ -1,7 +1,7 @@
|
||||
from unittest import mock
|
||||
|
||||
from prowler.providers.aws.services.route53.route53_service import Domain
|
||||
from tests.providers.aws.utils import AWS_REGION_US_EAST_1
|
||||
from tests.providers.aws.utils import AWS_ACCOUNT_ARN, AWS_REGION_US_EAST_1
|
||||
|
||||
|
||||
class Test_route53_domains_transferlock_enabled:
|
||||
@@ -25,10 +25,12 @@ class Test_route53_domains_transferlock_enabled:
|
||||
|
||||
def test_domain_transfer_lock_disabled(self):
|
||||
route53domains = mock.MagicMock
|
||||
route53domains.audited_account_arn = AWS_ACCOUNT_ARN
|
||||
domain_name = "test-domain.com"
|
||||
route53domains.domains = {
|
||||
domain_name: Domain(
|
||||
name=domain_name,
|
||||
arn=f"arn:aws:route53:::domain/{domain_name}",
|
||||
region=AWS_REGION_US_EAST_1,
|
||||
admin_privacy=False,
|
||||
status_list=[""],
|
||||
@@ -49,6 +51,7 @@ class Test_route53_domains_transferlock_enabled:
|
||||
|
||||
assert len(result) == 1
|
||||
assert result[0].resource_id == domain_name
|
||||
assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}"
|
||||
assert result[0].region == AWS_REGION_US_EAST_1
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
@@ -58,10 +61,12 @@ class Test_route53_domains_transferlock_enabled:
|
||||
|
||||
def test_domain_transfer_lock_enabled(self):
|
||||
route53domains = mock.MagicMock
|
||||
route53domains.audited_account_arn = AWS_ACCOUNT_ARN
|
||||
domain_name = "test-domain.com"
|
||||
route53domains.domains = {
|
||||
domain_name: Domain(
|
||||
name=domain_name,
|
||||
arn=f"arn:aws:route53:::domain/{domain_name}",
|
||||
region=AWS_REGION_US_EAST_1,
|
||||
admin_privacy=False,
|
||||
status_list=["clientTransferProhibited"],
|
||||
@@ -82,6 +87,7 @@ class Test_route53_domains_transferlock_enabled:
|
||||
|
||||
assert len(result) == 1
|
||||
assert result[0].resource_id == domain_name
|
||||
assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}"
|
||||
assert result[0].region == AWS_REGION_US_EAST_1
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
|
||||