fix(aws): review checks with wrong attributes (#5503)

Sergio Garcia
2024-10-28 00:45:03 -07:00
committed by GitHub
parent 0331af02ac
commit 0f9ebecbb7
25 changed files with 194 additions and 46 deletions
@@ -1,4 +1,4 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
from prowler.providers.aws.services.acm.acm_client import acm_client
@@ -22,10 +22,10 @@ class acm_certificates_expiration_check(Check):
report.status = "FAIL"
if certificate.expiration_days < 0:
report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)."
report.check_metadata.Severity = "high"
report.check_metadata.Severity = Severity.high
else:
report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days."
report.check_metadata.Severity = "medium"
report.check_metadata.Severity = Severity.medium
report.resource_id = certificate.id
report.resource_details = certificate.name
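Review bot: The per-finding reassignment of `report.check_metadata.Severity` in both branches overrides the severity declared in the check's metadata file, and nothing in the hunk records that this is intentional. A one-line comment above `if certificate.expiration_days < 0:` would help the next maintainer, e.g. `# Escalate per finding: an already-expired certificate outranks one that is merely close to expiry.` Note that the `else` branch also covers `expiration_days == 0`, so a certificate expiring today is reported as "about to expire in 0 days"; if that case is meant to count as expired, the comparison would be `<= 0`. The enclosing method starts and ends outside the hunk.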
@@ -1,7 +1,7 @@
{
"Provider": "aws",
"CheckID": "codebuild_project_no_secrets_in_variables",
"CheckTitle": "Ensure CodeBuild projects do not contain secrets on plaintext environmet variables",
"CheckTitle": "Ensure CodeBuild projects do not contain secrets on plaintext environment variables",
"CheckType": [
"Security Best Practices"
],
@@ -21,7 +21,7 @@
"Terraform": ""
},
"Recommendation": {
"Text": "",
"Text": "Do not store secrets in plaintext environment variables. Use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely store and retrieve sensitive information.",
"Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html"
}
},
@@ -1,4 +1,4 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
from prowler.providers.aws.services.documentdb.documentdb_client import (
documentdb_client,
)
@@ -25,7 +25,7 @@ class documentdb_cluster_backup_enabled(Check):
else:
if cluster.backup_retention_period > 0:
report.status = "FAIL"
report.check_metadata.Severity = "low"
report.check_metadata.Severity = Severity.low
report.status_extended = f"DocumentDB Cluster {cluster.id} has backup enabled with retention period {cluster.backup_retention_period} days. Recommended to increase the backup retention period to a minimum of 7 days."
findings.append(report)
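Review bot: The message in the `Severity.low` branch hard-codes the "minimum of 7 days" threshold while the condition that decides it sits above the hunk; if that condition also spells out 7 literally, the two can drift apart when the recommendation changes. A module-level constant such as `MIN_BACKUP_RETENTION_DAYS = 7`, used in both the condition and the f-string, keeps them in step. The same pattern appears in the elasticache_redis_cluster_backup_enabled and neptune_cluster_backup_enabled hunks. The enclosing method starts and ends outside the hunk.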
@@ -1,4 +1,4 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
from prowler.providers.aws.services.documentdb.documentdb_client import (
documentdb_client,
)
@@ -27,7 +27,7 @@ class documentdb_cluster_cloudwatch_log_export(Check):
or "profiler" in cluster.cloudwatch_logs
):
report.status = "FAIL"
report.check_metadata.Severity = "low"
report.check_metadata.Severity = Severity.low
report.status_extended = f"DocumentDB Cluster {cluster.id} is only shipping {' '.join(cluster.cloudwatch_logs)} to CloudWatch Logs. Recommended to ship both Audit and Profiler logs."
findings.append(report)
@@ -11,8 +11,7 @@ class ecr_registry_scan_images_on_push_enabled(Check):
report = Check_Report_AWS(self.metadata())
report.region = registry.region
report.resource_id = registry.id
# A registry cannot have tags
report.resource_tags = []
report.resource_arn = registry.arn
report.status = "FAIL"
report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scanning without scan on push enabled."
if registry.rules:
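Review bot: Dropping `report.resource_tags = []` means registry findings now carry whatever `Check_Report_AWS` defaults `resource_tags` to, and the tests added in this commit assert `resource_arn` and `region` but not `resource_tags`, so a non-list default would go unnoticed. If the default is already `[]` this is fine; otherwise the line should stay, or the tests should pin `result[0].resource_tags == []` as the rds tests do. The enclosing method starts and ends outside the hunk.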
@@ -58,6 +58,7 @@ class ECR(AWSService):
# The default ECR registry is assumed
self.registries[regional_client.region] = Registry(
id=self.registry_id,
arn=f"arn:{self.audited_partition}:ecr:{regional_client.region}:registry/{self.registry_id}",
region=regional_client.region,
repositories=regional_registry_repositories,
)
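Review bot: The ARN built for the default registry has no account-id field: `arn:{partition}:ecr:{region}:registry/{id}` has four colon-separated fields before the resource, whereas the standard layout is `arn:partition:service:region:account-id:resource`, and the test fixtures in this commit expect `arn:aws:ecr:{region}:{account}:registry/{account}`. Because the tests construct `Registry` objects by hand, the mismatch is not caught. The tests also set `ecr_client.audited_account`, which suggests `self.audited_account` is available here; the line would then read `arn=f"arn:{self.audited_partition}:ecr:{regional_client.region}:{self.audited_account}:registry/{self.registry_id}"`. Findings are commonly keyed and deduplicated by ARN downstream, so a malformed one is more than cosmetic.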
@@ -389,6 +390,7 @@ class ScanningRule(BaseModel):
class Registry(BaseModel):
id: str
arn: str
region: str
repositories: list[Repository]
scan_type: Optional[str]
@@ -1,4 +1,4 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
from prowler.providers.aws.services.elasticache.elasticache_client import (
elasticache_client,
)
@@ -23,7 +23,7 @@ class elasticache_redis_cluster_backup_enabled(Check):
else:
if repl_group.snapshot_retention > 0:
report.status = "FAIL"
report.check_metadata.Severity = "low"
report.check_metadata.Severity = Severity.low
report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} has automated snapshot backups enabled with retention period {repl_group.snapshot_retention} days. Recommended to increase the snapshot retention period to a minimum of 7 days."
findings.append(report)
@@ -9,7 +9,7 @@
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id",
"Severity": "high",
"ResourceType": "",
"ResourceType": "AwsGuardDutyDetector",
"Description": "GuardDuty Lambda Protection helps you identify potential security threats when an AWS Lambda function gets invoked. After you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs associated with the Lambda functions in your AWS account.",
"Risk": "If Lambda Protection is not enabled, GuardDuty will not be able to monitor Lambda network activity logs and may miss potential security threats.",
"RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html",
@@ -1,4 +1,4 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
from prowler.providers.aws.services.neptune.neptune_client import neptune_client
@@ -23,7 +23,7 @@ class neptune_cluster_backup_enabled(Check):
else:
if cluster.backup_retention_period > 0:
report.status = "FAIL"
report.check_metadata.Severity = "low"
report.check_metadata.Severity = Severity.low
report.status_extended = f"Neptune Cluster {cluster.name} has backup enabled with retention period {cluster.backup_retention_period} days. Recommended to increase the backup retention period to a minimum of 7 days."
findings.append(report)
@@ -116,9 +116,13 @@ class Organizations(AWSService):
except ClientError as error:
if error.response["Error"]["Code"] == "AccessDeniedException":
policies = None
logger.error(
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
logger.warning(
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
else:
logger.error(
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
except Exception as error:
logger.error(
@@ -3,7 +3,7 @@ from datetime import datetime
from dateutil import relativedelta
from pytz import utc
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.lib.check.models import Check, Check_Report_AWS, Severity
from prowler.providers.aws.services.rds.rds_client import rds_client
@@ -21,7 +21,7 @@ class rds_instance_certificate_expiration(Check):
report.resource_arn = db_instance_arn
report.resource_tags = db_instance.tags
report.status = "FAIL"
report.check_metadata.Severity = "critical"
report.check_metadata.Severity = Severity.critical
report.status_extended = (
f"RDS Instance {db_instance.id} certificate has expired."
)
@@ -33,7 +33,7 @@ class rds_instance_certificate_expiration(Check):
utc
) + relativedelta.relativedelta(months=6):
report.status = "PASS"
report.check_metadata.Severity = "informational"
report.check_metadata.Severity = Severity.informational
report.status_extended = f"RDS Instance {db_instance.id} certificate has over 6 months of validity left."
elif cert.valid_till < datetime.now(
utc
@@ -45,7 +45,7 @@ class rds_instance_certificate_expiration(Check):
months=3
):
report.status = "PASS"
report.check_metadata.Severity = "low"
report.check_metadata.Severity = Severity.low
report.status_extended = f"RDS Instance {db_instance.id} certificate has between 3 and 6 months of validity."
elif cert.valid_till < datetime.now(
utc
@@ -57,7 +57,7 @@ class rds_instance_certificate_expiration(Check):
months=1
):
report.status = "FAIL"
report.check_metadata.Severity = "medium"
report.check_metadata.Severity = Severity.medium
report.status_extended = f"RDS Instance {db_instance.id} certificate less than 3 months of validity."
elif cert.valid_till < datetime.now(
utc
@@ -67,11 +67,11 @@ class rds_instance_certificate_expiration(Check):
utc
):
report.status = "FAIL"
report.check_metadata.Severity = "high"
report.check_metadata.Severity = Severity.high
report.status_extended = f"RDS Instance {db_instance.id} certificate less than 1 month of validity."
else:
report.status = "FAIL"
report.check_metadata.Severity = "critical"
report.check_metadata.Severity = Severity.critical
report.status_extended = (
f"RDS Instance {db_instance.id} certificate has expired."
)
@@ -80,7 +80,7 @@ class rds_instance_certificate_expiration(Check):
utc
) + relativedelta.relativedelta(months=6):
report.status = "PASS"
report.check_metadata.Severity = "informational"
report.check_metadata.Severity = Severity.informational
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has over 6 months of validity left."
elif cert.valid_till < datetime.now(
utc
@@ -92,7 +92,7 @@ class rds_instance_certificate_expiration(Check):
months=3
):
report.status = "PASS"
report.check_metadata.Severity = "low"
report.check_metadata.Severity = Severity.low
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has between 3 and 6 months of validity."
elif cert.valid_till < datetime.now(
utc
@@ -104,7 +104,7 @@ class rds_instance_certificate_expiration(Check):
months=1
):
report.status = "FAIL"
report.check_metadata.Severity = "medium"
report.check_metadata.Severity = Severity.medium
report.status_extended = f"RDS Instance {db_instance.id} custom certificate less than 3 months of validity."
elif cert.valid_till < datetime.now(
utc
@@ -114,11 +114,11 @@ class rds_instance_certificate_expiration(Check):
utc
):
report.status = "FAIL"
report.check_metadata.Severity = "high"
report.check_metadata.Severity = Severity.high
report.status_extended = f"RDS Instance {db_instance.id} custom certificate less than 1 month of validity."
else:
report.status = "FAIL"
report.check_metadata.Severity = "critical"
report.check_metadata.Severity = Severity.critical
report.status_extended = f"RDS Instance {db_instance.id} custom certificate has expired."
findings.append(report)
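Review bot: The two severity ladders, one for the default CA certificate and one for the `customer_override` certificate, repeat the same five thresholds and severities with only the message prefix differing, so a change to one bucket (as this commit makes for every severity value) has to be applied twice and can drift. Extracting a private helper that takes `valid_till` and returns the `(status, severity, message)` triple would leave one table to maintain; I describe it rather than quote it because the enclosing method starts and ends outside these hunks. Both `PASS` buckets also override the severity (`Severity.informational`, `Severity.low`), which deserves a comment on why a passing finding carries a severity at all.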
@@ -21,7 +21,7 @@
"Terraform": ""
},
"Recommendation": {
"Text": "",
"Text": "Create a backup plan for the RDS instance to protect it from data loss, accidental deletion, or corruption.",
"Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html"
}
},
@@ -11,6 +11,7 @@ class route53_domains_privacy_protection_enabled(Check):
for domain in route53domains_client.domains.values():
report = Check_Report_AWS(self.metadata())
report.resource_id = domain.name
report.resource_arn = domain.arn
report.region = domain.region
report.resource_tags = domain.tags
if domain.admin_privacy:
@@ -11,6 +11,7 @@ class route53_domains_transferlock_enabled(Check):
for domain in route53domains_client.domains.values():
report = Check_Report_AWS(self.metadata())
report.resource_id = domain.name
report.resource_arn = domain.arn
report.region = domain.region
report.resource_tags = domain.tags
if domain.status_list and "clientTransferProhibited" in domain.status_list:
@@ -161,7 +161,9 @@ class Route53Domains(AWSService):
domain_name = domain["DomainName"]
self.domains[domain_name] = Domain(
name=domain_name, region=self.region
name=domain_name,
arn=f"arn:{self.audited_partition}:route53:::domain/{domain_name}",
region=self.region,
)
except Exception as error:
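Review bot: The ARN assigned to `Domain` is synthesized from the partition and the domain name rather than taken from the API response, and nothing says so; the form `arn:…:route53:::domain/{name}` is not something a reader can verify from the code. A short comment above the assignment, e.g. `# The listing returns no ARN; build one in the Route 53 form for reporting and correlation`, would record the intent. The test fixtures repeat the same literal format, so a change to one side only would not be caught. The enclosing method starts and ends outside the hunk.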
@@ -198,6 +200,7 @@ class Route53Domains(AWSService):
class Domain(BaseModel):
name: str
arn: str
region: str
admin_privacy: bool = False
status_list: list[str] = None
@@ -14,15 +14,21 @@ class WAF(AWSService):
self.rules = {}
self.rule_groups = {}
self.web_acls = {}
self._list_rules()
self.__threading_call__(self._get_rule, self.rules.values())
self._list_rule_groups()
self.__threading_call__(
self._list_activated_rules_in_rule_group, self.rule_groups.values()
)
self._list_web_acls()
self.__threading_call__(self._get_web_acl, self.web_acls.values())
self.__threading_call__(self._get_logging_configuration, self.web_acls.values())
if self.audited_partition == "aws":
# AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets.
self.region = "us-east-1"
self.client = self.session.client(self.service, self.region)
self._list_rules()
self.__threading_call__(self._get_rule, self.rules.values())
self._list_rule_groups()
self.__threading_call__(
self._list_activated_rules_in_rule_group, self.rule_groups.values()
)
self._list_web_acls()
self.__threading_call__(self._get_web_acl, self.web_acls.values())
self.__threading_call__(
self._get_logging_configuration, self.web_acls.values()
)
def _list_rules(self):
logger.info("WAF - Listing Global Rules...")
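Review bot: When `self.audited_partition` is not `"aws"` the constructor now skips every listing call silently, leaving `rules`, `rule_groups` and `web_acls` empty, so any WAF check reports nothing for that account with no trace of why. An `else:` branch with a log line, e.g. `logger.info(f"WAF - Skipping global WAF Classic listing for partition {self.audited_partition}")`, makes that visible in the scan output (`logger` is already used in `_list_rules` just below). Whether WAF Classic global resources exist in the other partitions is not something the hunk establishes, so the log text should say only that the listing is skipped. The comment above `self.region = "us-east-1"` is a single very long line; wrapping it to the file's line length would help.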
@@ -7,6 +7,7 @@ from prowler.providers.aws.services.ecr.ecr_service import (
ScanningRule,
)
from tests.providers.aws.utils import (
AWS_ACCOUNT_ARN,
AWS_ACCOUNT_NUMBER,
AWS_REGION_EU_WEST_1,
set_mocked_aws_provider,
@@ -43,6 +44,7 @@ class Test_ecr_registry_scan_images_on_push_enabled:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[],
@@ -66,9 +68,11 @@ class Test_ecr_registry_scan_images_on_push_enabled:
def test_registry_scan_on_push_enabled(self):
ecr_client = mock.MagicMock
ecr_client.audited_account_arn = AWS_ACCOUNT_ARN
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -107,13 +111,19 @@ class Test_ecr_registry_scan_images_on_push_enabled:
assert result[0].status == "PASS"
assert search("with scan on push", result[0].status_extended)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_scan_on_push_enabled_with_filters(self):
ecr_client = mock.MagicMock
ecr_client.audited_account_arn = AWS_ACCOUNT_ARN
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -155,13 +165,19 @@ class Test_ecr_registry_scan_images_on_push_enabled:
result[0].status_extended,
)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}"
)
assert result[0].region == AWS_REGION_EU_WEST_1
def test_scan_on_push_disabled(self):
ecr_client = mock.MagicMock
ecr_client.audited_account_arn = AWS_ACCOUNT_ARN
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -195,4 +211,8 @@ class Test_ecr_registry_scan_images_on_push_enabled:
assert result[0].status == "FAIL"
assert search("scanning without scan on push", result[0].status_extended)
assert result[0].resource_id == AWS_ACCOUNT_NUMBER
assert (
result[0].resource_arn
== f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}"
)
assert result[0].region == AWS_REGION_EU_WEST_1
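Review bot: The registry ARN literal `arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}` is spelled out seven times in this file, in fixtures and asserts; a single module-level constant would keep them consistent. Because the fixtures build the ARN by hand, none of these tests exercises the format that `ECR.__init__` produces, which in this commit omits the account-id field; a service-level test against the constructor would cover that.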
@@ -51,6 +51,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[],
@@ -77,6 +78,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
rules=[],
@@ -121,6 +123,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
rules=[],
@@ -63,6 +63,7 @@ class Test_ecr_repositories_not_publicly_accessible:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[],
@@ -91,6 +92,7 @@ class Test_ecr_repositories_not_publicly_accessible:
ecr_client.audited_account = AWS_ACCOUNT_NUMBER
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -134,6 +136,7 @@ class Test_ecr_repositories_not_publicly_accessible:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -179,6 +182,7 @@ class Test_ecr_repositories_not_publicly_accessible:
ecr_client.audited_account = AWS_ACCOUNT_NUMBER
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -51,6 +51,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[],
@@ -77,6 +78,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -120,6 +122,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -62,6 +62,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[],
@@ -89,6 +90,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -126,6 +128,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -184,6 +187,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -242,6 +246,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -304,6 +309,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -366,6 +372,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -428,6 +435,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -490,6 +498,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -552,6 +561,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -610,6 +620,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[
@@ -51,6 +51,7 @@ class Test_ecr_repositories_tag_immutability:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
repositories=[],
@@ -77,6 +78,7 @@ class Test_ecr_repositories_tag_immutability:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
rules=[],
@@ -122,6 +124,7 @@ class Test_ecr_repositories_tag_immutability:
ecr_client.registries = {}
ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry(
id=AWS_ACCOUNT_NUMBER,
arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}",
region=AWS_REGION_EU_WEST_1,
scan_type="BASIC",
rules=[],
@@ -197,6 +197,78 @@ class Test_rds_instance_certificate_expiration:
)
assert result[0].resource_tags == []
def test_rds_certificate_less_than_one_month(self):
valid_from = datetime.now(utc) - relativedelta.relativedelta(months=7)
valid_till = datetime.now(utc) + relativedelta.relativedelta(weeks=2)
customer_override_valid = datetime.now(utc) + relativedelta.relativedelta(
weeks=2
)
rds_client = mock.MagicMock
instance_arn = (
f"arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER_CON}:db:db-master-1"
)
rds_client.db_instances = {
instance_arn: DBInstance(
id="db-master-1",
arn=instance_arn,
engine="aurora-postgresql",
engine_version="aurora14",
status="available",
public=False,
encrypted=True,
deletion_protection=True,
auto_minor_version_upgrade=False,
multi_az=True,
username="test",
iam_auth=False,
region=AWS_REGION,
ca_cert="rds-ca-rsa2048-g1",
endpoint={},
cert=[
Certificate(
id="rds-ca-rsa2048-g1",
arn=f"arn:aws:rds:{AWS_REGION}::cert:rds-ca-2019",
type="CA",
valid_from=valid_from,
valid_till=valid_till,
customer_override=False,
customer_override_valid_till=customer_override_valid,
)
],
)
}
with mock.patch(
"prowler.providers.aws.services.rds.rds_service.RDS",
new=rds_client,
), mock.patch(
"prowler.providers.aws.services.rds.rds_client.rds_client",
new=rds_client,
):
# Test Check
from prowler.providers.aws.services.rds.rds_instance_certificate_expiration.rds_instance_certificate_expiration import (
rds_instance_certificate_expiration,
)
check = rds_instance_certificate_expiration()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].check_metadata.Severity == "high"
assert (
result[0].status_extended
== "RDS Instance db-master-1 certificate less than 1 month of validity."
)
assert result[0].resource_id == "db-master-1"
assert result[0].region == AWS_REGION
assert (
result[0].resource_arn
== f"arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER_CON}:db:db-master-1"
)
assert result[0].resource_tags == []
def test_rds_certificate_between_three_and_six_months(self):
valid_from = datetime.now(utc) - relativedelta.relativedelta(months=7)
valid_till = datetime.now(utc) + relativedelta.relativedelta(months=4)
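Review bot: `assert result[0].check_metadata.Severity == "high"` compares the value the check now assigns as `Severity.high` against a plain string; this passes only if `Severity` is a `str`-mixin enum, and the test would silently stop pinning the enum if that ever changes. Comparing against `Severity.high` (imported from `prowler.lib.check.models`, as the check does) makes the expectation explicit. Minor: the fixture's certificate id is `rds-ca-rsa2048-g1` while its ARN ends in `cert:rds-ca-2019`, which is harmless for the assertions but confusing to read.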
@@ -1,7 +1,7 @@
from unittest import mock
from prowler.providers.aws.services.route53.route53_service import Domain
from tests.providers.aws.utils import AWS_REGION_US_EAST_1
from tests.providers.aws.utils import AWS_ACCOUNT_ARN, AWS_REGION_US_EAST_1
class Test_route53_domains_privacy_protection_enabled:
@@ -25,10 +25,14 @@ class Test_route53_domains_privacy_protection_enabled:
def test_domain_privacy_protection_disabled(self):
route53domains = mock.MagicMock
route53domains.audited_account_arn = AWS_ACCOUNT_ARN
domain_name = "test-domain.com"
route53domains.domains = {
domain_name: Domain(
name=domain_name, region=AWS_REGION_US_EAST_1, admin_privacy=False
name=domain_name,
arn=f"arn:aws:route53:::domain/{domain_name}",
region=AWS_REGION_US_EAST_1,
admin_privacy=False,
)
}
@@ -46,6 +50,7 @@ class Test_route53_domains_privacy_protection_enabled:
assert len(result) == 1
assert result[0].resource_id == domain_name
assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}"
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].status == "FAIL"
assert (
@@ -55,10 +60,14 @@ class Test_route53_domains_privacy_protection_enabled:
def test_domain_privacy_protection_enabled(self):
route53domains = mock.MagicMock
route53domains.audited_account_arn = AWS_ACCOUNT_ARN
domain_name = "test-domain.com"
route53domains.domains = {
domain_name: Domain(
name=domain_name, region=AWS_REGION_US_EAST_1, admin_privacy=True
name=domain_name,
arn=f"arn:aws:route53:::domain/{domain_name}",
region=AWS_REGION_US_EAST_1,
admin_privacy=True,
)
}
@@ -76,6 +85,7 @@ class Test_route53_domains_privacy_protection_enabled:
assert len(result) == 1
assert result[0].resource_id == domain_name
assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}"
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].status == "PASS"
assert (
@@ -1,7 +1,7 @@
from unittest import mock
from prowler.providers.aws.services.route53.route53_service import Domain
from tests.providers.aws.utils import AWS_REGION_US_EAST_1
from tests.providers.aws.utils import AWS_ACCOUNT_ARN, AWS_REGION_US_EAST_1
class Test_route53_domains_transferlock_enabled:
@@ -25,10 +25,12 @@ class Test_route53_domains_transferlock_enabled:
def test_domain_transfer_lock_disabled(self):
route53domains = mock.MagicMock
route53domains.audited_account_arn = AWS_ACCOUNT_ARN
domain_name = "test-domain.com"
route53domains.domains = {
domain_name: Domain(
name=domain_name,
arn=f"arn:aws:route53:::domain/{domain_name}",
region=AWS_REGION_US_EAST_1,
admin_privacy=False,
status_list=[""],
@@ -49,6 +51,7 @@ class Test_route53_domains_transferlock_enabled:
assert len(result) == 1
assert result[0].resource_id == domain_name
assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}"
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].status == "FAIL"
assert (
@@ -58,10 +61,12 @@ class Test_route53_domains_transferlock_enabled:
def test_domain_transfer_lock_enabled(self):
route53domains = mock.MagicMock
route53domains.audited_account_arn = AWS_ACCOUNT_ARN
domain_name = "test-domain.com"
route53domains.domains = {
domain_name: Domain(
name=domain_name,
arn=f"arn:aws:route53:::domain/{domain_name}",
region=AWS_REGION_US_EAST_1,
admin_privacy=False,
status_list=["clientTransferProhibited"],
@@ -82,6 +87,7 @@ class Test_route53_domains_transferlock_enabled:
assert len(result) == 1
assert result[0].resource_id == domain_name
assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}"
assert result[0].region == AWS_REGION_US_EAST_1
assert result[0].status == "PASS"
assert (