From 0f9ebecbb7fb89e520c462f17f3134074caae2f8 Mon Sep 17 00:00:00 2001 From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Mon, 28 Oct 2024 00:45:03 -0700 Subject: [PATCH] fix(aws): review checks with wrong attributes (#5503) --- .../acm_certificates_expiration_check.py | 6 +- ...ject_no_secrets_in_variables.metadata.json | 4 +- .../documentdb_cluster_backup_enabled.py | 4 +- ...ocumentdb_cluster_cloudwatch_log_export.py | 4 +- ...cr_registry_scan_images_on_push_enabled.py | 3 +- .../providers/aws/services/ecr/ecr_service.py | 2 + ...lasticache_redis_cluster_backup_enabled.py | 4 +- ...ty_lambda_protection_enabled.metadata.json | 2 +- .../neptune_cluster_backup_enabled.py | 4 +- .../organizations/organizations_service.py | 10 ++- .../rds_instance_certificate_expiration.py | 24 +++---- ...nce_protected_by_backup_plan.metadata.json | 2 +- ...te53_domains_privacy_protection_enabled.py | 1 + .../route53_domains_transferlock_enabled.py | 1 + .../aws/services/route53/route53_service.py | 5 +- .../providers/aws/services/waf/waf_service.py | 24 ++++--- ...gistry_scan_images_on_push_enabled_test.py | 20 ++++++ ...ositories_lifecycle_policy_enabled_test.py | 3 + ...positories_not_publicly_accessible_test.py | 4 ++ ...tories_scan_images_on_push_enabled_test.py | 3 + ...an_vulnerabilities_in_latest_image_test.py | 11 +++ .../ecr_repositories_tag_immutability_test.py | 3 + ...ds_instance_certificate_expiration_test.py | 72 +++++++++++++++++++ ...domains_privacy_protection_enabled_test.py | 16 ++++- ...ute53_domains_transferlock_enabled_test.py | 8 ++- 25 files changed, 194 insertions(+), 46 deletions(-) diff --git a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py index ab684e3397..b434118078 100644 
--- a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py +++ b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py @@ -1,4 +1,4 @@ -from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.lib.check.models import Check, Check_Report_AWS, Severity from prowler.providers.aws.services.acm.acm_client import acm_client @@ -22,10 +22,10 @@ class acm_certificates_expiration_check(Check): report.status = "FAIL" if certificate.expiration_days < 0: report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has expired ({abs(certificate.expiration_days)} days ago)." - report.check_metadata.Severity = "high" + report.check_metadata.Severity = Severity.high else: report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is about to expire in {certificate.expiration_days} days." - report.check_metadata.Severity = "medium" + report.check_metadata.Severity = Severity.medium report.resource_id = certificate.id report.resource_details = certificate.name diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json b/prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json index 1d6d8c5499..5b5052e7db 100644 --- a/prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json +++ b/prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.metadata.json 
@@ -1,7 +1,7 @@ { "Provider": "aws", "CheckID": "codebuild_project_no_secrets_in_variables", - "CheckTitle": "Ensure CodeBuild projects do not contain secrets on plaintext environmet variables", + "CheckTitle": "Ensure CodeBuild projects do not contain secrets on plaintext environment variables", "CheckType": [ "Security Best Practices" ], @@ -21,7 +21,7 @@ "Terraform": "" }, "Recommendation": { - "Text": "", + "Text": "Do not store secrets in plaintext environment variables. Use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely store and retrieve sensitive information.", "Url": "https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html" } }, diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py index 76f5a620c5..67dcc6a03e 100644 --- a/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py +++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py @@ -1,4 +1,4 @@ -from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.lib.check.models import Check, Check_Report_AWS, Severity from prowler.providers.aws.services.documentdb.documentdb_client import ( documentdb_client, ) @@ -25,7 +25,7 @@ class documentdb_cluster_backup_enabled(Check): else: if cluster.backup_retention_period > 0: report.status = "FAIL" - report.check_metadata.Severity = "low" + report.check_metadata.Severity = Severity.low report.status_extended = f"DocumentDB Cluster {cluster.id} has backup enabled with retention period {cluster.backup_retention_period} days. Recommended to increase the backup retention period to a minimum of 7 days." findings.append(report) 
diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.py index 528ab14eb6..dbedc2169f 100644 --- a/prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.py +++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.py @@ -1,4 +1,4 @@ -from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.lib.check.models import Check, Check_Report_AWS, Severity from prowler.providers.aws.services.documentdb.documentdb_client import ( documentdb_client, ) @@ -27,7 +27,7 @@ class documentdb_cluster_cloudwatch_log_export(Check): or "profiler" in cluster.cloudwatch_logs ): report.status = "FAIL" - report.check_metadata.Severity = "low" + report.check_metadata.Severity = Severity.low report.status_extended = f"DocumentDB Cluster {cluster.id} is only shipping {' '.join(cluster.cloudwatch_logs)} to CloudWatch Logs. Recommended to ship both Audit and Profiler logs." findings.append(report) diff --git a/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py b/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py index 0a9654a743..db34c41ea5 100644 --- a/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py +++ b/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py 
@@ -11,8 +11,7 @@ class ecr_registry_scan_images_on_push_enabled(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = registry.region
 report.resource_id = registry.id
-# A registry cannot have tags
-report.resource_tags = []
+report.resource_arn = registry.arn
 report.status = "FAIL"
 report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scanning without scan on push enabled."
 if registry.rules:
diff --git a/prowler/providers/aws/services/ecr/ecr_service.py b/prowler/providers/aws/services/ecr/ecr_service.py
index ea5d6486a8..b141de811e 100644
--- a/prowler/providers/aws/services/ecr/ecr_service.py
+++ b/prowler/providers/aws/services/ecr/ecr_service.py
@@ -58,6 +58,7 @@ class ECR(AWSService):
 # The default ECR registry is assumed
 self.registries[regional_client.region] = Registry(
 id=self.registry_id,
+arn=f"arn:{self.audited_partition}:ecr:{regional_client.region}:registry/{self.registry_id}",
 region=regional_client.region,
 repositories=regional_registry_repositories,
 )
@@ -389,6 +390,7 @@ class ScanningRule(BaseModel):
 class Registry(BaseModel):
 id: str
+arn: str
 region: str
 repositories: list[Repository]
 scan_type: Optional[str]
diff --git a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.py b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.py
index 1c73d77427..ce4cdc88cf 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.py
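Review bot: The registry ARN built on the added `arn=` line in the `@@ -58,6` hunk has no account-id segment — `arn:{partition}:ecr:{region}:registry/{id}` carries only five colon-separated fields before the resource, while every fixture added in this patch's ECR test hunks spells the same ARN as `arn:aws:ecr:{region}:{account}:registry/{account}`. The tests construct `Registry` directly, so this line is never exercised and the mismatch would only show up in real findings. The service appears to have the account available already (the tests assign `ecr_client.audited_account`), so the line should read `arn=f"arn:{self.audited_partition}:ecr:{regional_client.region}:{self.audited_account}:registry/{self.registry_id}",`. The enclosing method starts and ends outside the hunk.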
@@ -1,4 +1,4 @@ -from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.lib.check.models import Check, Check_Report_AWS, Severity from prowler.providers.aws.services.elasticache.elasticache_client import ( elasticache_client, ) @@ -23,7 +23,7 @@ class elasticache_redis_cluster_backup_enabled(Check): else: if repl_group.snapshot_retention > 0: report.status = "FAIL" - report.check_metadata.Severity = "low" + report.check_metadata.Severity = Severity.low report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} has automated snapshot backups enabled with retention period {repl_group.snapshot_retention} days. Recommended to increase the snapshot retention period to a minimum of 7 days." findings.append(report) diff --git a/prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json b/prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json index 57fda8b12f..a39a93f736 100644 --- a/prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json +++ b/prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.metadata.json 
@@ -9,7 +9,7 @@ "SubServiceName": "", "ResourceIdTemplate": "arn:aws:guardduty:region:account-id/detector-id", "Severity": "high", - "ResourceType": "", + "ResourceType": "AwsGuardDutyDetector", "Description": "GuardDuty Lambda Protection helps you identify potential security threats when an AWS Lambda function gets invoked. After you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs associated with the Lambda functions in your AWS account.", "Risk": "If Lambda Protection is not enabled, GuardDuty will not be able to monitor Lambda network activity logs and may miss potential security threats.", "RelatedUrl": "https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html", diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py b/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py index 206eacd30f..0296fe08fe 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py +++ b/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py @@ -1,4 +1,4 @@ -from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.lib.check.models import Check, Check_Report_AWS, Severity from prowler.providers.aws.services.neptune.neptune_client import neptune_client @@ -23,7 +23,7 @@ class neptune_cluster_backup_enabled(Check): else: if cluster.backup_retention_period > 0: report.status = "FAIL" - report.check_metadata.Severity = "low" + report.check_metadata.Severity = Severity.low report.status_extended = f"Neptune Cluster {cluster.name} has backup enabled with retention period {cluster.backup_retention_period} days. Recommended to increase the backup retention period to a minimum of 7 days." findings.append(report) 
diff --git a/prowler/providers/aws/services/organizations/organizations_service.py b/prowler/providers/aws/services/organizations/organizations_service.py
index 27b9124431..98153ddaaa 100644
--- a/prowler/providers/aws/services/organizations/organizations_service.py
+++ b/prowler/providers/aws/services/organizations/organizations_service.py
@@ -116,9 +116,13 @@ class Organizations(AWSService):
 except ClientError as error:
 if error.response["Error"]["Code"] == "AccessDeniedException":
 policies = None
-logger.error(
-f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-)
+logger.warning(
+f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+)
+else:
+logger.error(
+f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+)
 except Exception as error:
 logger.error(
diff --git a/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py b/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py
index 8e92f52e7b..2cc0441bae 100644
--- a/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py
+++ b/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py
@@ -3,7 +3,7 @@ from datetime import datetime
 from dateutil import relativedelta
 from pytz import utc
-from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.lib.check.models import Check, Check_Report_AWS, Severity
 from prowler.providers.aws.services.rds.rds_client import rds_client
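Review bot: The same log message f-string now appears three times in the organizations hunk — in the new `logger.warning(...)` for `AccessDeniedException`, in the new `else:` `logger.error(...)`, and in the generic `except Exception` handler that follows — so a future wording change has to be made in three places. Building it once, `message = f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"`, and passing `message` to whichever level applies keeps the branch to the level decision only. The enclosing method, including where `policies` is consumed after the handler sets it to `None`, is outside the hunk.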
@@ -21,7 +21,7 @@ class rds_instance_certificate_expiration(Check): report.resource_arn = db_instance_arn report.resource_tags = db_instance.tags report.status = "FAIL" - report.check_metadata.Severity = "critical" + report.check_metadata.Severity = Severity.critical report.status_extended = ( f"RDS Instance {db_instance.id} certificate has expired." ) @@ -33,7 +33,7 @@ class rds_instance_certificate_expiration(Check): utc ) + relativedelta.relativedelta(months=6): report.status = "PASS" - report.check_metadata.Severity = "informational" + report.check_metadata.Severity = Severity.informational report.status_extended = f"RDS Instance {db_instance.id} certificate has over 6 months of validity left." elif cert.valid_till < datetime.now( utc @@ -45,7 +45,7 @@ class rds_instance_certificate_expiration(Check): months=3 ): report.status = "PASS" - report.check_metadata.Severity = "low" + report.check_metadata.Severity = Severity.low report.status_extended = f"RDS Instance {db_instance.id} certificate has between 3 and 6 months of validity." elif cert.valid_till < datetime.now( utc @@ -57,7 +57,7 @@ class rds_instance_certificate_expiration(Check): months=1 ): report.status = "FAIL" - report.check_metadata.Severity = "medium" + report.check_metadata.Severity = Severity.medium report.status_extended = f"RDS Instance {db_instance.id} certificate less than 3 months of validity." elif cert.valid_till < datetime.now( utc @@ -67,11 +67,11 @@ class rds_instance_certificate_expiration(Check): utc ): report.status = "FAIL" - report.check_metadata.Severity = "high" + report.check_metadata.Severity = Severity.high report.status_extended = f"RDS Instance {db_instance.id} certificate less than 1 month of validity." else: report.status = "FAIL" - report.check_metadata.Severity = "critical" + report.check_metadata.Severity = Severity.critical report.status_extended = ( f"RDS Instance {db_instance.id} certificate has expired." ) 
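Review bot: The severity ladder these hunks convert to `Severity` members is written out twice — once for the default certificate (the `@@ -33`, `@@ -45`, `@@ -57` and `@@ -67` hunks here) and again line for line for the custom certificate (the `@@ -80`, `@@ -92`, `@@ -104` and `@@ -114` hunks on the next line), differing only in the word "custom" inside `status_extended`. With the severity now an enum rather than a string, a small private helper taking `cert.valid_till`, a `now` value and the certificate label could return the `(status, Severity, status_extended)` triple for both branches, and would also evaluate `datetime.now(utc)` once instead of once per comparison. The enclosing `execute` method starts and ends outside these hunks, so the helper's exact placement cannot be judged from here.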
@@ -80,7 +80,7 @@ class rds_instance_certificate_expiration(Check): utc ) + relativedelta.relativedelta(months=6): report.status = "PASS" - report.check_metadata.Severity = "informational" + report.check_metadata.Severity = Severity.informational report.status_extended = f"RDS Instance {db_instance.id} custom certificate has over 6 months of validity left." elif cert.valid_till < datetime.now( utc @@ -92,7 +92,7 @@ class rds_instance_certificate_expiration(Check): months=3 ): report.status = "PASS" - report.check_metadata.Severity = "low" + report.check_metadata.Severity = Severity.low report.status_extended = f"RDS Instance {db_instance.id} custom certificate has between 3 and 6 months of validity." elif cert.valid_till < datetime.now( utc @@ -104,7 +104,7 @@ class rds_instance_certificate_expiration(Check): months=1 ): report.status = "FAIL" - report.check_metadata.Severity = "medium" + report.check_metadata.Severity = Severity.medium report.status_extended = f"RDS Instance {db_instance.id} custom certificate less than 3 months of validity." elif cert.valid_till < datetime.now( utc @@ -114,11 +114,11 @@ class rds_instance_certificate_expiration(Check): utc ): report.status = "FAIL" - report.check_metadata.Severity = "high" + report.check_metadata.Severity = Severity.high report.status_extended = f"RDS Instance {db_instance.id} custom certificate less than 1 month of validity." else: report.status = "FAIL" - report.check_metadata.Severity = "critical" + report.check_metadata.Severity = Severity.critical report.status_extended = f"RDS Instance {db_instance.id} custom certificate has expired." findings.append(report) diff --git a/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.metadata.json b/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.metadata.json index 91b525a3d2..93c2f38f17 100644 
--- a/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.metadata.json @@ -21,7 +21,7 @@ "Terraform": "" }, "Recommendation": { - "Text": "", + "Text": "Create a backup plan for the RDS instance to protect it from data loss, accidental deletion, or corruption.", "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html" } }, diff --git a/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py b/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py index 09bb621473..face34e9ff 100644 --- a/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py +++ b/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py @@ -11,6 +11,7 @@ class route53_domains_privacy_protection_enabled(Check): for domain in route53domains_client.domains.values(): report = Check_Report_AWS(self.metadata()) report.resource_id = domain.name + report.resource_arn = domain.arn report.region = domain.region report.resource_tags = domain.tags if domain.admin_privacy: diff --git a/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py b/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py index 16e13a9800..735dc5fc9d 100644 --- a/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py +++ b/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py 
@@ -11,6 +11,7 @@ class route53_domains_transferlock_enabled(Check):
 for domain in route53domains_client.domains.values():
 report = Check_Report_AWS(self.metadata())
 report.resource_id = domain.name
+report.resource_arn = domain.arn
 report.region = domain.region
 report.resource_tags = domain.tags
 if domain.status_list and "clientTransferProhibited" in domain.status_list:
diff --git a/prowler/providers/aws/services/route53/route53_service.py b/prowler/providers/aws/services/route53/route53_service.py
index 2e47757af3..374ee63351 100644
--- a/prowler/providers/aws/services/route53/route53_service.py
+++ b/prowler/providers/aws/services/route53/route53_service.py
@@ -161,7 +161,9 @@ class Route53Domains(AWSService):
 domain_name = domain["DomainName"]
 self.domains[domain_name] = Domain(
-name=domain_name, region=self.region
+name=domain_name,
+arn=f"arn:{self.audited_partition}:route53:::domain/{domain_name}",
+region=self.region,
 )
 except Exception as error:
@@ -198,6 +200,7 @@ class Route53Domains(AWSService):
 class Domain(BaseModel):
 name: str
+arn: str
 region: str
 admin_privacy: bool = False
 status_list: list[str] = None
diff --git a/prowler/providers/aws/services/waf/waf_service.py b/prowler/providers/aws/services/waf/waf_service.py
index 4a99284801..b0521fd992 100644
--- a/prowler/providers/aws/services/waf/waf_service.py
+++ b/prowler/providers/aws/services/waf/waf_service.py
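Review bot: The domain ARN added in the `@@ -161,7` hunk uses `route53` as the service segment, but the object being described is a Route 53 Domains registration (the check iterates `route53domains_client.domains`), and as far as I recall AWS lists that resource under the separate `route53domains` service prefix, `arn:{partition}:route53domains:::domain/{name}`, with `route53` reserved for hosted-zone resources. Worth confirming against the service authorization reference before this value lands in findings, since downstream consumers may key on the ARN's service field. The test fixtures for this value are outside this chunk, and the enclosing method starts and ends outside the hunk.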
@@ -14,15 +14,21 @@ class WAF(AWSService):
 self.rules = {}
 self.rule_groups = {}
 self.web_acls = {}
-self._list_rules()
-self.__threading_call__(self._get_rule, self.rules.values())
-self._list_rule_groups()
-self.__threading_call__(
-self._list_activated_rules_in_rule_group, self.rule_groups.values()
-)
-self._list_web_acls()
-self.__threading_call__(self._get_web_acl, self.web_acls.values())
-self.__threading_call__(self._get_logging_configuration, self.web_acls.values())
+if self.audited_partition == "aws":
+# AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets.
+self.region = "us-east-1"
+self.client = self.session.client(self.service, self.region)
+self._list_rules()
+self.__threading_call__(self._get_rule, self.rules.values())
+self._list_rule_groups()
+self.__threading_call__(
+self._list_activated_rules_in_rule_group, self.rule_groups.values()
+)
+self._list_web_acls()
+self.__threading_call__(self._get_web_acl, self.web_acls.values())
+self.__threading_call__(
+self._get_logging_configuration, self.web_acls.values()
+)
 def _list_rules(self):
 logger.info("WAF - Listing Global Rules...")
diff --git a/tests/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled_test.py b/tests/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled_test.py
index 3fb661b7d1..89b3ce5b77 100644
--- a/tests/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled_test.py
+++ b/tests/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled_test.py
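Review bot: Outside the `aws` partition the constructor now leaves `rules`, `rule_groups` and `web_acls` empty without logging anything, so a GovCloud or China account produces no WAF Classic findings in a way that cannot be told apart from an account that genuinely has no web ACLs; an `else:` branch with `logger.info(f"WAF - Global WAF Classic is not queried in partition {self.audited_partition}")` would make the skip visible in the run output. The explanatory comment on the first added line runs to roughly 200 characters and should be wrapped to the file's line length. The `self.client = self.session.client(self.service, self.region)` line replaces the client the base class built, so it is worth confirming it still picks up whatever retry and endpoint configuration `AWSService` applies to its own client. The rest of `__init__` is outside the hunk.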
@@ -7,6 +7,7 @@ from prowler.providers.aws.services.ecr.ecr_service import ( ScanningRule, ) from tests.providers.aws.utils import ( + AWS_ACCOUNT_ARN, AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1, set_mocked_aws_provider, @@ -43,6 +44,7 @@ class Test_ecr_registry_scan_images_on_push_enabled: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[], @@ -66,9 +68,11 @@ class Test_ecr_registry_scan_images_on_push_enabled: def test_registry_scan_on_push_enabled(self): ecr_client = mock.MagicMock + ecr_client.audited_account_arn = AWS_ACCOUNT_ARN ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -107,13 +111,19 @@ class Test_ecr_registry_scan_images_on_push_enabled: assert result[0].status == "PASS" assert search("with scan on push", result[0].status_extended) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}" + ) assert result[0].region == AWS_REGION_EU_WEST_1 def test_scan_on_push_enabled_with_filters(self): ecr_client = mock.MagicMock + ecr_client.audited_account_arn = AWS_ACCOUNT_ARN ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ 
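Review bot: The new `ecr_client.audited_account_arn = AWS_ACCOUNT_ARN` lines (in the `@@ -66,9` hunk here, again in `@@ -107,13`, and in `@@ -155,13` on the next line) are assigned on the `MagicMock` class rather than an instance, because the preceding context line binds `ecr_client = mock.MagicMock` without calling it; the attribute therefore persists on the class for every later `MagicMock` in the test session. If the check really needs the attribute the fixture should instantiate the mock, `ecr_client = mock.MagicMock()`; if it does not — the check hunk in this patch reads only `registry.arn` — the added lines can be dropped. The registry ARN f-string is also copied into every fixture across the ECR test files in this patch; a single constant next to `AWS_ACCOUNT_ARN` in the shared test utils would keep the fixtures in step with the service format. Each test method's body continues outside the hunk.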
@@ -155,13 +165,19 @@ class Test_ecr_registry_scan_images_on_push_enabled: result[0].status_extended, ) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}" + ) assert result[0].region == AWS_REGION_EU_WEST_1 def test_scan_on_push_disabled(self): ecr_client = mock.MagicMock + ecr_client.audited_account_arn = AWS_ACCOUNT_ARN ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -195,4 +211,8 @@ class Test_ecr_registry_scan_images_on_push_enabled: assert result[0].status == "FAIL" assert search("scanning without scan on push", result[0].status_extended) assert result[0].resource_id == AWS_ACCOUNT_NUMBER + assert ( + result[0].resource_arn + == f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}" + ) assert result[0].region == AWS_REGION_EU_WEST_1 diff --git a/tests/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled_test.py b/tests/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled_test.py index 1235bcc96c..3e430e8095 100644 --- a/tests/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled_test.py +++ b/tests/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled_test.py 
@@ -51,6 +51,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[], @@ -77,6 +78,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", rules=[], @@ -121,6 +123,7 @@ class Test_ecr_repositories_lifecycle_policy_enabled: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", rules=[], diff --git a/tests/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible_test.py b/tests/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible_test.py index 0ae364051a..9904aec2ca 100644 --- a/tests/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible_test.py +++ b/tests/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible_test.py @@ -63,6 +63,7 @@ class Test_ecr_repositories_not_publicly_accessible: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[], 
@@ -91,6 +92,7 @@ class Test_ecr_repositories_not_publicly_accessible: ecr_client.audited_account = AWS_ACCOUNT_NUMBER ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -134,6 +136,7 @@ class Test_ecr_repositories_not_publicly_accessible: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -179,6 +182,7 @@ class Test_ecr_repositories_not_publicly_accessible: ecr_client.audited_account = AWS_ACCOUNT_NUMBER ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ diff --git a/tests/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled_test.py b/tests/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled_test.py index fd931bc1b4..3e86ba0829 100644 --- a/tests/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled_test.py +++ b/tests/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled_test.py @@ -51,6 +51,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[], 
@@ -77,6 +78,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -120,6 +122,7 @@ class Test_ecr_repositories_scan_images_on_push_enabled: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ diff --git a/tests/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image_test.py b/tests/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image_test.py index 7f99502bd8..8bc08f005b 100644 --- a/tests/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image_test.py +++ b/tests/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image_test.py @@ -62,6 +62,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[], 
@@ -89,6 +90,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -126,6 +128,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -184,6 +187,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -242,6 +246,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -304,6 +309,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ 
@@ -366,6 +372,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -428,6 +435,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -490,6 +498,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -552,6 +561,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ @@ -610,6 +620,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[ 
diff --git a/tests/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability_test.py b/tests/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability_test.py index 2508cdd161..128291b129 100644 --- a/tests/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability_test.py +++ b/tests/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability_test.py @@ -51,6 +51,7 @@ class Test_ecr_repositories_tag_immutability: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", repositories=[], @@ -77,6 +78,7 @@ class Test_ecr_repositories_tag_immutability: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", rules=[], @@ -122,6 +124,7 @@ class Test_ecr_repositories_tag_immutability: ecr_client.registries = {} ecr_client.registries[AWS_REGION_EU_WEST_1] = Registry( id=AWS_ACCOUNT_NUMBER, + arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}", region=AWS_REGION_EU_WEST_1, scan_type="BASIC", rules=[], diff --git a/tests/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration_test.py b/tests/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration_test.py index 446cae5f45..a492ff7d2b 100644 --- a/tests/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration_test.py +++ b/tests/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration_test.py 
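Review bot: The same registry ARN f-string, `arn=f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}"`, is now copy-pasted into every `Registry(...)` fixture in this file and the sibling ECR test files, so a later change to the format has to be repeated in a dozen places and any one of them can drift. A module-level `REGISTRY_ARN = f"arn:aws:ecr:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:registry/{AWS_ACCOUNT_NUMBER}"` next to the imports, used as `arn=REGISTRY_ARN`, keeps them in sync. Nothing in these hunks asserts on the value, which is expected for repository-level checks; whether the registry-level check pins `resource_arn` is not visible here and is where that assertion belongs. The test methods these fixtures live in start and end outside the hunks.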
@@ -197,6 +197,78 @@ class Test_rds_instance_certificate_expiration: ) assert result[0].resource_tags == [] + def test_rds_certificate_less_than_one_month(self): + valid_from = datetime.now(utc) - relativedelta.relativedelta(months=7) + valid_till = datetime.now(utc) + relativedelta.relativedelta(weeks=2) + customer_override_valid = datetime.now(utc) + relativedelta.relativedelta( + weeks=2 + ) + + rds_client = mock.MagicMock + instance_arn = ( + f"arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER_CON}:db:db-master-1" + ) + rds_client.db_instances = { + instance_arn: DBInstance( + id="db-master-1", + arn=instance_arn, + engine="aurora-postgresql", + engine_version="aurora14", + status="available", + public=False, + encrypted=True, + deletion_protection=True, + auto_minor_version_upgrade=False, + multi_az=True, + username="test", + iam_auth=False, + region=AWS_REGION, + ca_cert="rds-ca-rsa2048-g1", + endpoint={}, + cert=[ + Certificate( + id="rds-ca-rsa2048-g1", + arn=f"arn:aws:rds:{AWS_REGION}::cert:rds-ca-2019", + type="CA", + valid_from=valid_from, + valid_till=valid_till, + customer_override=False, + customer_override_valid_till=customer_override_valid, + ) + ], + ) + } + + with mock.patch( + "prowler.providers.aws.services.rds.rds_service.RDS", + new=rds_client, + ), mock.patch( + "prowler.providers.aws.services.rds.rds_client.rds_client", + new=rds_client, + ): + # Test Check + from prowler.providers.aws.services.rds.rds_instance_certificate_expiration.rds_instance_certificate_expiration import ( + rds_instance_certificate_expiration, + ) + + check = rds_instance_certificate_expiration() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert result[0].check_metadata.Severity == "high" + assert ( + result[0].status_extended + == "RDS Instance db-master-1 certificate less than 1 month of validity." 
+ ) + assert result[0].resource_id == "db-master-1" + assert result[0].region == AWS_REGION + assert ( + result[0].resource_arn + == f"arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_NUMBER_CON}:db:db-master-1" + ) + assert result[0].resource_tags == [] + def test_rds_certificate_between_three_and_six_months(self): valid_from = datetime.now(utc) - relativedelta.relativedelta(months=7) valid_till = datetime.now(utc) + relativedelta.relativedelta(months=4) diff --git a/tests/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled_test.py b/tests/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled_test.py index c847595967..7e8b5b4011 100644 --- a/tests/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled_test.py +++ b/tests/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled_test.py @@ -1,7 +1,7 @@ from unittest import mock from prowler.providers.aws.services.route53.route53_service import Domain -from tests.providers.aws.utils import AWS_REGION_US_EAST_1 +from tests.providers.aws.utils import AWS_ACCOUNT_ARN, AWS_REGION_US_EAST_1 class Test_route53_domains_privacy_protection_enabled: @@ -25,10 +25,14 @@ class Test_route53_domains_privacy_protection_enabled: def test_domain_privacy_protection_disabled(self): route53domains = mock.MagicMock + route53domains.audited_account_arn = AWS_ACCOUNT_ARN domain_name = "test-domain.com" route53domains.domains = { domain_name: Domain( - name=domain_name, region=AWS_REGION_US_EAST_1, admin_privacy=False + name=domain_name, + arn=f"arn:aws:route53:::domain/{domain_name}", + region=AWS_REGION_US_EAST_1, + admin_privacy=False, ) } 
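Review bot: The new test pins the elevated severity with a bare string, `assert result[0].check_metadata.Severity == "high"`, while this patch moves checks onto the `Severity` enum; the comparison holds only if `Severity` is a `str`-mixin enum, so prefer `from prowler.lib.check.models import Severity` and `assert result[0].check_metadata.Severity == Severity.high`. If the check raises severity by assigning `report.check_metadata.Severity`, and `check_metadata` is the metadata object shared by all reports of the run, the override bleeds into later findings; a two-instance case (one certificate expiring in two weeks, one with years left) asserting the second is not also `high` would catch that — confirm whether metadata is copied per report before adding it. The fixture's `Certificate` mixes `id="rds-ca-rsa2048-g1"` with `arn=...cert:rds-ca-2019`, harmless here but worth aligning. `rds_client = mock.MagicMock` also assigns `db_instances` on the `MagicMock` class rather than an instance, so the fixture leaks into other tests that use the bare class; `mock.MagicMock()` avoids that.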
@@ -46,6 +50,7 @@ class Test_route53_domains_privacy_protection_enabled: assert len(result) == 1 assert result[0].resource_id == domain_name + assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}" assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].status == "FAIL" assert ( @@ -55,10 +60,14 @@ class Test_route53_domains_privacy_protection_enabled: def test_domain_privacy_protection_enabled(self): route53domains = mock.MagicMock + route53domains.audited_account_arn = AWS_ACCOUNT_ARN domain_name = "test-domain.com" route53domains.domains = { domain_name: Domain( - name=domain_name, region=AWS_REGION_US_EAST_1, admin_privacy=True + name=domain_name, + arn=f"arn:aws:route53:::domain/{domain_name}", + region=AWS_REGION_US_EAST_1, + admin_privacy=True, ) } @@ -76,6 +85,7 @@ class Test_route53_domains_privacy_protection_enabled: assert len(result) == 1 assert result[0].resource_id == domain_name + assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}" assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].status == "PASS" assert ( diff --git a/tests/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled_test.py b/tests/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled_test.py index 14be1f0ee1..d9b752d088 100644 --- a/tests/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled_test.py +++ b/tests/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled_test.py @@ -1,7 +1,7 @@ from unittest import mock from prowler.providers.aws.services.route53.route53_service import Domain -from tests.providers.aws.utils import AWS_REGION_US_EAST_1 +from tests.providers.aws.utils import AWS_ACCOUNT_ARN, AWS_REGION_US_EAST_1 class Test_route53_domains_transferlock_enabled: 
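Review bot: `route53domains = mock.MagicMock` followed by the added `route53domains.audited_account_arn = AWS_ACCOUNT_ARN` sets the attribute on the `MagicMock` class itself, not on an instance, so `audited_account_arn` and `domains` become process-wide state visible to every other test that also uses the bare class and can mask a missing fixture elsewhere; instantiate it with `route53domains = mock.MagicMock()`. The same applies to the `test_domain_privacy_protection_enabled` fixture in this file. The `arn:aws:route53:::domain/{domain_name}` literal appears both in the `Domain(...)` fixture and in the new assertion, so the test only confirms that the check copies `domain.arn` through to `resource_arn`; the ARN format itself is asserted nowhere visible here and should be covered by the service test.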
@@ -25,10 +25,12 @@ class Test_route53_domains_transferlock_enabled: def test_domain_transfer_lock_disabled(self): route53domains = mock.MagicMock + route53domains.audited_account_arn = AWS_ACCOUNT_ARN domain_name = "test-domain.com" route53domains.domains = { domain_name: Domain( name=domain_name, + arn=f"arn:aws:route53:::domain/{domain_name}", region=AWS_REGION_US_EAST_1, admin_privacy=False, status_list=[""], @@ -49,6 +51,7 @@ class Test_route53_domains_transferlock_enabled: assert len(result) == 1 assert result[0].resource_id == domain_name + assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}" assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].status == "FAIL" assert ( @@ -58,10 +61,12 @@ class Test_route53_domains_transferlock_enabled: def test_domain_transfer_lock_enabled(self): route53domains = mock.MagicMock + route53domains.audited_account_arn = AWS_ACCOUNT_ARN domain_name = "test-domain.com" route53domains.domains = { domain_name: Domain( name=domain_name, + arn=f"arn:aws:route53:::domain/{domain_name}", region=AWS_REGION_US_EAST_1, admin_privacy=False, status_list=["clientTransferProhibited"], @@ -82,6 +87,7 @@ class Test_route53_domains_transferlock_enabled: assert len(result) == 1 assert result[0].resource_id == domain_name + assert result[0].resource_arn == f"arn:aws:route53:::domain/{domain_name}" assert result[0].region == AWS_REGION_US_EAST_1 assert result[0].status == "PASS" assert (
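Review bot: Both new fixtures in this file set `route53domains.audited_account_arn = AWS_ACCOUNT_ARN` on `mock.MagicMock` the class rather than an instance, so the value persists across the whole test session and other tests reading the attribute will see it whether or not they set it; use `route53domains = mock.MagicMock()` in `test_domain_transfer_lock_disabled` and `test_domain_transfer_lock_enabled`. Since `domain_name` and the `arn:aws:route53:::domain/{domain_name}` string are identical in both tests and their assertions, a module-level `DOMAIN_ARN` constant would remove the duplication.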