From 35043c2dd6376769c50ad1619c1b8a67650d6976 Mon Sep 17 00:00:00 2001 
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Tue, 19 Mar 2024 15:15:19 +0100 Subject: [PATCH] chore(unused services): scan unused services by default and add flag (#3556) Co-authored-by: Pepe Fagoaga --- docs/tutorials/parallel-execution.md | 4 ++-- ...re-unused-services.md => scan-unused-services.md} | 8 ++++---- mkdocs.yml | 2 +- prowler/providers/aws/aws_provider.py | 12 ++++++------ prowler/providers/aws/lib/arguments/arguments.py | 12 ++++++------ .../athena_workgroup_encryption.py | 2 +- .../athena_workgroup_enforce_configuration.py | 2 +- .../cloudtrail_s3_dataevents_read_enabled.py | 2 +- .../cloudtrail_s3_dataevents_write_enabled.py | 2 +- .../ec2_ebs_default_encryption.py | 4 +--- .../ec2_networkacl_allow_ingress_any_port.py | 2 +- .../ec2_networkacl_allow_ingress_tcp_port_22.py | 2 +- .../ec2_networkacl_allow_ingress_tcp_port_3389.py | 2 +- ...ygroup_allow_ingress_from_internet_to_any_port.py | 2 +- ...ress_from_internet_to_port_mongodb_27017_27018.py | 2 +- ...ow_ingress_from_internet_to_tcp_ftp_port_20_21.py | 2 +- ...oup_allow_ingress_from_internet_to_tcp_port_22.py | 2 +- ...p_allow_ingress_from_internet_to_tcp_port_3389.py | 2 +- ..._internet_to_tcp_port_cassandra_7199_9160_8888.py | 2 +- ...o_tcp_port_elasticsearch_kibana_9200_9300_5601.py | 2 +- ...w_ingress_from_internet_to_tcp_port_kafka_9092.py | 2 +- ...ress_from_internet_to_tcp_port_memcached_11211.py | 2 +- ...w_ingress_from_internet_to_tcp_port_mysql_3306.py | 2 +- ...ess_from_internet_to_tcp_port_oracle_1521_2483.py | 2 +- ...ngress_from_internet_to_tcp_port_postgres_5432.py | 2 +- ...w_ingress_from_internet_to_tcp_port_redis_6379.py | 2 +- ...from_internet_to_tcp_port_sql_server_1433_1434.py | 2 +- ...ow_ingress_from_internet_to_tcp_port_telnet_23.py | 2 +- .../ec2_securitygroup_allow_wide_open_public_ipv4.py | 2 +- ...talogs_connection_passwords_encryption_enabled.py | 2 +- ...glue_data_catalogs_metadata_encryption_enabled.py | 2 +- 
.../inspector2_is_enabled/inspector2_is_enabled.py | 4 ++-- .../macie/macie_is_enabled/macie_is_enabled.py | 2 +- .../networkfirewall_in_all_vpc.py | 2 +- .../s3_account_level_public_access_blocks.py | 2 +- .../vpc_flow_logs_enabled/vpc_flow_logs_enabled.py | 2 +- tests/lib/cli/parser_test.py | 8 ++++---- tests/providers/aws/aws_provider_test.py | 6 +++--- .../athena_workgroup_encryption_test.py | 2 +- .../athena_workgroup_enforce_configuration_test.py | 2 +- .../cloudtrail_s3_dataevents_read_enabled_test.py | 4 ++-- .../cloudtrail_s3_dataevents_write_enabled_test.py | 4 ++-- .../ec2_ebs_default_encryption_test.py | 4 ++-- .../ec2_networkacl_allow_ingress_any_port_test.py | 4 ++-- .../ec2_networkacl_allow_ingress_tcp_port_22_test.py | 4 ++-- ...c2_networkacl_allow_ingress_tcp_port_3389_test.py | 4 ++-- ...p_allow_ingress_from_internet_to_any_port_test.py | 4 ++-- ...from_internet_to_port_mongodb_27017_27018_test.py | 4 ++-- ...gress_from_internet_to_tcp_ftp_port_20_21_test.py | 4 ++-- ...llow_ingress_from_internet_to_tcp_port_22_test.py | 4 ++-- ...ow_ingress_from_internet_to_tcp_port_3389_test.py | 4 ++-- ...rnet_to_tcp_port_cassandra_7199_9160_8888_test.py | 4 ++-- ..._port_elasticsearch_kibana_9200_9300_5601_test.py | 4 ++-- ...ress_from_internet_to_tcp_port_kafka_9092_test.py | 4 ++-- ...from_internet_to_tcp_port_memcached_11211_test.py | 4 ++-- ...ress_from_internet_to_tcp_port_mysql_3306_test.py | 4 ++-- ...rom_internet_to_tcp_port_oracle_1521_2483_test.py | 4 ++-- ...s_from_internet_to_tcp_port_postgres_5432_test.py | 4 ++-- ...ress_from_internet_to_tcp_port_redis_6379_test.py | 4 ++-- ...internet_to_tcp_port_sql_server_1433_1434_test.py | 4 ++-- ...gress_from_internet_to_tcp_port_telnet_23_test.py | 4 ++-- ...s_connection_passwords_encryption_enabled_test.py | 4 ++-- ...data_catalogs_metadata_encryption_enabled_test.py | 4 ++-- .../inspector2_active_findings_exist_test.py | 2 +- .../macie/macie_is_enabled/macie_is_enabled_test.py | 4 ++-- 
.../networkfirewall_in_all_vpc_test.py | 4 ++-- .../s3_account_level_public_access_blocks_test.py | 2 +- .../vpc_flow_logs_enabled_test.py | 4 ++-- tests/providers/aws/utils.py | 4 ++-- 69 files changed, 116 insertions(+), 118 deletions(-) rename docs/tutorials/{ignore-unused-services.md => scan-unused-services.md} (91%) diff --git a/docs/tutorials/parallel-execution.md b/docs/tutorials/parallel-execution.md index 3e4cb2aeb1..de152f6af7 100644 --- a/docs/tutorials/parallel-execution.md +++ b/docs/tutorials/parallel-execution.md @@ -42,7 +42,7 @@ while read service; do echo "$(date '+%Y-%m-%d %H:%M:%S'): Starting job for service: ${service}" # Run the command in the background - (prowler -p "$profile" -s "$service" -F "${account_id}-${service}" --ignore-unused-services --only-logs; echo "$(date '+%Y-%m-%d %H:%M:%S') - ${service} has completed") & + (prowler -p "$profile" -s "$service" -F "${account_id}-${service}" --only-logs; echo "$(date '+%Y-%m-%d %H:%M:%S') - ${service} has completed") & # Check if we have reached the maximum number of processes while [ $(jobs -r | wc -l) -ge ${MAX_PROCESSES} ]; do @@ -98,7 +98,7 @@ $jobs = @() foreach ($service in $services) { # Start the command as a job $job = Start-Job -ScriptBlock { - prowler -p ${using:profile} -s ${using:service} -F "${using:account_id}-${using:service}" --ignore-unused-services --only-logs + prowler -p ${using:profile} -s ${using:service} -F "${using:account_id}-${using:service}" --only-logs $endTimestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss" Write-Output "${endTimestamp} - $using:service has completed" } diff --git a/docs/tutorials/ignore-unused-services.md b/docs/tutorials/scan-unused-services.md similarity index 91% rename from docs/tutorials/ignore-unused-services.md rename to docs/tutorials/scan-unused-services.md index 30fa3b670d..4231d4e064 100644 --- a/docs/tutorials/ignore-unused-services.md +++ b/docs/tutorials/scan-unused-services.md 
@@ -1,15 +1,15 @@ -# Ignore Unused Services +# Scan Unused Services ???+ note Currently only available on the AWS provider. -Prowler allows you to ignore unused services findings, so you can reduce the number of findings in Prowler's reports. +By default, Prowler only scans the cloud services that are used (where resources are created) to reduce the number of findings in Prowler's reports. If you want Prowler to also scan unused services, you can use the following command: ```console -prowler --ignore-unused-services +prowler --scan-unused-services ``` -## Services that can be ignored +## Services that are ignored ### AWS #### Athena When you create an AWS Account, Athena will create a default primary workgroup for you. diff --git a/mkdocs.yml b/mkdocs.yml index 82cdb35bb8..e3634c305e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -44,7 +44,7 @@ nav: - Mute List: tutorials/mutelist.md - Check Aliases: tutorials/check-aliases.md - Custom Metadata: tutorials/custom-checks-metadata.md - - Ignore Unused Services: tutorials/ignore-unused-services.md + - Scan Unused Services: tutorials/scan-unused-services.md - Pentesting: tutorials/pentesting.md - Parallel Execution: tutorials/parallel-execution.md - Developer Guide: developer-guide/introduction.md diff --git a/prowler/providers/aws/aws_provider.py b/prowler/providers/aws/aws_provider.py index 56476fda18..c5353b5d77 100644 --- a/prowler/providers/aws/aws_provider.py +++ b/prowler/providers/aws/aws_provider.py @@ -48,7 +48,7 @@ class AwsProvider(Provider): _organizations_metadata: AWSOrganizationsInfo _audit_resources: list = [] _audit_config: dict - _ignore_unused_services: bool = False + _scan_unused_services: bool = False _enabled_regions: set = set() _mutelist: dict = {} _output_options: AWSOutputOptions 
@@ -73,8 +73,8 @@ class AwsProvider(Provider): input_regions = getattr(arguments, "region", set()) organizations_role_arn = getattr(arguments, "organizations_role", None) - # Set if unused services must be ignored - ignore_unused_services = getattr(arguments, "ignore_unused_services", None) + # Set if unused services must be scanned + scan_unused_services = getattr(arguments, "scan_unused_services", None) ######## ######## AWS Session @@ -222,7 +222,7 @@ class AwsProvider(Provider): ) # Set ignore unused services - self._ignore_unused_services = ignore_unused_services + self._scan_unused_services = scan_unused_services # Audit Config self._audit_config = {} @@ -252,8 +252,8 @@ class AwsProvider(Provider): return self._audit_resources @property - def ignore_unused_services(self): - return self._ignore_unused_services + def scan_unused_services(self): + return self._scan_unused_services @property def audit_config(self): diff --git a/prowler/providers/aws/lib/arguments/arguments.py b/prowler/providers/aws/lib/arguments/arguments.py index 98757a163f..63412c4d56 100644 --- a/prowler/providers/aws/lib/arguments/arguments.py +++ b/prowler/providers/aws/lib/arguments/arguments.py @@ -147,14 +147,14 @@ def init_parser(self): help="Set the maximum attemps for the Boto3 standard retrier config (Default: 3)", ) - # Ignore Unused Services - ignore_unused_services_subparser = aws_parser.add_argument_group( - "Ignore Unused Services" + # Scan Unused Services + scan_unused_services_subparser = aws_parser.add_argument_group( + "Scan Unused Services" ) - ignore_unused_services_subparser.add_argument( - "--ignore-unused-services", + scan_unused_services_subparser.add_argument( + "--scan-unused-services", action="store_true", - help="Ignore findings in unused services", + help="Scan unused services", ) 
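Review bot: `scan_unused_services = getattr(arguments, "scan_unused_services", None)` falls back to `None`, although the class body in the previous hunk declares `_scan_unused_services: bool = False`; a caller that constructs the provider without this argument stores `None`, and the `scan_unused_services` property hands that `None` to every check. Since the argparse option is `store_true` and always yields a bool, this fallback is the only path that produces a non-bool; use `getattr(arguments, "scan_unused_services", False)` so the stored value matches the declared type. The enclosing method starts and ends outside the hunk.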
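Review bot: The comment `# Set ignore unused services` above the renamed assignment still describes the old semantics while the line under it now stores `scan_unused_services`, whose meaning is the opposite; because the default behaviour flips with this commit (unused services are skipped unless the flag is given), a reader taking the comment at face value will invert the logic. Replace it with `# Set whether unused services must also be scanned (they are skipped by default)`. The enclosing method starts and ends outside the hunk.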
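Review bot: `--ignore-unused-services` is removed without a deprecated alias, so any existing automation that still passes it, like the commands this same patch rewrites in docs/tutorials/parallel-execution.md, will now fail at argument parsing rather than degrade to the new default. Consider keeping the old option name for one release as a hidden no-op that only logs a deprecation warning, and make the new help text state the default it changes, e.g. `help="Also scan unused services (by default only services with resources in use are scanned)"`, since `Scan unused services` alone does not tell the user that findings are now omitted without the flag. `init_parser` continues outside the hunk.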
diff --git a/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.py b/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.py index d9d498c45f..42bebbe448 100644 --- a/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.py +++ b/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.py @@ -12,7 +12,7 @@ class athena_workgroup_encryption(Check): # Only check for enabled and used workgroups (has recent queries) if ( workgroup.state == "ENABLED" and workgroup.queries - ) or not athena_client.provider.ignore_unused_services: + ) or athena_client.provider.scan_unused_services: report = Check_Report_AWS(self.metadata()) report.region = workgroup.region report.resource_id = workgroup.name diff --git a/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.py b/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.py index d0043edfc2..1606c6cfb7 100644 --- a/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.py +++ b/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.py @@ -12,7 +12,7 @@ class athena_workgroup_enforce_configuration(Check): # Only check for enabled and used workgroups (has recent queries) if ( workgroup.state == "ENABLED" and workgroup.queries - ) or not athena_client.provider.ignore_unused_services: + ) or athena_client.provider.scan_unused_services: report = Check_Report_AWS(self.metadata()) report.region = workgroup.region report.resource_id = workgroup.name 
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py index 289438dc7a..dc0916f34c 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py @@ -50,7 +50,7 @@ class cloudtrail_s3_dataevents_read_enabled(Check): report.status_extended = f"Trail {trail.name} from home region {trail.home_region} has an advanced data event selector to record all S3 object-level API operations." findings.append(report) if not findings and ( - s3_client.buckets or not cloudtrail_client.provider.ignore_unused_services + s3_client.buckets or cloudtrail_client.provider.scan_unused_services ): report = Check_Report_AWS(self.metadata()) report.region = cloudtrail_client.region diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py index bf01a971d3..fda427d25f 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py 
@@ -50,7 +50,7 @@ class cloudtrail_s3_dataevents_write_enabled(Check): report.status_extended = f"Trail {trail.name} from home region {trail.home_region} has an advanced data event selector to record all S3 object-level API operations." findings.append(report) if not findings and ( - s3_client.buckets or not cloudtrail_client.provider.ignore_unused_services + s3_client.buckets or cloudtrail_client.provider.scan_unused_services ): report = Check_Report_AWS(self.metadata()) report.region = cloudtrail_client.region diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py b/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py index 9032126c00..8ef98bc92c 100644 --- a/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py +++ b/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py @@ -16,9 +16,7 @@ class ec2_ebs_default_encryption(Check): report.status = "PASS" report.status_extended = "EBS Default Encryption is activated." findings.append(report) - elif ( - not ec2_client.provider.ignore_unused_services or ebs_encryption.volumes - ): + elif ec2_client.provider.scan_unused_services or ebs_encryption.volumes: report.status = "FAIL" report.status_extended = "EBS Default Encryption is not activated." findings.append(report) diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py index 55c4c796ef..444f73527c 100644 --- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py +++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py 
@@ -10,7 +10,7 @@ class ec2_networkacl_allow_ingress_any_port(Check): check_port = 0 for network_acl in ec2_client.network_acls: if ( - not ec2_client.provider.ignore_unused_services + ec2_client.provider.scan_unused_services or network_acl.region in ec2_client.regions_with_sgs ): # If some entry allows it, that ACL is not securely configured diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py index f8b8526632..13d580c3f5 100644 --- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py +++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py @@ -10,7 +10,7 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check): check_port = 22 for network_acl in ec2_client.network_acls: if ( - not ec2_client.provider.ignore_unused_services + ec2_client.provider.scan_unused_services or network_acl.region in ec2_client.regions_with_sgs ): # If some entry allows it, that ACL is not securely configured diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py index 42b873b62f..11adad1d69 100644 --- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py +++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py 
@@ -10,7 +10,7 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check): check_port = 3389 for network_acl in ec2_client.network_acls: if ( - not ec2_client.provider.ignore_unused_services + ec2_client.provider.scan_unused_services or network_acl.region in ec2_client.regions_with_sgs ): # If some entry allows it, that ACL is not securely configured diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py index 88c1f770c0..8a91fb1b94 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py @@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check): findings = [] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py index f07d561db2..7d81a491d5 100644 
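Review bot: The context comment `# Check if ignoring flag is set and if the VPC and the SG is in use` directly above the changed condition now describes the old flag; the new side tests `ec2_client.provider.scan_unused_services`, which is off by default, so the comment reads inverted against the code it annotates. Change it to `# Check if the scan-unused-services flag is set, or if the VPC and the SG are in use` here and in the identical hunks of the other ec2_securitygroup_allow_ingress_from_internet_to_* checks and ec2_securitygroup_allow_wide_open_public_ipv4. The comment should also make the coverage consequence visible: with the new default, a security group that has no network interface attached or whose VPC is not in use is no longer reported at all unless the flag is passed, whereas before this commit it was reported unless the user opted out. The enclosing method starts and ends outside the hunk.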
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018( check_ports = [27017, 27018] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py index 531cd0e6da..49e40528b4 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py 
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21(Check) check_ports = [20, 21] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py index 98e4707db6..302b90fde3 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22(Check): check_ports = [22] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py index 4ba73e2ec8..1a8817e689 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389(Check): check_ports = [3389] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py index 3aa513d1a5..380fc0758d 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py 
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py @@ -12,7 +12,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9 check_ports = [7199, 9160, 8888] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py index a4b105d9e5..d117f2ae05 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py 
@@ -12,7 +12,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_ki check_ports = [9200, 9300, 5601] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py index d2e8632354..a437239b08 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092(Check check_ports = [9092] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py index 215eb0c3b6..b233307c7b 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211( check_ports = [11211] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py index 6678aa04e4..495a216558 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py 
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306(Check check_ports = [3306] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py index c9da15e8c6..dcc2696d6a 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483 check_ports = [1521, 2483] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py index c9a6786865..1882064d3a 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432(Ch check_ports = [5432] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py index 6a5701b6d1..3c88521612 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py 
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379(Check check_ports = [6379] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py index 18cab0fb9e..c7590cd444 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py 
@@ -12,7 +12,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_ check_ports = [1433, 1434] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py index e8b173fbfd..97166f0b0c 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py @@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23(Check) check_ports = [23] for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.py index 4a90f4e95b..549c8b3064 100644 --- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.py +++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.py @@ -11,7 +11,7 @@ class ec2_securitygroup_allow_wide_open_public_ipv4(Check): cidr_treshold = 24 for security_group in ec2_client.security_groups: # Check if ignoring flag is set and if the VPC and the SG is in use - if not ec2_client.provider.ignore_unused_services or ( + if ec2_client.provider.scan_unused_services or ( security_group.vpc_id in vpc_client.vpcs and vpc_client.vpcs[security_group.vpc_id].in_use and len(security_group.network_interfaces) > 0 diff --git a/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py index 1e4174df52..b599733a74 100644 --- a/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py 
@@ -7,7 +7,7 @@ class glue_data_catalogs_connection_passwords_encryption_enabled(Check): findings = [] for encryption in glue_client.catalog_encryption_settings: # Check only if there are Glue Tables - if encryption.tables or not glue_client.provider.ignore_unused_services: + if encryption.tables or glue_client.provider.scan_unused_services: report = Check_Report_AWS(self.metadata()) report.resource_id = glue_client.audited_account report.resource_arn = glue_client.__get_data_catalog_arn_template__( diff --git a/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py index cc9e19891e..21955d607f 100644 --- a/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py @@ -7,7 +7,7 @@ class glue_data_catalogs_metadata_encryption_enabled(Check): findings = [] for encryption in glue_client.catalog_encryption_settings: # Check only if there are Glue Tables - if encryption.tables or not glue_client.provider.ignore_unused_services: + if encryption.tables or glue_client.provider.scan_unused_services: report = Check_Report_AWS(self.metadata()) report.resource_id = glue_client.audited_account report.resource_arn = glue_client.__get_data_catalog_arn_template__( diff --git a/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py index d183c175a1..95969653c3 100644 --- a/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py 
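Review bot: The comment `# Check only if there are Glue Tables` no longer matches the condition, which after the change also reports when `glue_client.provider.scan_unused_services` is set; `# Report when the catalog holds tables, or when unused services are scanned as well` covers both branches. The glue_data_catalogs_metadata_encryption_enabled hunk on this same line carries the identical comment above the identical change and needs the same edit. The enclosing execute() continues outside both hunks.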
+++ b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py @@ -20,7 +20,7 @@ class inspector2_is_enabled(Check): report.status_extended = "Inspector2 is enabled." findings.append(report) else: - if inspector2_client.provider.ignore_unused_services: + if not inspector2_client.provider.scan_unused_services: funtions_in_region = False ec2_in_region = False for function in awslambda_client.functions.values(): @@ -29,7 +29,7 @@ class inspector2_is_enabled(Check): for instance in ec2_client.instances: if instance == inspector.region: ec2_in_region = True - if not inspector2_client.provider.ignore_unused_services or ( + if inspector2_client.provider.scan_unused_services or ( funtions_in_region or ecr_client.registries[inspector.region].repositories or ec2_in_region diff --git a/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py b/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py index dc5029ecaf..ac95388e9a 100644 --- a/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py +++ b/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py @@ -19,7 +19,7 @@ class macie_is_enabled(Check): findings.append(report) else: if ( - not macie_client.provider.ignore_unused_services + macie_client.provider.scan_unused_services or session.region in s3_client.regions_with_buckets ): if session.status == "PAUSED": diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py index f28883efae..6e68988f4f 100644 --- a/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py +++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py 
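Review bot: `scan_unused_services` is tested twice in inspector2_is_enabled: the first hunk guards the in-region usage scan with `if not inspector2_client.provider.scan_unused_services:` and the second hunk re-tests `if inspector2_client.provider.scan_unused_services or (funtions_in_region or ...)`. Indentation is lost in this rendering, so it is not visible whether the second `if` sits inside the first; if it does, the `scan_unused_services or` clause is dead, and if it does not, `funtions_in_region` and `ec2_in_region` are bound only on the path where the flag is false and the code relies on short-circuit evaluation to avoid a NameError. Initialising both booleans before the guard, or folding the decision into a single test of the flag, removes the ambiguity either way. The `funtions_in_region` spelling in the context lines is presumably meant to be `functions_in_region`. The enclosing else branch and execute() extend outside the hunk.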
@@ -9,7 +9,7 @@ class networkfirewall_in_all_vpc(Check): def execute(self): findings = [] for vpc in vpc_client.vpcs.values(): - if not vpc_client.provider.ignore_unused_services or vpc.in_use: + if vpc_client.provider.scan_unused_services or vpc.in_use: report = Check_Report_AWS(self.metadata()) report.region = vpc.region report.resource_id = vpc.id diff --git a/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py b/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py index d0a8f66165..07814a0aab 100644 --- a/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py +++ b/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py @@ -18,7 +18,7 @@ class s3_account_level_public_access_blocks(Check): report.resource_id = s3control_client.audited_account report.resource_arn = s3_client.account_arn_template findings.append(report) - elif s3_client.buckets or not s3_client.provider.ignore_unused_services: + elif s3_client.buckets or s3_client.provider.scan_unused_services: report.status = "FAIL" report.status_extended = f"Block Public Access is not configured for the account {s3control_client.audited_account}." report.region = s3control_client.region diff --git a/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py b/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py index 2177d11300..1d2da328fa 100644 --- a/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py +++ b/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py 
@@ -6,7 +6,7 @@ class vpc_flow_logs_enabled(Check): def execute(self): findings = [] for vpc in vpc_client.vpcs.values(): - if not vpc_client.provider.ignore_unused_services or vpc.in_use: + if vpc_client.provider.scan_unused_services or vpc.in_use: report = Check_Report_AWS(self.metadata()) report.region = vpc.region report.resource_tags = vpc.tags diff --git a/tests/lib/cli/parser_test.py b/tests/lib/cli/parser_test.py index a681b466ae..d67a0a9404 100644 --- a/tests/lib/cli/parser_test.py +++ b/tests/lib/cli/parser_test.py @@ -80,7 +80,7 @@ class Test_Parser: assert not parsed.output_bucket_no_assume assert not parsed.shodan assert not parsed.resource_tags - assert not parsed.ignore_unused_services + assert not parsed.scan_unused_services def test_default_parser_no_arguments_azure(self): provider = "azure" @@ -1040,11 +1040,11 @@ class Test_Parser: parsed = self.parser.parse(command) assert parsed.aws_retries_max_attempts == int(max_retries) - def test_aws_parser_ignore_unused_services(self): - argument = "--ignore-unused-services" + def test_aws_parser_scan_unused_services(self): + argument = "--scan-unused-services" command = [prowler_command, argument] parsed = self.parser.parse(command) - assert parsed.ignore_unused_services + assert parsed.scan_unused_services def test_aws_parser_config_file(self): argument = "--config-file" diff --git a/tests/providers/aws/aws_provider_test.py b/tests/providers/aws/aws_provider_test.py index 2c29e567cc..d66613f77e 100644 --- a/tests/providers/aws/aws_provider_test.py +++ b/tests/providers/aws/aws_provider_test.py 
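Review bot: The default pinned in the first parser hunk, `assert not parsed.scan_unused_services`, means a run with no flags now skips resources the checks cannot see in use, whereas the removed conditions (`if not ...ignore_unused_services or (...)`) scanned everything when no flag was given; the commit title's "scan unused services by default" reads the opposite way, so either the title or the default should be corrected. If the narrower default is intended, it deserves a release note, because an unattached security group open to the internet or a VPC without flow logs stops appearing in findings unless `--scan-unused-services` is passed. The second hunk only shows that the flag parses to a truthy value; the test name and argument are consistent with that, but nothing here asserts what value the provider layer sees when the flag is absent.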
@@ -240,11 +240,11 @@ class TestAWSProvider: def test_aws_provider_default(self): arguments = Namespace() arguments.mfa = False - arguments.ignore_unused_services = True + arguments.scan_unused_services = True aws_provider = AwsProvider(arguments) assert aws_provider.type == "aws" - assert aws_provider.ignore_unused_services is True + assert aws_provider.scan_unused_services is True assert aws_provider.audit_config == {} assert aws_provider.session.current_session.region_name == AWS_REGION_US_EAST_1 @@ -359,7 +359,7 @@ class TestAWSProvider: aws_provider = AwsProvider(arguments) assert aws_provider.type == "aws" - assert aws_provider.ignore_unused_services is None + assert aws_provider.scan_unused_services is None assert aws_provider.audit_config == {} assert ( aws_provider.session.current_session.region_name == AWS_REGION_US_EAST_1 diff --git a/tests/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption_test.py b/tests/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption_test.py index 75d45d202c..9be889d3d8 100644 --- a/tests/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption_test.py +++ b/tests/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption_test.py @@ -51,7 +51,7 @@ class Test_athena_workgroup_encryption: from prowler.providers.aws.services.athena.athena_service import Athena aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) - aws_provider._ignore_unused_services = True + aws_provider._scan_unused_services = False with mock.patch( "prowler.providers.common.common.get_global_provider", diff --git a/tests/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration_test.py b/tests/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration_test.py index c73c06f830..efb074fcc5 100644 
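Review bot: The second hunk pins `aws_provider.scan_unused_services is None` for a provider built without the attribute, while the first pins `is True`; the checks in this diff only ever apply truthiness to the flag, so `None` behaves as false, but a tri-state value on a public attribute invites a later `== False` comparison to misfire. Normalising in AwsProvider (outside this diff) with something like `bool(getattr(arguments, "scan_unused_services", False))` and asserting `is False` here would make the inferred default explicit. The fixture lines before each assertion are outside the hunk.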
--- a/tests/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration_test.py +++ b/tests/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration_test.py @@ -51,7 +51,7 @@ class Test_athena_workgroup_enforce_configuration: from prowler.providers.aws.services.athena.athena_service import Athena aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) - aws_provider._ignore_unused_services = True + aws_provider._scan_unused_services = False with mock.patch( "prowler.providers.common.common.get_global_provider", diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py index 89ac4ed02b..648df19ce8 100644 --- a/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py +++ b/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled_test.py @@ -71,7 +71,7 @@ class Test_cloudtrail_s3_dataevents_read_enabled: from prowler.providers.aws.services.s3.s3_service import S3 aws_provider = set_mocked_aws_provider() - aws_provider._ignore_unused_services = True + aws_provider._scan_unused_services = False with mock.patch( "prowler.providers.common.common.get_global_provider", @@ -105,7 +105,7 @@ class Test_cloudtrail_s3_dataevents_read_enabled: from prowler.providers.aws.services.s3.s3_service import S3 aws_provider = set_mocked_aws_provider() - aws_provider._ignore_unused_services = True + aws_provider._scan_unused_services = False with mock.patch( "prowler.providers.common.common.get_global_provider", 
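Review bot: Every check fixture updated from the athena tests onward sets `scan_unused_services=False` or `_scan_unused_services = False`, the path that narrows the scan to in-use resources; no visible hunk in this diff sets the flag to True, so the opt-in branch of the inverted conditions (`if ...scan_unused_services or (...)`) is, as far as this diff shows, untested after the rename. One case per check that passes `scan_unused_services=True` together with an unattached or unused resource would pin that the flag really widens the scan rather than merely parsing. Whether such a test already exists elsewhere cannot be seen from here.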
diff --git a/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py b/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py index a7f0323b15..a144be6b61 100644 --- a/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py +++ b/tests/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled_test.py @@ -135,7 +135,7 @@ class Test_cloudtrail_s3_dataevents_write_enabled: from prowler.providers.aws.services.s3.s3_service import S3 aws_provider = set_mocked_aws_provider() - aws_provider._ignore_unused_services = True + aws_provider._scan_unused_services = False with mock.patch( "prowler.providers.common.common.get_global_provider", @@ -168,7 +168,7 @@ class Test_cloudtrail_s3_dataevents_write_enabled: from prowler.providers.aws.services.s3.s3_service import S3 aws_provider = set_mocked_aws_provider() - aws_provider._ignore_unused_services = True + aws_provider._scan_unused_services = False with mock.patch( "prowler.providers.common.common.get_global_provider", diff --git a/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py b/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py index bd3734ad9a..c36c5f4def 100644 --- a/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py +++ b/tests/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_test.py @@ -121,7 +121,7 @@ class Test_ec2_ebs_default_encryption: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( 
@@ -151,7 +151,7 @@ class Test_ec2_ebs_default_encryption: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port_test.py b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port_test.py index bcbcd56f1f..f29577da80 100644 --- a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port_test.py +++ b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port_test.py @@ -203,7 +203,7 @@ class Test_ec2_networkacl_allow_ingress_any_port: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -245,7 +245,7 @@ class Test_ec2_networkacl_allow_ingress_any_port: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22_test.py b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22_test.py index 7b747373ba..e1d7b37440 100644 --- a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22_test.py +++ b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22_test.py 
@@ -205,7 +205,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_22: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -247,7 +247,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_22: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389_test.py b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389_test.py index bec6b56515..ce2a111650 100644 --- a/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389_test.py +++ b/tests/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389_test.py @@ -205,7 +205,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_3389: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -247,7 +247,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_3389: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py index 8c637add22..949de3577f 100644 
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port_test.py @@ -265,7 +265,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port: expected_checks=[ "ec2_securitygroup_allow_ingress_from_internet_to_any_port" ], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -308,7 +308,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port: expected_checks=[ "ec2_securitygroup_allow_ingress_from_internet_to_any_port" ], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py index c75c531e87..dbb0067183 100644 --- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018_test.py @@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2 aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( 
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2 aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py index f64830fcd8..adfd2dcb78 100644 --- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21_test.py @@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py index b992ffe94c..9ad1dc5df0 100644 
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22_test.py @@ -192,7 +192,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -232,7 +232,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py index 703e9b22b8..25c62f8069 100644 --- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389_test.py @@ -59,7 +59,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( 
@@ -99,7 +99,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py index 505f5dd0e1..17ed1557b3 100644 --- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888_test.py @@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7 aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7 aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( 
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py index 4e2db95f98..67ab29d792 100644 --- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601_test.py @@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py index bb1ab9fb47..550343756f 100644 
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092_test.py @@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( @@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092: aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py index 6e2417cb13..050a8abb5f 100644 --- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py +++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211_test.py @@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1 aws_provider = set_mocked_aws_provider( [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1], - ignore_unused_services=True, + scan_unused_services=False, ) with mock.patch( 
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
index 9064e2f99e..1720e70674 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306_test.py
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
index 94acaa8f85..916d804e1c 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483_test.py
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
index bf1b440163..e4e05ff70e 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432_test.py
@@ -264,7 +264,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
@@ -306,7 +306,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
index aa971e327c..803215321d 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379_test.py
@@ -243,7 +243,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 AWS_REGION_EU_WEST_1,
 ]
 )
- aws_provider._ignore_unused_services = True
+ aws_provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.common.common.get_global_provider",
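Review bot: In the redis hunk (`@@ -243,7`) the new line `aws_provider._scan_unused_services = False` pokes a private attribute of the object just returned by `set_mocked_aws_provider`, while that helper accepts the same switch as a keyword (the elasticsearch, kafka, memcached, mysql, oracle and postgres hunks above all pass `scan_unused_services=False` to the call). Writing it as `aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1], scan_unused_services=False)` and dropping the assignment keeps the test independent of the provider's attribute name, which this commit has just shown can change. This is a point of style, not behaviour; nothing visible between the call and the assignment reads the flag. The test method starts before the hunk and continues past it.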
@@ -281,7 +281,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
 from prowler.providers.aws.services.ec2.ec2_service import EC2
 aws_provider = set_mocked_aws_provider()
- aws_provider._ignore_unused_services = True
+ aws_provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.common.common.get_global_provider",
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
index 019afa89d3..4e4b6b52c5 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434_test.py
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
diff --git a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
index 59f153a33d..460b203c9c 100644
--- a/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
+++ b/tests/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23_test.py
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
- ignore_unused_services=True,
+ scan_unused_services=False,
 )
 with mock.patch(
diff --git a/tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py
index 1b513ec61c..a77731b950 100644
--- a/tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py
+++ b/tests/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled_test.py
@@ -91,7 +91,7 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled:
 glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
 return_value=glue_client.data_catalog_arn_template
 )
- glue_client.provider._ignore_unused_services = True
+ glue_client.provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.aws.services.glue.glue_service.Glue",
 glue_client,
@@ -126,7 +126,7 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled:
 glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
 return_value=glue_client.data_catalog_arn_template
 )
- glue_client.provider._ignore_unused_services = True
+ glue_client.provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.aws.services.glue.glue_service.Glue",
 glue_client,
diff --git a/tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py b/tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py
index 9d8ed4a15d..be5600ad1c 100644
--- a/tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py
+++ b/tests/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled_test.py
@@ -86,7 +86,7 @@ class Test_glue_data_catalogs_metadata_encryption_enabled:
 )
 ]
 glue_client.audited_account = AWS_ACCOUNT_NUMBER
- glue_client.provider._ignore_unused_services = True
+ glue_client.provider._scan_unused_services = False
 glue_client.audited_partition = AWS_COMMERCIAL_PARTITION
 glue_client.region = AWS_REGION_US_EAST_1
 glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
@@ -121,7 +121,7 @@ class Test_glue_data_catalogs_metadata_encryption_enabled:
 )
 ]
 glue_client.audited_account = AWS_ACCOUNT_NUMBER
- glue_client.provider._ignore_unused_services = True
+ glue_client.provider._scan_unused_services = False
 glue_client.audited_partition = AWS_COMMERCIAL_PARTITION
 glue_client.region = AWS_REGION_US_EAST_1
 glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
diff --git a/tests/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist_test.py b/tests/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist_test.py
index 407ee0e612..f9a92fc208 100644
--- a/tests/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist_test.py
+++ b/tests/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist_test.py
@@ -266,7 +266,7 @@ class Test_inspector2_active_findings_exist:
 ecr_client.provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
 awslambda_client.aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
 inspector2_client.aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
- inspector2_client.provider._ignore_unused_services = True
+ inspector2_client.provider._scan_unused_services = False
 inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
 inspector2_client.audited_account_arn = (
 f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
diff --git a/tests/providers/aws/services/macie/macie_is_enabled/macie_is_enabled_test.py b/tests/providers/aws/services/macie/macie_is_enabled/macie_is_enabled_test.py
index 68b1c1d17b..cf8b680ab2 100644
--- a/tests/providers/aws/services/macie/macie_is_enabled/macie_is_enabled_test.py
+++ b/tests/providers/aws/services/macie/macie_is_enabled/macie_is_enabled_test.py
@@ -141,7 +141,7 @@ class Test_macie_is_enabled:
 ]
 aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
- macie_client.provider._ignore_unused_services = True
+ macie_client.provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.common.common.get_global_provider",
@@ -192,7 +192,7 @@ class Test_macie_is_enabled:
 macie_client.__get_session_arn_template__ = mock.MagicMock(
 return_value=macie_client.session_arn_template
 )
- macie_client.provider._ignore_unused_services = True
+ macie_client.provider._scan_unused_services = False
 aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
 with mock.patch(
diff --git a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py
index 9b9d9a497c..cd5b143165 100644
--- a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py
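Review bot: In the inspector2 hunk (`@@ -266,7`) the changed line writes `inspector2_client.provider._scan_unused_services = False`, but the line directly above installs the mocked provider under a different attribute, `inspector2_client.aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])`, while `ecr_client` in the same hunk uses `.provider`. If `inspector2_client` is a MagicMock (its construction is outside the hunk, so this is inferred), `.provider` is auto-created on first access and the flag lands on an object the check under test may never consult, so the test exercises the new default rather than the skip path it appears to set up. Using one attribute name and the helper's own keyword, `inspector2_client.provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1], scan_unused_services=False)`, removes the ambiguity. The test method starts before the hunk.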
+++ b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py
@@ -437,7 +437,7 @@ class Test_networkfirewall_in_all_vpc:
 }
 aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
- vpc_client.provider._ignore_unused_services = True
+ vpc_client.provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.common.common.get_global_provider",
@@ -502,7 +502,7 @@ class Test_networkfirewall_in_all_vpc:
 }
 aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
- vpc_client.provider._ignore_unused_services = True
+ vpc_client.provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.common.common.get_global_provider",
diff --git a/tests/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_test.py b/tests/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_test.py
index d9c950f60c..160ab3da5a 100644
--- a/tests/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_test.py
+++ b/tests/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_test.py
@@ -127,7 +127,7 @@ class Test_s3_account_level_public_access_blocks:
 from prowler.providers.aws.services.s3.s3_service import S3, S3Control
 aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
- aws_provider._ignore_unused_services = True
+ aws_provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.common.common.get_global_provider",
diff --git a/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py b/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py
index fc725dd2f2..81669937b9 100644
--- a/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py
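Review bot: In the first networkfirewall hunk (`@@ -437,7`) two provider objects are now in play with opposite values of the flag: the `aws_provider` built one line up keeps the helper's new default of True, and only `vpc_client.provider` is forced to False on the changed line. Which of the two the check reads cannot be seen from here — the `with mock.patch("prowler.providers.common.common.get_global_provider", ...)` that follows suggests `aws_provider` is the one handed to the check, in which case the assignment on `vpc_client.provider` does not produce the skip-path behaviour the test seems to intend. Passing `scan_unused_services=False` to that `set_mocked_aws_provider([AWS_REGION_US_EAST_1])` call as well makes both objects agree and removes the dependence on which one is resolved. The same shape recurs in the second networkfirewall hunk and in the macie hunks above; the test methods start before their hunks.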
+++ b/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py
@@ -145,7 +145,7 @@ class Test_vpc_flow_logs_enabled:
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
 )
- aws_provider._ignore_unused_services = True
+ aws_provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.common.common.get_global_provider",
@@ -177,7 +177,7 @@ class Test_vpc_flow_logs_enabled:
 aws_provider = set_mocked_aws_provider(
 [AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
 )
- aws_provider._ignore_unused_services = True
+ aws_provider._scan_unused_services = False
 with mock.patch(
 "prowler.providers.common.common.get_global_provider",
diff --git a/tests/providers/aws/utils.py b/tests/providers/aws/utils.py
index 34740421cd..68a55fa61a 100644
--- a/tests/providers/aws/utils.py
+++ b/tests/providers/aws/utils.py
@@ -58,7 +58,7 @@ def set_mocked_aws_provider(
 expected_checks: list[str] = [],
 profile_region: str = None,
 audit_config: dict = {},
- ignore_unused_services: bool = False,
+ scan_unused_services: bool = True,
 audit_session: session.Session = session.Session(
 profile_name=None,
 botocore_session=None,
@@ -96,7 +96,7 @@ def set_mocked_aws_provider(
 provider._identity.profile_region = profile_region
 provider._identity.audited_regions = audited_regions
 # Mock Configiration
- provider._ignore_unused_services = ignore_unused_services
+ provider._scan_unused_services = scan_unused_services
 provider._enabled_regions = (
 enabled_regions if enabled_regions else set(audited_regions)
 )
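Review bot: In the utils.py hunk at `@@ -58,7` the new default `scan_unused_services: bool = True` changes what every test that passes nothing gets, and nothing at the parameter says this is deliberate rather than a slip in an inverted-sense rename; a comment above it would spare the next reader a trip to the CLI code: `# Default mirrors the CLI (unused services are scanned); tests of the skip path must pass scan_unused_services=False`. Because the name and the sense flip together, a straggler still passing `ignore_unused_services=` now fails with a TypeError instead of silently keeping the old behaviour, which is the right failure mode and worth a line in the PR description. As a point of style the boolean could sit behind a `*,` so a bare positional True/False is never misread, but the parameter list starts and continues outside the hunk, so that is a wider change than this commit makes.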