mirror of
https://github.com/prowler-cloud/prowler.git
synced 2025-12-19 05:17:47 +00:00
chore(unused services): scan unused services by default and add flag (#3556)
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
This commit is contained in:
Sergio Garcia
@@ -42,7 +42,7 @@ while read service; do
|
||||
echo "$(date '+%Y-%m-%d %H:%M:%S'): Starting job for service: ${service}"
|
||||
|
||||
# Run the command in the background
|
||||
(prowler -p "$profile" -s "$service" -F "${account_id}-${service}" --ignore-unused-services --only-logs; echo "$(date '+%Y-%m-%d %H:%M:%S') - ${service} has completed") &
|
||||
(prowler -p "$profile" -s "$service" -F "${account_id}-${service}" --only-logs; echo "$(date '+%Y-%m-%d %H:%M:%S') - ${service} has completed") &
|
||||
|
||||
# Check if we have reached the maximum number of processes
|
||||
while [ $(jobs -r | wc -l) -ge ${MAX_PROCESSES} ]; do
|
||||
@@ -98,7 +98,7 @@ $jobs = @()
|
||||
foreach ($service in $services) {
|
||||
# Start the command as a job
|
||||
$job = Start-Job -ScriptBlock {
|
||||
prowler -p ${using:profile} -s ${using:service} -F "${using:account_id}-${using:service}" --ignore-unused-services --only-logs
|
||||
prowler -p ${using:profile} -s ${using:service} -F "${using:account_id}-${using:service}" --only-logs
|
||||
$endTimestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
|
||||
Write-Output "${endTimestamp} - $using:service has completed"
|
||||
}
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
# Ignore Unused Services
|
||||
# Scan Unused Services
|
||||
|
||||
???+ note
|
||||
Currently only available on the AWS provider.
|
||||
|
||||
Prowler allows you to ignore unused services findings, so you can reduce the number of findings in Prowler's reports.
|
||||
By default, Prowler only scans the cloud services that are used (where resources are created) to reduce the number of findings in Prowler's reports. If you want Prowler to also scan unused services, you can use the following command:
|
||||
|
||||
```console
|
||||
prowler <provider> --ignore-unused-services
|
||||
prowler <provider> --scan-unused-services
|
||||
```
|
||||
|
||||
## Services that can be ignored
|
||||
## Services that are ignored
|
||||
### AWS
|
||||
#### Athena
|
||||
When you create an AWS Account, Athena will create a default primary workgroup for you.
|
||||
@@ -44,7 +44,7 @@ nav:
|
||||
- Mute List: tutorials/mutelist.md
|
||||
- Check Aliases: tutorials/check-aliases.md
|
||||
- Custom Metadata: tutorials/custom-checks-metadata.md
|
||||
- Ignore Unused Services: tutorials/ignore-unused-services.md
|
||||
- Scan Unused Services: tutorials/scan-unused-services.md
|
||||
- Pentesting: tutorials/pentesting.md
|
||||
- Parallel Execution: tutorials/parallel-execution.md
|
||||
- Developer Guide: developer-guide/introduction.md
|
||||
|
||||
@@ -48,7 +48,7 @@ class AwsProvider(Provider):
|
||||
_organizations_metadata: AWSOrganizationsInfo
|
||||
_audit_resources: list = []
|
||||
_audit_config: dict
|
||||
_ignore_unused_services: bool = False
|
||||
_scan_unused_services: bool = False
|
||||
_enabled_regions: set = set()
|
||||
_mutelist: dict = {}
|
||||
_output_options: AWSOutputOptions
|
||||
@@ -73,8 +73,8 @@ class AwsProvider(Provider):
|
||||
input_regions = getattr(arguments, "region", set())
|
||||
organizations_role_arn = getattr(arguments, "organizations_role", None)
|
||||
|
||||
# Set if unused services must be ignored
|
||||
ignore_unused_services = getattr(arguments, "ignore_unused_services", None)
|
||||
# Set if unused services must be scanned
|
||||
scan_unused_services = getattr(arguments, "scan_unused_services", None)
|
||||
########
|
||||
|
||||
######## AWS Session
|
||||
@@ -222,7 +222,7 @@ class AwsProvider(Provider):
|
||||
)
|
||||
|
||||
# Set ignore unused services
|
||||
self._ignore_unused_services = ignore_unused_services
|
||||
self._scan_unused_services = scan_unused_services
|
||||
|
||||
# Audit Config
|
||||
self._audit_config = {}
|
||||
@@ -252,8 +252,8 @@ class AwsProvider(Provider):
|
||||
return self._audit_resources
|
||||
|
||||
@property
|
||||
def ignore_unused_services(self):
|
||||
return self._ignore_unused_services
|
||||
def scan_unused_services(self):
|
||||
return self._scan_unused_services
|
||||
|
||||
@property
|
||||
def audit_config(self):
|
||||
|
||||
@@ -147,14 +147,14 @@ def init_parser(self):
|
||||
help="Set the maximum attemps for the Boto3 standard retrier config (Default: 3)",
|
||||
)
|
||||
|
||||
# Ignore Unused Services
|
||||
ignore_unused_services_subparser = aws_parser.add_argument_group(
|
||||
"Ignore Unused Services"
|
||||
# Scan Unused Services
|
||||
scan_unused_services_subparser = aws_parser.add_argument_group(
|
||||
"Scan Unused Services"
|
||||
)
|
||||
ignore_unused_services_subparser.add_argument(
|
||||
"--ignore-unused-services",
|
||||
scan_unused_services_subparser.add_argument(
|
||||
"--scan-unused-services",
|
||||
action="store_true",
|
||||
help="Ignore findings in unused services",
|
||||
help="Scan unused services",
|
||||
)
|
||||
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ class athena_workgroup_encryption(Check):
|
||||
# Only check for enabled and used workgroups (has recent queries)
|
||||
if (
|
||||
workgroup.state == "ENABLED" and workgroup.queries
|
||||
) or not athena_client.provider.ignore_unused_services:
|
||||
) or athena_client.provider.scan_unused_services:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = workgroup.region
|
||||
report.resource_id = workgroup.name
|
||||
|
||||
@@ -12,7 +12,7 @@ class athena_workgroup_enforce_configuration(Check):
|
||||
# Only check for enabled and used workgroups (has recent queries)
|
||||
if (
|
||||
workgroup.state == "ENABLED" and workgroup.queries
|
||||
) or not athena_client.provider.ignore_unused_services:
|
||||
) or athena_client.provider.scan_unused_services:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = workgroup.region
|
||||
report.resource_id = workgroup.name
|
||||
|
||||
@@ -50,7 +50,7 @@ class cloudtrail_s3_dataevents_read_enabled(Check):
|
||||
report.status_extended = f"Trail {trail.name} from home region {trail.home_region} has an advanced data event selector to record all S3 object-level API operations."
|
||||
findings.append(report)
|
||||
if not findings and (
|
||||
s3_client.buckets or not cloudtrail_client.provider.ignore_unused_services
|
||||
s3_client.buckets or cloudtrail_client.provider.scan_unused_services
|
||||
):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = cloudtrail_client.region
|
||||
|
||||
@@ -50,7 +50,7 @@ class cloudtrail_s3_dataevents_write_enabled(Check):
|
||||
report.status_extended = f"Trail {trail.name} from home region {trail.home_region} has an advanced data event selector to record all S3 object-level API operations."
|
||||
findings.append(report)
|
||||
if not findings and (
|
||||
s3_client.buckets or not cloudtrail_client.provider.ignore_unused_services
|
||||
s3_client.buckets or cloudtrail_client.provider.scan_unused_services
|
||||
):
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = cloudtrail_client.region
|
||||
|
||||
@@ -16,9 +16,7 @@ class ec2_ebs_default_encryption(Check):
|
||||
report.status = "PASS"
|
||||
report.status_extended = "EBS Default Encryption is activated."
|
||||
findings.append(report)
|
||||
elif (
|
||||
not ec2_client.provider.ignore_unused_services or ebs_encryption.volumes
|
||||
):
|
||||
elif ec2_client.provider.scan_unused_services or ebs_encryption.volumes:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = "EBS Default Encryption is not activated."
|
||||
findings.append(report)
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_networkacl_allow_ingress_any_port(Check):
|
||||
check_port = 0
|
||||
for network_acl in ec2_client.network_acls:
|
||||
if (
|
||||
not ec2_client.provider.ignore_unused_services
|
||||
ec2_client.provider.scan_unused_services
|
||||
or network_acl.region in ec2_client.regions_with_sgs
|
||||
):
|
||||
# If some entry allows it, that ACL is not securely configured
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check):
|
||||
check_port = 22
|
||||
for network_acl in ec2_client.network_acls:
|
||||
if (
|
||||
not ec2_client.provider.ignore_unused_services
|
||||
ec2_client.provider.scan_unused_services
|
||||
or network_acl.region in ec2_client.regions_with_sgs
|
||||
):
|
||||
# If some entry allows it, that ACL is not securely configured
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check):
|
||||
check_port = 3389
|
||||
for network_acl in ec2_client.network_acls:
|
||||
if (
|
||||
not ec2_client.provider.ignore_unused_services
|
||||
ec2_client.provider.scan_unused_services
|
||||
or network_acl.region in ec2_client.regions_with_sgs
|
||||
):
|
||||
# If some entry allows it, that ACL is not securely configured
|
||||
|
||||
@@ -8,7 +8,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check):
|
||||
findings = []
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018(
|
||||
check_ports = [27017, 27018]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21(Check)
|
||||
check_ports = [20, 21]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22(Check):
|
||||
check_ports = [22]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389(Check):
|
||||
check_ports = [3389]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -12,7 +12,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9
|
||||
check_ports = [7199, 9160, 8888]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -12,7 +12,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_ki
|
||||
check_ports = [9200, 9300, 5601]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092(Check
|
||||
check_ports = [9092]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211(
|
||||
check_ports = [11211]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306(Check
|
||||
check_ports = [3306]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483
|
||||
check_ports = [1521, 2483]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432(Ch
|
||||
check_ports = [5432]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379(Check
|
||||
check_ports = [6379]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -12,7 +12,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_
|
||||
check_ports = [1433, 1434]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -10,7 +10,7 @@ class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23(Check)
|
||||
check_ports = [23]
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -11,7 +11,7 @@ class ec2_securitygroup_allow_wide_open_public_ipv4(Check):
|
||||
cidr_treshold = 24
|
||||
for security_group in ec2_client.security_groups:
|
||||
# Check if ignoring flag is set and if the VPC and the SG is in use
|
||||
if not ec2_client.provider.ignore_unused_services or (
|
||||
if ec2_client.provider.scan_unused_services or (
|
||||
security_group.vpc_id in vpc_client.vpcs
|
||||
and vpc_client.vpcs[security_group.vpc_id].in_use
|
||||
and len(security_group.network_interfaces) > 0
|
||||
|
||||
@@ -7,7 +7,7 @@ class glue_data_catalogs_connection_passwords_encryption_enabled(Check):
|
||||
findings = []
|
||||
for encryption in glue_client.catalog_encryption_settings:
|
||||
# Check only if there are Glue Tables
|
||||
if encryption.tables or not glue_client.provider.ignore_unused_services:
|
||||
if encryption.tables or glue_client.provider.scan_unused_services:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.resource_id = glue_client.audited_account
|
||||
report.resource_arn = glue_client.__get_data_catalog_arn_template__(
|
||||
|
||||
@@ -7,7 +7,7 @@ class glue_data_catalogs_metadata_encryption_enabled(Check):
|
||||
findings = []
|
||||
for encryption in glue_client.catalog_encryption_settings:
|
||||
# Check only if there are Glue Tables
|
||||
if encryption.tables or not glue_client.provider.ignore_unused_services:
|
||||
if encryption.tables or glue_client.provider.scan_unused_services:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.resource_id = glue_client.audited_account
|
||||
report.resource_arn = glue_client.__get_data_catalog_arn_template__(
|
||||
|
||||
@@ -20,7 +20,7 @@ class inspector2_is_enabled(Check):
|
||||
report.status_extended = "Inspector2 is enabled."
|
||||
findings.append(report)
|
||||
else:
|
||||
if inspector2_client.provider.ignore_unused_services:
|
||||
if not inspector2_client.provider.scan_unused_services:
|
||||
funtions_in_region = False
|
||||
ec2_in_region = False
|
||||
for function in awslambda_client.functions.values():
|
||||
@@ -29,7 +29,7 @@ class inspector2_is_enabled(Check):
|
||||
for instance in ec2_client.instances:
|
||||
if instance == inspector.region:
|
||||
ec2_in_region = True
|
||||
if not inspector2_client.provider.ignore_unused_services or (
|
||||
if inspector2_client.provider.scan_unused_services or (
|
||||
funtions_in_region
|
||||
or ecr_client.registries[inspector.region].repositories
|
||||
or ec2_in_region
|
||||
|
||||
@@ -19,7 +19,7 @@ class macie_is_enabled(Check):
|
||||
findings.append(report)
|
||||
else:
|
||||
if (
|
||||
not macie_client.provider.ignore_unused_services
|
||||
macie_client.provider.scan_unused_services
|
||||
or session.region in s3_client.regions_with_buckets
|
||||
):
|
||||
if session.status == "PAUSED":
|
||||
|
||||
@@ -9,7 +9,7 @@ class networkfirewall_in_all_vpc(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for vpc in vpc_client.vpcs.values():
|
||||
if not vpc_client.provider.ignore_unused_services or vpc.in_use:
|
||||
if vpc_client.provider.scan_unused_services or vpc.in_use:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = vpc.region
|
||||
report.resource_id = vpc.id
|
||||
|
||||
@@ -18,7 +18,7 @@ class s3_account_level_public_access_blocks(Check):
|
||||
report.resource_id = s3control_client.audited_account
|
||||
report.resource_arn = s3_client.account_arn_template
|
||||
findings.append(report)
|
||||
elif s3_client.buckets or not s3_client.provider.ignore_unused_services:
|
||||
elif s3_client.buckets or s3_client.provider.scan_unused_services:
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"Block Public Access is not configured for the account {s3control_client.audited_account}."
|
||||
report.region = s3control_client.region
|
||||
|
||||
@@ -6,7 +6,7 @@ class vpc_flow_logs_enabled(Check):
|
||||
def execute(self):
|
||||
findings = []
|
||||
for vpc in vpc_client.vpcs.values():
|
||||
if not vpc_client.provider.ignore_unused_services or vpc.in_use:
|
||||
if vpc_client.provider.scan_unused_services or vpc.in_use:
|
||||
report = Check_Report_AWS(self.metadata())
|
||||
report.region = vpc.region
|
||||
report.resource_tags = vpc.tags
|
||||
|
||||
@@ -80,7 +80,7 @@ class Test_Parser:
|
||||
assert not parsed.output_bucket_no_assume
|
||||
assert not parsed.shodan
|
||||
assert not parsed.resource_tags
|
||||
assert not parsed.ignore_unused_services
|
||||
assert not parsed.scan_unused_services
|
||||
|
||||
def test_default_parser_no_arguments_azure(self):
|
||||
provider = "azure"
|
||||
@@ -1040,11 +1040,11 @@ class Test_Parser:
|
||||
parsed = self.parser.parse(command)
|
||||
assert parsed.aws_retries_max_attempts == int(max_retries)
|
||||
|
||||
def test_aws_parser_ignore_unused_services(self):
|
||||
argument = "--ignore-unused-services"
|
||||
def test_aws_parser_scan_unused_services(self):
|
||||
argument = "--scan-unused-services"
|
||||
command = [prowler_command, argument]
|
||||
parsed = self.parser.parse(command)
|
||||
assert parsed.ignore_unused_services
|
||||
assert parsed.scan_unused_services
|
||||
|
||||
def test_aws_parser_config_file(self):
|
||||
argument = "--config-file"
|
||||
|
||||
@@ -240,11 +240,11 @@ class TestAWSProvider:
|
||||
def test_aws_provider_default(self):
|
||||
arguments = Namespace()
|
||||
arguments.mfa = False
|
||||
arguments.ignore_unused_services = True
|
||||
arguments.scan_unused_services = True
|
||||
aws_provider = AwsProvider(arguments)
|
||||
|
||||
assert aws_provider.type == "aws"
|
||||
assert aws_provider.ignore_unused_services is True
|
||||
assert aws_provider.scan_unused_services is True
|
||||
assert aws_provider.audit_config == {}
|
||||
assert aws_provider.session.current_session.region_name == AWS_REGION_US_EAST_1
|
||||
|
||||
@@ -359,7 +359,7 @@ class TestAWSProvider:
|
||||
aws_provider = AwsProvider(arguments)
|
||||
|
||||
assert aws_provider.type == "aws"
|
||||
assert aws_provider.ignore_unused_services is None
|
||||
assert aws_provider.scan_unused_services is None
|
||||
assert aws_provider.audit_config == {}
|
||||
assert (
|
||||
aws_provider.session.current_session.region_name == AWS_REGION_US_EAST_1
|
||||
|
||||
@@ -51,7 +51,7 @@ class Test_athena_workgroup_encryption:
|
||||
from prowler.providers.aws.services.athena.athena_service import Athena
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
@@ -51,7 +51,7 @@ class Test_athena_workgroup_enforce_configuration:
|
||||
from prowler.providers.aws.services.athena.athena_service import Athena
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
@@ -71,7 +71,7 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
|
||||
from prowler.providers.aws.services.s3.s3_service import S3
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
@@ -105,7 +105,7 @@ class Test_cloudtrail_s3_dataevents_read_enabled:
|
||||
from prowler.providers.aws.services.s3.s3_service import S3
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
@@ -135,7 +135,7 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
|
||||
from prowler.providers.aws.services.s3.s3_service import S3
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
@@ -168,7 +168,7 @@ class Test_cloudtrail_s3_dataevents_write_enabled:
|
||||
from prowler.providers.aws.services.s3.s3_service import S3
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
@@ -121,7 +121,7 @@ class Test_ec2_ebs_default_encryption:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -151,7 +151,7 @@ class Test_ec2_ebs_default_encryption:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -203,7 +203,7 @@ class Test_ec2_networkacl_allow_ingress_any_port:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -245,7 +245,7 @@ class Test_ec2_networkacl_allow_ingress_any_port:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -205,7 +205,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_22:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -247,7 +247,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_22:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -205,7 +205,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_3389:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -247,7 +247,7 @@ class Test_ec2_networkacl_allow_ingress_tcp_port_3389:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -265,7 +265,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
|
||||
expected_checks=[
|
||||
"ec2_securitygroup_allow_ingress_from_internet_to_any_port"
|
||||
],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -308,7 +308,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_any_port:
|
||||
expected_checks=[
|
||||
"ec2_securitygroup_allow_ingress_from_internet_to_any_port"
|
||||
],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_2
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -192,7 +192,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -232,7 +232,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -59,7 +59,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -99,7 +99,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsear
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_1
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -264,7 +264,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -306,7 +306,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_54
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -243,7 +243,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
|
||||
AWS_REGION_EU_WEST_1,
|
||||
]
|
||||
)
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
@@ -281,7 +281,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379:
|
||||
from prowler.providers.aws.services.ec2.ec2_service import EC2
|
||||
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -193,7 +193,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
@@ -235,7 +235,7 @@ class Test_ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23:
|
||||
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1],
|
||||
ignore_unused_services=True,
|
||||
scan_unused_services=False,
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -91,7 +91,7 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled:
|
||||
glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
|
||||
return_value=glue_client.data_catalog_arn_template
|
||||
)
|
||||
glue_client.provider._ignore_unused_services = True
|
||||
glue_client.provider._scan_unused_services = False
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.glue.glue_service.Glue",
|
||||
glue_client,
|
||||
@@ -126,7 +126,7 @@ class Test_glue_data_catalogs_connection_passwords_encryption_enabled:
|
||||
glue_client.__get_data_catalog_arn_template__ = mock.MagicMock(
|
||||
return_value=glue_client.data_catalog_arn_template
|
||||
)
|
||||
glue_client.provider._ignore_unused_services = True
|
||||
glue_client.provider._scan_unused_services = False
|
||||
with mock.patch(
|
||||
"prowler.providers.aws.services.glue.glue_service.Glue",
|
||||
glue_client,
|
||||
|
||||
@@ -86,7 +86,7 @@ class Test_glue_data_catalogs_metadata_encryption_enabled:
|
||||
)
|
||||
]
|
||||
glue_client.audited_account = AWS_ACCOUNT_NUMBER
|
||||
glue_client.provider._ignore_unused_services = True
|
||||
glue_client.provider._scan_unused_services = False
|
||||
glue_client.audited_partition = AWS_COMMERCIAL_PARTITION
|
||||
glue_client.region = AWS_REGION_US_EAST_1
|
||||
glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
|
||||
@@ -121,7 +121,7 @@ class Test_glue_data_catalogs_metadata_encryption_enabled:
|
||||
)
|
||||
]
|
||||
glue_client.audited_account = AWS_ACCOUNT_NUMBER
|
||||
glue_client.provider._ignore_unused_services = True
|
||||
glue_client.provider._scan_unused_services = False
|
||||
glue_client.audited_partition = AWS_COMMERCIAL_PARTITION
|
||||
glue_client.region = AWS_REGION_US_EAST_1
|
||||
glue_client.data_catalog_arn_template = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog"
|
||||
|
||||
@@ -266,7 +266,7 @@ class Test_inspector2_active_findings_exist:
|
||||
ecr_client.provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
awslambda_client.aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
inspector2_client.aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
inspector2_client.provider._ignore_unused_services = True
|
||||
inspector2_client.provider._scan_unused_services = False
|
||||
inspector2_client.audited_account = AWS_ACCOUNT_NUMBER
|
||||
inspector2_client.audited_account_arn = (
|
||||
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"
|
||||
|
||||
@@ -141,7 +141,7 @@ class Test_macie_is_enabled:
|
||||
]
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
macie_client.provider._ignore_unused_services = True
|
||||
macie_client.provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
@@ -192,7 +192,7 @@ class Test_macie_is_enabled:
|
||||
macie_client.__get_session_arn_template__ = mock.MagicMock(
|
||||
return_value=macie_client.session_arn_template
|
||||
)
|
||||
macie_client.provider._ignore_unused_services = True
|
||||
macie_client.provider._scan_unused_services = False
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
|
||||
with mock.patch(
|
||||
|
||||
@@ -437,7 +437,7 @@ class Test_networkfirewall_in_all_vpc:
|
||||
}
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
|
||||
vpc_client.provider._ignore_unused_services = True
|
||||
vpc_client.provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
@@ -502,7 +502,7 @@ class Test_networkfirewall_in_all_vpc:
|
||||
}
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
|
||||
vpc_client.provider._ignore_unused_services = True
|
||||
vpc_client.provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
@@ -127,7 +127,7 @@ class Test_s3_account_level_public_access_blocks:
|
||||
from prowler.providers.aws.services.s3.s3_service import S3, S3Control
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
@@ -145,7 +145,7 @@ class Test_vpc_flow_logs_enabled:
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
|
||||
)
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
@@ -177,7 +177,7 @@ class Test_vpc_flow_logs_enabled:
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_US_EAST_1, AWS_REGION_EU_WEST_1]
|
||||
)
|
||||
aws_provider._ignore_unused_services = True
|
||||
aws_provider._scan_unused_services = False
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
@@ -58,7 +58,7 @@ def set_mocked_aws_provider(
|
||||
expected_checks: list[str] = [],
|
||||
profile_region: str = None,
|
||||
audit_config: dict = {},
|
||||
ignore_unused_services: bool = False,
|
||||
scan_unused_services: bool = True,
|
||||
audit_session: session.Session = session.Session(
|
||||
profile_name=None,
|
||||
botocore_session=None,
|
||||
@@ -96,7 +96,7 @@ def set_mocked_aws_provider(
|
||||
provider._identity.profile_region = profile_region
|
||||
provider._identity.audited_regions = audited_regions
|
||||
# Mock Configiration
|
||||
provider._ignore_unused_services = ignore_unused_services
|
||||
provider._scan_unused_services = scan_unused_services
|
||||
provider._enabled_regions = (
|
||||
enabled_regions if enabled_regions else set(audited_regions)
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user