test(s3_bucket_server_access_logging_enabled): Add multi-bucket test (#9716)

Co-authored-by: pedrooot <pedromarting3@gmail.com>
2026-01-25 02:08:11 +00:00 · 2026-01-05 11:34:57 +01:00
parent 9ad2e1ef98
commit 4169611a6a
1 changed files with 112 additions and 0 deletions
--- a/tests/providers/aws/services/s3/s3_bucket_server_access_logging_enabled/s3_bucket_server_access_logging_enabled_test.py
+++ b/tests/providers/aws/services/s3/s3_bucket_server_access_logging_enabled/s3_bucket_server_access_logging_enabled_test.py
@@ -137,3 +137,115 @@ class Test_s3_bucket_server_access_logging_enabled:
                    result[0].resource_arn
                    == f"arn:{aws_provider.identity.partition}:s3:::{bucket_name_us}"
                )
+
+    @mock_aws
+    def test_multiple_buckets_mixed_logging(self):
+        s3_client_us_east_1 = client("s3", region_name=AWS_REGION_US_EAST_1)
+
+        bucket_fail = "bucket_test_no_logging"
+        bucket_pass = "bucket_test_with_logging"
+
+        # Create two buckets
+        s3_client_us_east_1.create_bucket(Bucket=bucket_fail)
+        s3_client_us_east_1.create_bucket(Bucket=bucket_pass)
+
+        # Enable logging on the PASS bucket (same pattern as existing test)
+        bucket_owner = s3_client_us_east_1.get_bucket_acl(Bucket=bucket_pass)["Owner"]
+        s3_client_us_east_1.put_bucket_acl(
+            Bucket=bucket_pass,
+            AccessControlPolicy={
+                "Grants": [
+                    {
+                        "Grantee": {
+                            "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
+                            "Type": "Group",
+                        },
+                        "Permission": "WRITE",
+                    },
+                    {
+                        "Grantee": {
+                            "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery",
+                            "Type": "Group",
+                        },
+                        "Permission": "READ_ACP",
+                    },
+                    {
+                        "Grantee": {"Type": "CanonicalUser", "ID": bucket_owner["ID"]},
+                        "Permission": "FULL_CONTROL",
+                    },
+                ],
+                "Owner": bucket_owner,
+            },
+        )
+
+        s3_client_us_east_1.put_bucket_logging(
+            Bucket=bucket_pass,
+            BucketLoggingStatus={
+                "LoggingEnabled": {
+                    "TargetBucket": bucket_pass,
+                    "TargetPrefix": f"{bucket_pass}/",
+                    "TargetGrants": [
+                        {
+                            "Grantee": {
+                                "ID": "SOMEIDSTRINGHERE9238748923734823917498237489237409123840983274",
+                                "Type": "CanonicalUser",
+                            },
+                            "Permission": "READ",
+                        },
+                        {
+                            "Grantee": {
+                                "ID": "SOMEIDSTRINGHERE9238748923734823917498237489237409123840983274",
+                                "Type": "CanonicalUser",
+                            },
+                            "Permission": "WRITE",
+                        },
+                    ],
+                }
+            },
+        )
+
+        from prowler.providers.aws.services.s3.s3_service import S3
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ):
+            with mock.patch(
+                "prowler.providers.aws.services.s3.s3_bucket_server_access_logging_enabled.s3_bucket_server_access_logging_enabled.s3_client",
+                new=S3(aws_provider),
+            ):
+                from prowler.providers.aws.services.s3.s3_bucket_server_access_logging_enabled.s3_bucket_server_access_logging_enabled import (
+                    s3_bucket_server_access_logging_enabled,
+                )
+
+                check = s3_bucket_server_access_logging_enabled()
+                result = check.execute()
+
+                # Two buckets -> two findings
+                assert len(result) == 2
+
+                # Make assertions order-independent
+                by_id = {finding.resource_id: finding for finding in result}
+
+                assert by_id[bucket_fail].status == "FAIL"
+                assert (
+                    by_id[bucket_fail].status_extended
+                    == f"S3 Bucket {bucket_fail} has server access logging disabled."
+                )
+
+                assert by_id[bucket_pass].status == "PASS"
+                assert (
+                    by_id[bucket_pass].status_extended
+                    == f"S3 Bucket {bucket_pass} has server access logging enabled."
+                )
+
+                assert (
+                    by_id[bucket_fail].resource_arn
+                    == f"arn:{aws_provider.identity.partition}:s3:::{bucket_fail}"
+                )
+                assert (
+                    by_id[bucket_pass].resource_arn
+                    == f"arn:{aws_provider.identity.partition}:s3:::{bucket_pass}"
+                )