feat(aws): Add new S3 check for public access block configuration in access points (#4608)
committed by
GitHub
parent
6c029a9d7d
commit
5ce54e5605
@@ -1,5 +1,7 @@
|
||||
import json
|
||||
from unittest.mock import patch
|
||||
|
||||
import botocore
|
||||
from boto3 import client
|
||||
from moto import mock_aws
|
||||
|
||||
@@ -10,9 +12,27 @@ from tests.providers.aws.utils import (
|
||||
set_mocked_aws_provider,
|
||||
)
|
||||
|
||||
# Original botocore _make_api_call function
|
||||
orig = botocore.client.BaseClient._make_api_call
|
||||
|
||||
|
||||
# Mocked botocore _make_api_call function
|
||||
def mock_make_api_call(self, operation_name, kwarg):
|
||||
if operation_name == "ListAccessPoints":
|
||||
return {
|
||||
"AccessPointList": [
|
||||
{
|
||||
"Name": "test-access-point",
|
||||
"Bucket": "test-bucket",
|
||||
"AccessPointArn": f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:accesspoint/test-access-point",
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
return orig(self, operation_name, kwarg)
|
||||
|
||||
|
||||
class Test_S3_Service:
|
||||
|
||||
# Test S3 Service
|
||||
@mock_aws
|
||||
def test_service(self):
|
||||
@@ -47,7 +67,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 List Buckets
|
||||
@mock_aws
|
||||
def test__list_buckets__(self):
|
||||
def test_list_buckets(self):
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3")
|
||||
# Create S3 Bucket
|
||||
@@ -68,7 +88,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Bucket Versioning
|
||||
@mock_aws
|
||||
def test__get_bucket_versioning__(self):
|
||||
def test_get_bucket_versioning(self):
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3")
|
||||
# Create S3 Bucket
|
||||
@@ -92,7 +112,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Bucket ACL
|
||||
@mock_aws
|
||||
def test__get_bucket_acl__(self):
|
||||
def test_get_bucket_acl(self):
|
||||
s3_client = client("s3")
|
||||
bucket_name = "test-bucket"
|
||||
s3_client.create_bucket(Bucket=bucket_name)
|
||||
@@ -131,7 +151,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Bucket Logging
|
||||
@mock_aws
|
||||
def test__get_bucket_logging__(self):
|
||||
def test_get_bucket_logging(self):
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3")
|
||||
# Create S3 Bucket
|
||||
@@ -205,7 +225,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Bucket Policy
|
||||
@mock_aws
|
||||
def test__get_bucket_policy__(self):
|
||||
def test_get_bucket_policy(self):
|
||||
s3_client = client("s3")
|
||||
bucket_name = "test-bucket"
|
||||
s3_client.create_bucket(Bucket=bucket_name)
|
||||
@@ -226,7 +246,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Bucket Encryption
|
||||
@mock_aws
|
||||
def test__get_bucket_encryption__(self):
|
||||
def test_get_bucket_encryption(self):
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3")
|
||||
# Create S3 Bucket
|
||||
@@ -259,7 +279,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Bucket Ownership Controls
|
||||
@mock_aws
|
||||
def test__get_bucket_ownership_controls__(self):
|
||||
def test_get_bucket_ownership_controls(self):
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3")
|
||||
# Create S3 Bucket
|
||||
@@ -281,7 +301,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Public Access Block
|
||||
@mock_aws
|
||||
def test__get_public_access_block__(self):
|
||||
def test_get_public_access_block(self):
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3")
|
||||
# Create S3 Bucket
|
||||
@@ -314,7 +334,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Bucket Tagging
|
||||
@mock_aws
|
||||
def test__get_bucket_tagging__(self):
|
||||
def test_get_bucket_tagging(self):
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3")
|
||||
# Create S3 Bucket
|
||||
@@ -339,7 +359,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Control Account Get Public Access Block
|
||||
@mock_aws
|
||||
def test__get_public_access_block__s3_control(self):
|
||||
def test_get_public_access_blocks3_control(self):
|
||||
# Generate S3Control Client
|
||||
s3control_client = client("s3control", region_name=AWS_REGION_US_EAST_1)
|
||||
s3control_client.put_public_access_block(
|
||||
@@ -361,7 +381,7 @@ class Test_S3_Service:
|
||||
|
||||
# Test S3 Get Bucket Object Lock
|
||||
@mock_aws
|
||||
def test__get_object_lock_configuration__(self):
|
||||
def test_get_object_lock_configuration(self):
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3")
|
||||
# Create S3 Bucket
|
||||
@@ -382,3 +402,108 @@ class Test_S3_Service:
|
||||
== f"arn:{aws_provider.identity.partition}:s3:::{bucket_name}"
|
||||
)
|
||||
assert s3.buckets[0].object_lock
|
||||
|
||||
# Test S3 List Access Points
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
@mock_aws
|
||||
def test_list_access_points(self):
|
||||
arn = f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:accesspoint/test-access-point"
|
||||
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3", region_name=AWS_REGION_US_EAST_1)
|
||||
|
||||
# Generate Bucket
|
||||
s3_client.create_bucket(
|
||||
Bucket="test-bucket", ObjectOwnership="BucketOwnerEnforced"
|
||||
)
|
||||
sse_config = {
|
||||
"Rules": [
|
||||
{
|
||||
"ApplyServerSideEncryptionByDefault": {
|
||||
"SSEAlgorithm": "AES256",
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
s3_client.put_bucket_encryption(
|
||||
Bucket="test-bucket", ServerSideEncryptionConfiguration=sse_config
|
||||
)
|
||||
|
||||
# Generate S3Control Client
|
||||
s3control_client = client("s3control", region_name=AWS_REGION_US_EAST_1)
|
||||
|
||||
s3control_client.create_access_point(
|
||||
AccountId=AWS_ACCOUNT_NUMBER,
|
||||
Name="test-access-point",
|
||||
Bucket="test-bucket",
|
||||
PublicAccessBlockConfiguration={
|
||||
"BlockPublicAcls": True,
|
||||
"IgnorePublicAcls": True,
|
||||
"BlockPublicPolicy": True,
|
||||
"RestrictPublicBuckets": True,
|
||||
},
|
||||
)
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
|
||||
s3control = S3Control(aws_provider)
|
||||
|
||||
assert len(s3control.access_points) == 1
|
||||
assert s3control.access_points[arn].account_id == AWS_ACCOUNT_NUMBER
|
||||
assert s3control.access_points[arn].name == "test-access-point"
|
||||
assert s3control.access_points[arn].bucket == "test-bucket"
|
||||
assert s3control.access_points[arn].region == AWS_REGION_US_EAST_1
|
||||
|
||||
# Test S3 Get Access Point
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
@mock_aws
|
||||
def test_get_access_point(self):
|
||||
arn = f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:accesspoint/test-access-point"
|
||||
|
||||
# Generate S3 Client
|
||||
s3_client = client("s3", region_name=AWS_REGION_US_EAST_1)
|
||||
|
||||
# Generate Bucket
|
||||
s3_client.create_bucket(
|
||||
Bucket="test-bucket", ObjectOwnership="BucketOwnerEnforced"
|
||||
)
|
||||
sse_config = {
|
||||
"Rules": [
|
||||
{
|
||||
"ApplyServerSideEncryptionByDefault": {
|
||||
"SSEAlgorithm": "AES256",
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
s3_client.put_bucket_encryption(
|
||||
Bucket="test-bucket", ServerSideEncryptionConfiguration=sse_config
|
||||
)
|
||||
|
||||
# Generate S3Control Client
|
||||
s3control_client = client("s3control", region_name=AWS_REGION_US_EAST_1)
|
||||
|
||||
s3control_client.create_access_point(
|
||||
AccountId=AWS_ACCOUNT_NUMBER,
|
||||
Name="test-access-point",
|
||||
Bucket="test-bucket",
|
||||
PublicAccessBlockConfiguration={
|
||||
"BlockPublicAcls": True,
|
||||
"IgnorePublicAcls": True,
|
||||
"BlockPublicPolicy": True,
|
||||
"RestrictPublicBuckets": True,
|
||||
},
|
||||
)
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
|
||||
s3control = S3Control(aws_provider)
|
||||
|
||||
assert len(s3control.access_points) == 1
|
||||
assert s3control.access_points[arn].account_id == AWS_ACCOUNT_NUMBER
|
||||
assert s3control.access_points[arn].name == "test-access-point"
|
||||
assert s3control.access_points[arn].bucket == "test-bucket"
|
||||
assert s3control.access_points[arn].region == AWS_REGION_US_EAST_1
|
||||
assert s3control.access_points[arn].public_access_block
|
||||
assert s3control.access_points[arn].public_access_block.block_public_acls
|
||||
assert s3control.access_points[arn].public_access_block.ignore_public_acls
|
||||
assert s3control.access_points[arn].public_access_block.block_public_policy
|
||||
assert s3control.access_points[arn].public_access_block.restrict_public_buckets
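Review bot: test_get_access_point only exercises the all-True configuration, so a model that defaulted the public_access_block fields to True, or mapped them to the wrong attribute, would still pass; a second case that creates the access point without `PublicAccessBlockConfiguration`, or with one field False, and asserts the matching attribute is falsy would pin the behavior the new check relies on. Both new tests also repeat roughly forty identical lines of bucket, encryption and access-point setup; a module-level helper such as `def _create_test_access_point(public_access_block=None):` returning the s3control client would leave each test with only its assertions. Separately, the rename in the S3 Control public-access-block hunk dropped an underscore; `def test_get_public_access_block_s3_control(self):` matches the naming of the other renamed tests.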
|
||||
|
||||