fix(aws): always use audited partition (#5177)

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Co-authored-by: Sergio <sergio@prowler.com>

prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py

@@ -28,7 +28,8 @@ class awslambda_function_invoke_api_operations_cloudtrail_logging_enabled(Check)
                             for resource in data_event.event_selector["DataResources"]:
                                 if resource["Type"] == "AWS::Lambda::Function" and (
                                     function.arn in resource["Values"]
-                                    or "arn:aws:lambda" in resource["Values"]
+                                    or f"arn:{awslambda_client.audited_partition}:lambda"
+                                    in resource["Values"]
                                 ):
                                     lambda_recorded_cloudtrail = True
                                     break

prowler/providers/aws/services/ec2/ec2_service.py

@@ -466,7 +466,7 @@ class EC2(AWSService):
 
             for page in describe_launch_templates_paginator.paginate():
                 for template in page["LaunchTemplates"]:
-                    template_arn = f"arn:aws:ec2:{regional_client.region}:{self.audited_account}:launch-template/{template['LaunchTemplateId']}"
+                    template_arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:launch-template/{template['LaunchTemplateId']}"
                     if not self.audit_resources or (
                         is_resource_filtered(template_arn, self.audit_resources)
                     ):

prowler/providers/aws/services/eventbridge/eventbridge_service.py

@@ -107,7 +107,7 @@ class Schema(AWSService):
             for registry in regional_client.list_registries()["Registries"]:
                 registry_arn = registry.get(
                     "RegistryArn",
-                    f"arn:aws:schemas:{regional_client.region}:{self.audited_account}:registry/{registry.get('RegistryName', '')}",
+                    f"arn:{self.audited_partition}:schemas:{regional_client.region}:{self.audited_account}:registry/{registry.get('RegistryName', '')}",
                 )
                 if not self.audit_resources or (
                     is_resource_filtered(registry_arn, self.audit_resources)

prowler/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa.py

@@ -22,7 +22,7 @@ class iam_administrator_access_with_mfa(Check):
                 for group_policy in group.attached_policies:
                     if (
                         group_policy["PolicyArn"]
-                        == "arn:aws:iam::aws:policy/AdministratorAccess"
+                        == f"arn:{iam_client.audited_partition}:iam::aws:policy/AdministratorAccess"
                     ):
                         # users in group are Administrators
                         if group.users:

prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py

@@ -9,7 +9,9 @@ class iam_securityaudit_role_created(Check):
             report = Check_Report_AWS(self.metadata())
             report.region = iam_client.region
             report.resource_id = "SecurityAudit"
-            report.resource_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+            report.resource_arn = (
+                f"arn:{iam_client.audited_partition}:iam::aws:policy/SecurityAudit"
+            )
             if iam_client.entities_role_attached_to_securityaudit_policy:
                 report.status = "PASS"
                 report.status_extended = f"SecurityAudit policy attached to role {iam_client.entities_role_attached_to_securityaudit_policy[0]['RoleName']}."

prowler/providers/aws/services/iam/iam_service.py

@@ -69,13 +69,13 @@ class IAM(AWSService):
         self.__list_attached_role_policies__()
         self.__list_mfa_devices__()
         self.password_policy = self.__get_password_policy__()
-        support_policy_arn = (
-            "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
-        )
+        support_policy_arn = f"arn:{self.audited_partition}:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
         self.entities_role_attached_to_support_policy = (
             self.__list_entities_role_for_policy__(support_policy_arn)
         )
-        securityaudit_policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+        securityaudit_policy_arn = (
+            f"arn:{self.audited_partition}:iam::aws:policy/SecurityAudit"
+        )
         self.entities_role_attached_to_securityaudit_policy = (
             self.__list_entities_role_for_policy__(securityaudit_policy_arn)
         )

prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py

@@ -9,9 +9,7 @@ class iam_support_role_created(Check):
             report = Check_Report_AWS(self.metadata())
             report.region = iam_client.region
             report.resource_id = "AWSSupportServiceRolePolicy"
-            report.resource_arn = (
-                "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
-            )
+            report.resource_arn = f"arn:{iam_client.audited_partition}:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"
             if iam_client.entities_role_attached_to_support_policy:
                 report.status = "PASS"
                 report.status_extended = f"Support policy attached to role {iam_client.entities_role_attached_to_support_policy[0]['RoleName']}."