From e050f44d6399dee7704f3754207f7f28241b67ae Mon Sep 17 00:00:00 2001 From: cetteup <17167062+cetteup@users.noreply.github.com> Date: Wed, 31 Jul 2024 13:25:53 +0200 Subject: [PATCH] fix(aws): Pass backup retention check if retention period is equal to minimum (#4593) --- .../documentdb_cluster_backup_enabled.py | 2 +- .../neptune_cluster_backup_enabled.py | 2 +- .../documentdb_cluster_backup_enabled_test.py | 38 +++++++++++++ .../neptune_cluster_backup_enabled_test.py | 55 +++++++++++++++++++ 4 files changed, 95 insertions(+), 2 deletions(-) diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py index 381a8ec3da..76f5a620c5 100644 --- a/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py +++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py @@ -17,7 +17,7 @@ class documentdb_cluster_backup_enabled(Check): report.status_extended = ( f"DocumentDB Cluster {cluster.id} does not have backup enabled." ) - if cluster.backup_retention_period > documentdb_client.audit_config.get( + if cluster.backup_retention_period >= documentdb_client.audit_config.get( "minimum_backup_retention_period", 7 ): report.status = "PASS" diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py b/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py index 97da535f98..206eacd30f 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py +++ b/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py 
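Review bot: With the comparison now `>=`, every cluster that reaches the FAIL branch with a retention shorter than the minimum is still reported with the context-line text `does not have backup enabled`, which is wrong whenever backups are enabled but kept for fewer days than required; the finding text should state the actual retention and the threshold. Read the threshold once, `minimum = documentdb_client.audit_config.get("minimum_backup_retention_period", 7)`, compare with `cluster.backup_retention_period >= minimum`, and make the FAIL text `f"DocumentDB Cluster {cluster.id} has backup retention period {cluster.backup_retention_period} days, below the required minimum of {minimum} days."`. If `minimum_backup_retention_period` can arrive from the audit-config file as a string (not visible here), the `>=` on the added line raises `TypeError` instead of producing a finding, so coercing the configured value with `int(...)` at that read would be prudent. The enclosing `execute` loop starts before and ends after this hunk.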
@@ -15,7 +15,7 @@ class neptune_cluster_backup_enabled(Check): report.status_extended = ( f"Neptune Cluster {cluster.name} does not have backup enabled." ) - if cluster.backup_retention_period > neptune_client.audit_config.get( + if cluster.backup_retention_period >= neptune_client.audit_config.get( "minimum_backup_retention_period", 7 ): report.status = "PASS" diff --git a/tests/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled_test.py b/tests/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled_test.py index b69a1c03fe..61e59acc22 100644 --- a/tests/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled_test.py +++ b/tests/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled_test.py 
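Review bot: The FAIL branch above the changed comparison still emits `does not have backup enabled`, yet after this change a cluster lands there whenever its retention is merely below the minimum, so the finding misdescribes the misconfiguration an operator has to fix. Bind the threshold once, `minimum = neptune_client.audit_config.get("minimum_backup_retention_period", 7)`, compare with `cluster.backup_retention_period >= minimum`, and set the FAIL text to `f"Neptune Cluster {cluster.name} has backup retention period {cluster.backup_retention_period} days, below the required minimum of {minimum} days."`. The literal default `7` is now repeated verbatim in the DocumentDB check in this same patch; a shared constant or a single documented config default would keep the two checks from drifting apart. The enclosing `execute` loop starts before and ends after this hunk.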
@@ -108,6 +108,44 @@ class Test_documentdb_cluster_backup_enabled: assert result[0].resource_id == DOC_DB_CLUSTER_NAME assert result[0].resource_arn == DOC_DB_CLUSTER_ARN + def test_documentdb_cluster_with_backup_equal_to_recommended(self): + documentdb_client = mock.MagicMock + documentdb_client.db_clusters = { + DOC_DB_CLUSTER_ARN: DBCluster( + id=DOC_DB_CLUSTER_NAME, + arn=DOC_DB_CLUSTER_ARN, + engine="docdb", + status="available", + backup_retention_period=7, + encrypted=True, + cloudwatch_logs=[], + multi_az=True, + parameter_group="default.docdb3.6", + deletion_protection=True, + region=AWS_REGION, + tags=[], + ) + } + documentdb_client.audit_config = {"minimum_backup_retention_period": 7} + with mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", + new=documentdb_client, + ): + from prowler.providers.aws.services.documentdb.documentdb_cluster_backup_enabled.documentdb_cluster_backup_enabled import ( + documentdb_cluster_backup_enabled, + ) + + check = documentdb_cluster_backup_enabled() + result = check.execute() + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"DocumentDB Cluster {DOC_DB_CLUSTER_NAME} has backup enabled with retention period 7 days." + ) + assert result[0].region == AWS_REGION + assert result[0].resource_id == DOC_DB_CLUSTER_NAME + assert result[0].resource_arn == DOC_DB_CLUSTER_ARN + def test_documentdb_cluster_with_backup(self): documentdb_client = mock.MagicMock documentdb_client.db_clusters = { diff --git a/tests/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled_test.py b/tests/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled_test.py index 489a48b1a0..50c495d075 100644 --- a/tests/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled_test.py 
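Review bot: The new test pins only the `7 >= 7` side of the boundary; a sibling case with `backup_retention_period=6` and the same `{"minimum_backup_retention_period": 7}` asserting `result[0].status == "FAIL"` is what actually guards the fix against the comparison being loosened later. Separately, `documentdb_client = mock.MagicMock` (no parentheses) assigns `db_clusters` and `audit_config` onto the `MagicMock` class itself, so those attributes leak into every other test in the session instead of living on a per-test instance; `documentdb_client = mock.MagicMock()` isolates the fixture. The existing test below uses the same class-level pattern, so this is an inherited convention rather than something this commit introduced, but the new test is a good place to stop copying it.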
+++ b/tests/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled_test.py 
@@ -169,6 +169,61 @@ class Test_neptune_cluster_backup_enabled: ) assert result[0].resource_tags == [] + @mock_aws + def test_neptune_cluster_with_backup_equal_to_recommended(self): + conn = client("neptune", region_name=AWS_REGION_US_EAST_1) + conn.create_db_parameter_group( + DBParameterGroupName="test", + DBParameterGroupFamily="default.neptune", + Description="test parameter group", + ) + conn.create_db_cluster( + DBClusterIdentifier="db-cluster-1", + Engine="neptune", + DatabaseName="test-1", + DeletionProtection=True, + DBClusterParameterGroupName="test", + MasterUsername="test", + MasterUserPassword="password", + EnableIAMDatabaseAuthentication=True, + BackupRetentionPeriod=7, + StorageEncrypted=True, + Tags=[], + ) + from prowler.providers.aws.services.neptune.neptune_service import Neptune + + aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.neptune.neptune_cluster_backup_enabled.neptune_cluster_backup_enabled.neptune_client", + new=Neptune(aws_provider), + ): + # Test Check + from prowler.providers.aws.services.neptune.neptune_cluster_backup_enabled.neptune_cluster_backup_enabled import ( + neptune_cluster_backup_enabled, + ) + + check = neptune_cluster_backup_enabled() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "Neptune Cluster db-cluster-1 has backup enabled with retention period 7 days." + ) + assert result[0].resource_id == "db-cluster-1" + assert result[0].region == AWS_REGION_US_EAST_1 + assert ( + result[0].resource_arn + == f"arn:aws:rds:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:cluster:db-cluster-1" + ) + assert result[0].resource_tags == [] + @mock_aws def test_neptune_cluster_with_backup(self): conn = client("neptune", region_name=AWS_REGION_US_EAST_1)
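Review bot: This test never sets `minimum_backup_retention_period`, so it relies on the check's hard-coded default of 7 and would pass for the wrong reason if the mocked provider's audit config already carries a different value or the default is later changed; the DocumentDB test in this same patch sets `audit_config = {"minimum_backup_retention_period": 7}` explicitly and this one should do the equivalent on the mocked provider (the exact attribute on `set_mocked_aws_provider` is not visible here). A companion case creating the cluster with `BackupRetentionPeriod=6` and asserting `result[0].status == "FAIL"` would pin the lower side of the boundary the commit is fixing, which the equality case alone does not.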