fix(kafka): false positives in kafka_cluster_is_public check (#8514)

2026-01-25 02:08:11 +00:00 · 2025-08-13 09:05:09 +02:00
parent d9f3a6b88e
commit f5b1532647
3 changed files with 8 additions and 7 deletions
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -23,6 +23,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Validation errors in Azure and M365 providers [(#8353)](https://github.com/prowler-cloud/prowler/pull/8353)
 - Azure `app_http_logs_enabled` check false positives [(#8507)](https://github.com/prowler-cloud/prowler/pull/8507)
 - Azure `storage_geo_redundant_enabled` check false positives [(#8504)](https://github.com/prowler-cloud/prowler/pull/8504)
+- AWS `kafka_cluster_is_public` check false positives [(#8514)](https://github.com/prowler-cloud/prowler/pull/8514)

 ---

--- a/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.py
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.py
@@ -10,13 +10,13 @@ class kafka_cluster_is_public(Check):
            report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
            report.status = "FAIL"
            report.status_extended = (
-                f"Kafka cluster '{cluster.name}' is publicly accessible."
+                f"Kafka cluster {cluster.name} is publicly accessible."
            )

-            if cluster.public_access:
+            if not cluster.public_access:
                report.status = "PASS"
                report.status_extended = (
-                    f"Kafka cluster '{cluster.name}' is not publicly accessible."
+                    f"Kafka cluster {cluster.name} is not publicly accessible."
                )

            findings.append(report)
--- a/tests/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public_test.py
+++ b/tests/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public_test.py
@@ -72,10 +72,10 @@ class Test_kafka_cluster_is_public:
            result = check.execute()

            assert len(result) == 1
-            assert result[0].status == "FAIL"
+            assert result[0].status == "PASS"
            assert (
                result[0].status_extended
-                == "Kafka cluster 'demo-cluster-1' is publicly accessible."
+                == "Kafka cluster demo-cluster-1 is not publicly accessible."
            )
            assert (
                result[0].resource_arn
@@ -126,10 +126,10 @@ class Test_kafka_cluster_is_public:
            result = check.execute()

            assert len(result) == 1
-            assert result[0].status == "PASS"
+            assert result[0].status == "FAIL"
            assert (
                result[0].status_extended
-                == "Kafka cluster 'demo-cluster-1' is not publicly accessible."
+                == "Kafka cluster demo-cluster-1 is publicly accessible."
            )
            assert (
                result[0].resource_arn