feat(aws): include resource metadata in services from d* to e* (#6532)

Co-authored-by: Sergio Garcia <hello@mistercloudsec.com>
HugoPBrito and MrCloudSec authored Jan 15, 2025
1 parent 74a90aa commit ee87f26
Showing 177 changed files with 517 additions and 593 deletions.
Expand Up @@ -22,7 +22,7 @@ def execute(self) -> List[Check_Report_AWS]:
"""
findings = []
for task in datasync_client.tasks.values():
report = Check_Report_AWS(self.metadata(), task)
report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=task)
report.status = "PASS"
report.status_extended = f"DataSync task {task.name} has logging enabled."

Expand Up @@ -18,7 +18,9 @@ def execute(self):
regions[conn.region]["Locations"].add(conn.location)

for region, connections in regions.items():
report = Check_Report_AWS(self.metadata())
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=connections
)
report.region = region
report.resource_arn = directconnect_client._get_connection_arn_template(
region
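Review bot: `resource_metadata=connections` in the new constructor call passes the per-region aggregate dict built at line 30 (`regions[conn.region]["Locations"]`), not a resource model, so the constructor presumably cannot derive resource_id, resource_arn or tags from it — confirm that Check_Report_AWS tolerates a plain dict here. The explicit `report.region = region` and `report.resource_arn = ...` assignments that follow are still what populate the report, so a short comment such as `# connections is a per-region aggregate; region/arn are set explicitly below` would make the intent clear. execute's body starts and ends outside the hunk.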
Expand Up @@ -27,10 +27,7 @@ def execute(self):
findings.append(report)

for dxgw in directconnect_client.dxgws.values():
report = Check_Report_AWS(self.metadata())
report.region = dxgw.region
report.resource_arn = dxgw.arn
report.resource_id = dxgw.id
report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=dxgw)
if len(dxgw.vifs) < 2:
report.status = "FAIL"
report.status_extended = (
Expand Up @@ -8,11 +8,9 @@ class directoryservice_directory_log_forwarding_enabled(Check):
def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
report = Check_Report_AWS(self.metadata())
report.region = directory.region
report.resource_id = directory.id
report.resource_arn = directory.arn
report.resource_tags = directory.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=directory
)
if directory.log_subscriptions:
report.status = "PASS"
report.status_extended = f"Directory Service {directory.id} have log forwarding to CloudWatch enabled."
Expand Up @@ -8,11 +8,9 @@ class directoryservice_directory_monitor_notifications(Check):
def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
report = Check_Report_AWS(self.metadata())
report.region = directory.region
report.resource_id = directory.id
report.resource_arn = directory.arn
report.resource_tags = directory.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=directory
)
if directory.event_topics:
report.status = "PASS"
report.status_extended = (
Expand Up @@ -11,11 +11,9 @@ class directoryservice_directory_snapshots_limit(Check):
def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
report = Check_Report_AWS(self.metadata())
report.region = directory.region
report.resource_id = directory.id
report.resource_arn = directory.arn
report.resource_tags = directory.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=directory
)
if directory.snapshots_limits:
if directory.snapshots_limits.manual_snapshots_limit_reached:
report.status = "FAIL"
Expand Up @@ -14,11 +14,10 @@ def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
for certificate in directory.certificates:
report = Check_Report_AWS(self.metadata())
report.region = directory.region
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=directory
)
report.resource_id = certificate.id
report.resource_arn = directory.arn
report.resource_tags = directory.tags

remaining_days_to_expire = (
certificate.expiry_date_time
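Review bot: `report.resource_arn = directory.arn` and `report.resource_tags = directory.tags` (lines 117-118) appear to restate what `resource_metadata=directory` now supplies, while the sibling directoryservice hunks in this commit drop exactly those assignments; only `report.resource_id = certificate.id` is a deliberate override. Keep that line alone with a comment, `# one finding per certificate: override the directory-derived resource_id`, and drop the two redundant assignments — unless the constructor does not actually derive arn/tags from the model, which is worth confirming since it is not visible here. execute's body continues outside the hunk.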
Expand Up @@ -12,11 +12,9 @@ def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
if directory.radius_settings:
report = Check_Report_AWS(self.metadata())
report.region = directory.region
report.resource_id = directory.id
report.resource_arn = directory.arn
report.resource_tags = directory.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=directory
)
if (
directory.radius_settings.authentication_protocol
== AuthenticationProtocol.MS_CHAPv2
Expand Up @@ -12,11 +12,9 @@ def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
if directory.radius_settings:
report = Check_Report_AWS(self.metadata())
report.region = directory.region
report.resource_id = directory.id
report.resource_arn = directory.arn
report.resource_tags = directory.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=directory
)
if directory.radius_settings.status == RadiusStatus.Completed:
report.status = "PASS"
report.status_extended = (
Expand Up @@ -11,7 +11,10 @@ def execute(self):
region in ec2_client.regions_with_snapshots
and ec2_client.regions_with_snapshots[region]
):
report = Check_Report_AWS(self.metadata())
report = Check_Report_AWS(
metadata=self.metadata(),
resource_metadata=dlm_client.lifecycle_policies,
)
report.status = "FAIL"
report.status_extended = "No EBS Snapshot lifecycle policies found."
report.region = region
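Review bot: `resource_metadata=dlm_client.lifecycle_policies` hands the whole lifecycle-policy collection to the report for a per-region "no policies found" finding, so whatever resource_id/resource_arn the constructor derives from it is unlikely to describe the region being reported; `report.region = region` is still set explicitly below, but the identifier assignments are not visible in the hunk. Confirm what the constructor extracts from a collection, and consider omitting resource_metadata here and setting the identifiers explicitly as before, with a comment `# region-level finding: no single policy resource to attach`. The enclosing condition and execute's body start and end outside the hunk.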
Expand Up @@ -24,13 +24,11 @@ def execute(self) -> List[Check_Report_AWS]:
List[Check_Report_AWS]: A list of report objects with the results of the check.
"""
findings = []
for endpoint_arn, endpoint in dms_client.endpoints.items():
for endpoint in dms_client.endpoints.values():
if endpoint.engine_name == "mongodb":
report = Check_Report_AWS(self.metadata())
report.resource_id = endpoint.id
report.resource_arn = endpoint_arn
report.region = endpoint.region
report.resource_tags = endpoint.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=endpoint
)
report.status = "FAIL"
report.status_extended = f"DMS Endpoint '{endpoint.id}' for MongoDB does not have an authentication mechanism enabled."
if endpoint.mongodb_auth_type != "no":
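Review bot: Switching from `.items()` to `.values()` drops `endpoint_arn`, and the explicit `report.resource_arn = endpoint_arn` with it, so resource_arn now depends on the constructor deriving it from an `arn` attribute on the endpoint model; the old code took the ARN from the dict key, not the object, so if the model lacks that field every DMS endpoint finding loses its ARN silently. Please confirm the Endpoint model exposes `arn` equal to the dict key, or keep `for endpoint_arn, endpoint in dms_client.endpoints.items():` together with `report.resource_arn = endpoint_arn`. The same applies to the neptune, redis and ssl_enabled endpoint hunks that follow. execute's body continues outside the hunk.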
Expand Up @@ -23,13 +23,11 @@ def execute(self) -> List[Check_Report_AWS]:
List[Check_Report_AWS]: A list of report objects with the results of the check.
"""
findings = []
for endpoint_arn, endpoint in dms_client.endpoints.items():
for endpoint in dms_client.endpoints.values():
if endpoint.engine_name == "neptune":
report = Check_Report_AWS(self.metadata())
report.resource_id = endpoint.id
report.resource_arn = endpoint_arn
report.region = endpoint.region
report.resource_tags = endpoint.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=endpoint
)
report.status = "FAIL"
report.status_extended = f"DMS Endpoint {endpoint.id} for Neptune databases does not have IAM authorization enabled."
if endpoint.neptune_iam_auth_enabled:
Expand Up @@ -24,13 +24,11 @@ def execute(self) -> List[Check_Report_AWS]:
List[Check_Report_AWS]: A list of report objects with the results of the check.
"""
findings = []
for endpoint_arn, endpoint in dms_client.endpoints.items():
for endpoint in dms_client.endpoints.values():
if endpoint.engine_name == "redis":
report = Check_Report_AWS(self.metadata())
report.resource_id = endpoint.id
report.resource_arn = endpoint_arn
report.region = endpoint.region
report.resource_tags = endpoint.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=endpoint
)
report.status = "FAIL"
report.status_extended = f"DMS Endpoint {endpoint.id} for Redis OSS is not encrypted in transit."
if endpoint.redis_ssl_protocol == "ssl-encryption":
Expand Up @@ -5,12 +5,10 @@
class dms_endpoint_ssl_enabled(Check):
def execute(self):
findings = []
for endpoint_arn, endpoint in dms_client.endpoints.items():
report = Check_Report_AWS(self.metadata())
report.resource_id = endpoint.id
report.resource_arn = endpoint_arn
report.region = endpoint.region
report.resource_tags = endpoint.tags
for endpoint in dms_client.endpoints.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=endpoint
)

if endpoint.ssl_mode == "none":
report.status = "FAIL"
Expand Up @@ -6,11 +6,9 @@ class dms_instance_minor_version_upgrade_enabled(Check):
def execute(self):
findings = []
for instance in dms_client.instances:
report = Check_Report_AWS(self.metadata())
report.region = instance.region
report.resource_id = instance.id
report.resource_arn = instance.arn
report.resource_tags = instance.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=instance
)
report.status = "FAIL"
report.status_extended = f"DMS Replication Instance {instance.id} does not have auto minor version upgrade enabled."
if instance.auto_minor_version_upgrade:
Expand Up @@ -6,11 +6,9 @@ class dms_instance_multi_az_enabled(Check):
def execute(self):
findings = []
for instance in dms_client.instances:
report = Check_Report_AWS(self.metadata())
report.region = instance.region
report.resource_id = instance.id
report.resource_arn = instance.arn
report.resource_tags = instance.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=instance
)
report.status = "FAIL"
report.status_extended = f"DMS Replication Instance {instance.id} does not have multi az enabled."
if instance.multi_az:
Expand Up @@ -8,11 +8,9 @@ class dms_instance_no_public_access(Check):
def execute(self):
findings = []
for instance in dms_client.instances:
report = Check_Report_AWS(self.metadata())
report.region = instance.region
report.resource_id = instance.id
report.resource_arn = instance.arn
report.resource_tags = instance.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=instance
)
report.status = "PASS"
report.status_extended = (
f"DMS Replication Instance {instance.id} is not publicly accessible."
Expand Up @@ -36,11 +36,10 @@ def execute(self) -> List[Check_Report_AWS]:
replication_task_arn,
replication_task,
) in dms_client.replication_tasks.items():
report = Check_Report_AWS(self.metadata())
report.resource_id = replication_task.id
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=replication_task
)
report.resource_arn = replication_task_arn
report.region = replication_task.region
report.resource_tags = replication_task.tags

if not replication_task.logging_enabled:
report.status = "FAIL"
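Review bot: `report.resource_arn = replication_task_arn` is kept after the new constructor call while the DMS endpoint hunks in this commit drop the equivalent key-based assignment, so the two patterns disagree on whether the constructor derives the ARN from the model. If ReplicationTask exposes `arn`, this loop can iterate `dms_client.replication_tasks.values()` and drop the explicit assignment like the endpoint hunks; if it does not, a comment `# ARN is the dict key, not a model attribute` would explain why it stays. The identical hunk in the second replication-task check below has the same inconsistency. execute's body starts and ends outside the hunk.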
Expand Up @@ -36,11 +36,10 @@ def execute(self) -> List[Check_Report_AWS]:
replication_task_arn,
replication_task,
) in dms_client.replication_tasks.items():
report = Check_Report_AWS(self.metadata())
report.resource_id = replication_task.id
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=replication_task
)
report.resource_arn = replication_task_arn
report.region = replication_task.region
report.resource_tags = replication_task.tags

if not replication_task.logging_enabled:
report.status = "FAIL"
Expand Up @@ -8,11 +8,9 @@ class documentdb_cluster_backup_enabled(Check):
def execute(self):
findings = []
for cluster in documentdb_client.db_clusters.values():
report = Check_Report_AWS(self.metadata())
report.region = cluster.region
report.resource_id = cluster.id
report.resource_arn = cluster.arn
report.resource_tags = cluster.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=cluster
)
report.status = "FAIL"
report.status_extended = (
f"DocumentDB Cluster {cluster.id} does not have backup enabled."
Expand Up @@ -8,11 +8,9 @@ class documentdb_cluster_cloudwatch_log_export(Check):
def execute(self):
findings = []
for cluster in documentdb_client.db_clusters.values():
report = Check_Report_AWS(self.metadata())
report.region = cluster.region
report.resource_id = cluster.id
report.resource_arn = cluster.arn
report.resource_tags = cluster.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=cluster
)
report.status = "FAIL"
report.status_extended = f"DocumentDB Cluster {cluster.id} does not have cloudwatch log export enabled."
if cluster.cloudwatch_logs:
Expand Up @@ -8,11 +8,9 @@ class documentdb_cluster_deletion_protection(Check):
def execute(self):
findings = []
for cluster in documentdb_client.db_clusters.values():
report = Check_Report_AWS(self.metadata())
report.region = cluster.region
report.resource_id = cluster.id
report.resource_arn = cluster.arn
report.resource_tags = cluster.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=cluster
)
report.status = "FAIL"
report.status_extended = f"DocumentDB Cluster {cluster.id} does not have deletion protection enabled."
if cluster.deletion_protection:
Expand Up @@ -8,11 +8,9 @@ class documentdb_cluster_multi_az_enabled(Check):
def execute(self):
findings = []
for db_cluster in documentdb_client.db_clusters.values():
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster.arn
report.resource_tags = db_cluster.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_cluster
)
report.status = "FAIL"
report.status_extended = (
f"DocumentDB Cluster {db_cluster.id} does not have Multi-AZ enabled."
Expand Up @@ -8,11 +8,9 @@ class documentdb_cluster_public_snapshot(Check):
def execute(self):
findings = []
for db_snap in documentdb_client.db_cluster_snapshots:
report = Check_Report_AWS(self.metadata())
report.region = db_snap.region
report.resource_id = db_snap.id
report.resource_arn = db_snap.arn
report.resource_tags = db_snap.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_snap
)
if db_snap.public:
report.status = "FAIL"
report.status_extended = (
Expand Up @@ -8,11 +8,9 @@ class documentdb_cluster_storage_encrypted(Check):
def execute(self):
findings = []
for db_cluster in documentdb_client.db_clusters.values():
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster.arn
report.resource_tags = db_cluster.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_cluster
)
if db_cluster.encrypted:
report.status = "PASS"
report.status_extended = (
Expand Up @@ -6,13 +6,12 @@ class drs_job_exist(Check):
def execute(self):
findings = []
for drs in drs_client.drs_services:
report = Check_Report_AWS(self.metadata())
report.status = "FAIL"
report.status_extended = "DRS is not enabled for this region."
report.region = drs.region
report.resource_tags = []
report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=drs)
report.resource_arn = drs_client._get_recovery_job_arn_template(drs.region)
report.resource_id = drs_client.audited_account
report.status = "FAIL"
report.status_extended = "DRS is not enabled for this region."

if drs.status == "ENABLED":
report.status_extended = "DRS is enabled for this region without jobs."
if drs.jobs:
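Review bot: The removed `report.resource_tags = []` was an explicit default for a region-level DRS finding that has no tags of its own; the new code relies on the constructor to supply a value from `drs`, which is not visible here. Confirm that `resource_metadata=drs` yields an empty list rather than None for resource_tags, since exporters downstream may iterate it. The explicit `report.resource_arn`/`report.resource_id` overrides that follow would read better with `# region-level finding: identify by account, not by a job resource`. execute's body continues outside the hunk.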
