feat(aws): include resource metadata in services from r* to s* (#…
…6536)

Co-authored-by: MrCloudSec <[email protected]>
HugoPBrito and MrCloudSec authored Jan 15, 2025
1 parent 95189b5 commit b1f0209
Showing 105 changed files with 419 additions and 595 deletions.
Expand Up @@ -6,11 +6,11 @@ class rds_cluster_backtrack_enabled(Check):
def execute(self):
findings = []
for db_cluster in rds_client.db_clusters:
report = Check_Report_AWS(self.metadata())
report.region = rds_client.db_clusters[db_cluster].region
report.resource_id = rds_client.db_clusters[db_cluster].id
report = Check_Report_AWS(
metadata=self.metadata(),
resource_metadata=rds_client.db_clusters[db_cluster],
)
report.resource_arn = db_cluster
report.resource_tags = rds_client.db_clusters[db_cluster].tags
report.status = "FAIL"
report.status_extended = f"RDS Cluster {rds_client.db_clusters[db_cluster].id} does not have backtrack enabled."
# Only RDS Aurora MySQL clusters support backtrack.
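Review bot: The loop header still iterates the dictionary keys and repeats the `rds_client.db_clusters[db_cluster]` lookup in the new resource_metadata argument, in the status_extended f-string and, presumably, in the rest of the body below the hunk, while sibling checks in this same commit (rds_cluster_copy_tags_to_snapshots, rds_cluster_multi_az, rds_cluster_storage_encrypted) were switched to iterate the values. Applying the same style here would read `for db_cluster in rds_client.db_clusters.values():` and `resource_metadata=db_cluster,`, and it removes the confusion of a variable named like the model that actually holds the ARN key. The same key-iteration pattern is left in the rds_cluster_default_admin and rds_cluster_deletion_protection hunks and in the two unnamed execute() hunks that test iam_auth and multi_az. execute() continues below the hunk.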
Expand Up @@ -5,12 +5,10 @@
class rds_cluster_copy_tags_to_snapshots(Check):
def execute(self):
findings = []
for db_cluster_arn, db_cluster in rds_client.db_clusters.items():
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster_arn
report.resource_tags = db_cluster.tags
for db_cluster in rds_client.db_clusters.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_cluster
)
if db_cluster.copy_tags_to_snapshot:
report.status = "PASS"
report.status_extended = (
Expand Up @@ -7,37 +7,31 @@ def execute(self):
findings = []
if rds_client.provider.scan_unused_services or rds_client.db_clusters:
for db_event in rds_client.db_event_subscriptions:
report = Check_Report_AWS(self.metadata())
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_event
)
report.status = "FAIL"
report.status_extended = "RDS cluster event categories of maintenance and failure are not subscribed."
report.resource_id = rds_client.audited_account
report.resource_arn = rds_client._get_rds_arn_template(db_event.region)
report.region = db_event.region
report.resource_tags = db_event.tags
if db_event.source_type == "db-cluster" and db_event.enabled:
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_event
)
if db_event.event_list == [] or set(db_event.event_list) == {
"maintenance",
"failure",
}:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "PASS"
report.status_extended = "RDS cluster events are subscribed."

elif db_event.event_list == ["maintenance"]:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "FAIL"
report.status_extended = (
"RDS cluster event category of failure is not subscribed."
)

elif db_event.event_list == ["failure"]:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "FAIL"
report.status_extended = "RDS cluster event category of maintenance is not subscribed."

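Review bot: The second `report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=db_event)` inside the `if db_event.source_type == "db-cluster" and db_event.enabled:` branch rebuilds the report with exactly the arguments used at the top of the loop body, so the default `report.status = "FAIL"` and the "not subscribed" status_extended assigned just before it are thrown away. Any enabled db-cluster subscription whose event_list matches none of the three branches (for instance a list that also carries a category other than maintenance and failure) then reaches the findings.append below the hunk carrying whatever status Check_Report_AWS initialises — which cannot be verified from here — instead of the intended FAIL. Because region, resource_id, resource_arn and resource_tags are now filled from resource_metadata at construction, the inner construction can simply be deleted; the per-branch resource assignments it replaced were the only reason a second report looked necessary. The same duplicated construction appears in the RDS instance event subscription hunk further down (the one whose default message names maintenance, configuration change and failure). execute() starts above the hunk header and its findings.append lies below the hunk.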
Expand Up @@ -6,11 +6,10 @@ class rds_cluster_default_admin(Check):
def execute(self):
findings = []
for db_cluster in rds_client.db_clusters:
report = Check_Report_AWS(self.metadata())
report.region = rds_client.db_clusters[db_cluster].region
report.resource_id = rds_client.db_clusters[db_cluster].id
report.resource_arn = db_cluster
report.resource_tags = rds_client.db_clusters[db_cluster].tags
report = Check_Report_AWS(
metadata=self.metadata(),
resource_metadata=rds_client.db_clusters[db_cluster],
)
report.status = "FAIL"
report.status_extended = f"RDS Cluster {rds_client.db_clusters[db_cluster].id} is using the default master username."
if rds_client.db_clusters[db_cluster].username not in [
Expand Up @@ -6,11 +6,10 @@ class rds_cluster_deletion_protection(Check):
def execute(self):
findings = []
for db_cluster in rds_client.db_clusters:
report = Check_Report_AWS(self.metadata())
report.region = rds_client.db_clusters[db_cluster].region
report.resource_id = rds_client.db_clusters[db_cluster].id
report.resource_arn = db_cluster
report.resource_tags = rds_client.db_clusters[db_cluster].tags
report = Check_Report_AWS(
metadata=self.metadata(),
resource_metadata=rds_client.db_clusters[db_cluster],
)
report.status = "FAIL"
report.status_extended = f"RDS Cluster {rds_client.db_clusters[db_cluster].id} does not have deletion protection enabled."
if rds_client.db_clusters[db_cluster].deletion_protection:
Expand Up @@ -18,11 +18,10 @@ def execute(self):
engine in rds_client.db_clusters[db_cluster].engine
for engine in supported_engines
):
report = Check_Report_AWS(self.metadata())
report.region = rds_client.db_clusters[db_cluster].region
report.resource_id = rds_client.db_clusters[db_cluster].id
report.resource_arn = db_cluster
report.resource_tags = rds_client.db_clusters[db_cluster].tags
report = Check_Report_AWS(
metadata=self.metadata(),
resource_metadata=rds_client.db_clusters[db_cluster],
)

if rds_client.db_clusters[db_cluster].iam_auth:
report.status = "PASS"
Expand Up @@ -6,13 +6,11 @@ class rds_cluster_integration_cloudwatch_logs(Check):
def execute(self):
findings = []
valid_engines = ["aurora-mysql", "aurora-postgresql", "mysql", "postgres"]
for db_cluster_arn, db_cluster in rds_client.db_clusters.items():
for db_cluster in rds_client.db_clusters.values():
if db_cluster.engine in valid_engines:
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster_arn
report.resource_tags = db_cluster.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_cluster
)
if db_cluster.cloudwatch_logs:
report.status = "PASS"
report.status_extended = f"RDS Cluster {db_cluster.id} is shipping {', '.join(db_cluster.cloudwatch_logs)} logs to CloudWatch Logs."
Expand Up @@ -8,11 +8,10 @@ def execute(self):
for db_cluster in rds_client.db_clusters:
# Auto minor version upgrade is only available for non-Aurora Multi-AZ DB clusters
if rds_client.db_clusters[db_cluster].multi_az:
report = Check_Report_AWS(self.metadata())
report.region = rds_client.db_clusters[db_cluster].region
report.resource_id = rds_client.db_clusters[db_cluster].id
report.resource_arn = rds_client.db_clusters[db_cluster].arn
report.resource_tags = rds_client.db_clusters[db_cluster].tags
report = Check_Report_AWS(
metadata=self.metadata(),
resource_metadata=rds_client.db_clusters[db_cluster],
)
if rds_client.db_clusters[db_cluster].auto_minor_version_upgrade:
report.status = "PASS"
report.status_extended = f"RDS Cluster {rds_client.db_clusters[db_cluster].id} has minor version upgrade enabled."
Expand Up @@ -5,12 +5,10 @@
class rds_cluster_multi_az(Check):
def execute(self):
findings = []
for db_cluster_arn, db_cluster in rds_client.db_clusters.items():
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster_arn
report.resource_tags = db_cluster.tags
for db_cluster in rds_client.db_clusters.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_cluster
)
report.status = "FAIL"
report.status_extended = (
f"RDS Cluster {db_cluster.id} does not have multi-AZ enabled."
Expand Up @@ -12,12 +12,10 @@ def execute(self):
1433: ["sqlserver"],
50000: ["db2"],
}
for db_cluster_arn, db_cluster in rds_client.db_clusters.items():
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster_arn
report.resource_tags = db_cluster.tags
for db_cluster in rds_client.db_clusters.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_cluster
)
report.status = "PASS"
report.status_extended = (
f"RDS Cluster {db_cluster.id} is not using the default port "
Expand Up @@ -6,19 +6,17 @@
class rds_cluster_protected_by_backup_plan(Check):
def execute(self):
findings = []
for db_cluster_arn, db_cluster in rds_client.db_clusters.items():
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster_arn
report.resource_tags = db_cluster.tags
for db_cluster in rds_client.db_clusters.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_cluster
)
report.status = "FAIL"
report.status_extended = (
f"RDS Cluster {db_cluster.id} is not protected by a backup plan."
)

if (
db_cluster_arn in backup_client.protected_resources
db_cluster.arn in backup_client.protected_resources
or f"arn:{rds_client.audited_partition}:rds:*:*:cluster:*"
in backup_client.protected_resources
or "*" in backup_client.protected_resources
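Review bot: The membership test `db_cluster.arn in backup_client.protected_resources` now trusts the model's `arn` attribute where the dictionary key was compared before; if the two ever diverge (an ARN built differently in the RDS service than in the backup service), a cluster that is covered by a backup plan would be reported as FAIL without any error, and the wildcard branches would mask the mismatch only for accounts that protect everything. A unit test asserting that the value the backup service stores in `protected_resources` equals `db_cluster.arn` for the same cluster, or an assertion in the RDS service that each key matches its model's `arn`, would pin this down. The `if` condition continues beyond the hunk.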
Expand Up @@ -5,12 +5,10 @@
class rds_cluster_storage_encrypted(Check):
def execute(self):
findings = []
for db_cluster_arn, db_cluster in rds_client.db_clusters.items():
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster_arn
report.resource_tags = db_cluster.tags
for db_cluster in rds_client.db_clusters.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_cluster
)
if db_cluster.encrypted:
report.status = "PASS"
report.status_extended = f"RDS cluster {db_cluster.id} is encrypted."
Expand Up @@ -5,12 +5,10 @@
class rds_instance_backup_enabled(Check):
def execute(self):
findings = []
for db_instance_arn, db_instance in rds_client.db_instances.items():
report = Check_Report_AWS(self.metadata())
report.region = db_instance.region
report.resource_id = db_instance.id
report.resource_arn = db_instance_arn
report.resource_tags = db_instance.tags
for db_instance in rds_client.db_instances.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_instance
)
if db_instance.backup_retention_period > 0:
report.status = "PASS"
report.status_extended = f"RDS Instance {db_instance.id} has backup enabled with retention period {db_instance.backup_retention_period} days."
Expand Up @@ -14,12 +14,10 @@ class rds_instance_certificate_expiration(Check):
# RDS Certificates that are expired the check will FAIL with a severity of critical.
def execute(self):
findings = []
for db_instance_arn, db_instance in rds_client.db_instances.items():
report = Check_Report_AWS(self.metadata())
report.region = db_instance.region
report.resource_id = db_instance.id
report.resource_arn = db_instance_arn
report.resource_tags = db_instance.tags
for db_instance in rds_client.db_instances.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_instance
)
report.status = "FAIL"
report.check_metadata.Severity = Severity.critical
report.status_extended = (
Expand Up @@ -5,17 +5,15 @@
class rds_instance_copy_tags_to_snapshots(Check):
def execute(self):
findings = []
for db_instance_arn, db_instance in rds_client.db_instances.items():
for db_instance in rds_client.db_instances.values():
if db_instance.engine not in [
"aurora",
"aurora-mysql",
"aurora-postgresql",
]:
report = Check_Report_AWS(self.metadata())
report.region = db_instance.region
report.resource_id = db_instance.id
report.resource_arn = db_instance_arn
report.resource_tags = db_instance.tags
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_instance
)
if db_instance.copy_tags_to_snapshot:
report.status = "PASS"
report.status_extended = f"RDS Instance {db_instance.id} has copy tags to snapshots enabled."
Expand Up @@ -7,49 +7,39 @@ def execute(self):
findings = []
if rds_client.provider.scan_unused_services or rds_client.db_instances:
for db_event in rds_client.db_event_subscriptions:
report = Check_Report_AWS(self.metadata())
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_event
)
report.status = "FAIL"
report.status_extended = "RDS instance event categories of maintenance, configuration change, and failure are not subscribed."
report.resource_id = rds_client.audited_account
report.resource_arn = rds_client._get_rds_arn_template(db_event.region)
report.region = db_event.region
report.resource_tags = db_event.tags
if db_event.source_type == "db-instance" and db_event.enabled:
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_event
)
if db_event.event_list == [] or set(db_event.event_list) == {
"maintenance",
"configuration change",
"failure",
}:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "PASS"
report.status_extended = "RDS instance events are subscribed."
elif set(db_event.event_list) == {"maintenance"}:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "FAIL"
report.status_extended = "RDS instance event categories of configuration change and failure are not subscribed."
elif set(db_event.event_list) == {"configuration change"}:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "FAIL"
report.status_extended = "RDS instance event categories of maintenance and failure are not subscribed."
elif set(db_event.event_list) == {"failure"}:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "FAIL"
report.status_extended = "RDS instance event categories of maintenance and configuration change are not subscribed."
elif set(db_event.event_list) == {
"maintenance",
"configuration change",
}:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "FAIL"
report.status_extended = (
"RDS instance event category of failure is not subscribed."
Expand All @@ -58,18 +48,12 @@ def execute(self):
"maintenance",
"failure",
}:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "FAIL"
report.status_extended = "RDS instance event category of configuration change is not subscribed."
elif set(db_event.event_list) == {
"configuration change",
"failure",
}:
report.resource_id = db_event.id
report.resource_arn = db_event.arn
report.resource_tags = db_event.tags
report.status = "FAIL"
report.status_extended = "RDS instance event category of maintenance is not subscribed."
findings.append(report)
Expand Up @@ -5,12 +5,10 @@
class rds_instance_default_admin(Check):
def execute(self):
findings = []
for db_instance_arn, db_instance in rds_client.db_instances.items():
report = Check_Report_AWS(self.metadata())
report.region = db_instance.region
report.resource_id = db_instance.id
report.resource_arn = db_instance_arn
report.resource_tags = db_instance.tags
for db_instance in rds_client.db_instances.values():
report = Check_Report_AWS(
metadata=self.metadata(), resource_metadata=db_instance
)
# Check if is member of a cluster
if db_instance.cluster_id:
if (

0 comments on commit b1f0209
