Skip to content

Commit

Permalink
chore(backport): master changes to v4.5 branch (#5641)
Browse files Browse the repository at this point in the history
Co-authored-by: sansns-aws <107269923+sansns@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
  • Loading branch information
3 people authored Nov 5, 2024
1 parent 9802fc1 commit d84d0e7
Show file tree
Hide file tree
Showing 20 changed files with 535 additions and 16 deletions.
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,9 +63,9 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe

| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
|---|---|---|---|---|
| AWS | 457 | 67 -> `prowler aws --list-services` | 30 -> `prowler aws --list-compliance` | 9 -> `prowler aws --list-categories` |
| AWS | 553 | 77 -> `prowler aws --list-services` | 30 -> `prowler aws --list-compliance` | 9 -> `prowler aws --list-categories` |
| GCP | 77 | 13 -> `prowler gcp --list-services` | 2 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
| Azure | 136 | 17 -> `prowler azure --list-services` | 3 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
| Azure | 138 | 17 -> `prowler azure --list-services` | 3 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
| Kubernetes | 83 | 7 -> `prowler kubernetes --list-services` | 1 -> `prowler kubernetes --list-compliance` | 7 -> `prowler kubernetes --list-categories` |

# 💻 Installation
Expand Down
4 changes: 3 additions & 1 deletion prowler/providers/aws/aws_provider.py
Original file line number Diff line number Diff line change
Expand Up @@ -1262,7 +1262,9 @@ def test_connection(
logger.critical(
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
raise error
if raise_on_exception:
raise error
return Connection(error=error)

@staticmethod
def create_sts_session(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/DMS/multi-az.html#"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://redis.io/blog/highly-available-in-memory-cloud-datastores/"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/ElastiCache/elasticache-multi-az.html#"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-subnets.html"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,9 @@
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture.html#rabbitmq-broker-architecture-cluster"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-9"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,9 @@
"Url": "https://aws.amazon.com/es/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://aws.amazon.com/rds/features/multi-az/"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Empty file.
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
{
"Provider": "aws",
"CheckID": "rds_cluster_protected_by_backup_plan",
"CheckTitle": "Check if RDS clusters are protected by a backup plan.",
"CheckType": [
"Software and Configuration Checks, AWS Security Best Practices"
],
"ServiceName": "rds",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
"Severity": "medium",
"ResourceType": "AwsRdsDbInstance",
"Description": "Check if RDS clusters are protected by a backup plan.",
"Risk": "Without a backup plan, RDS clusters are vulnerable to data loss, accidental deletion, or corruption. This could lead to significant operational disruptions or loss of critical data.",
"RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html",
"Remediation": {
"Code": {
"CLI": "aws backup create-backup-plan --backup-plan , aws backup tag-resource --resource-arn <rds-cluster-arn> --tags Key=backup,Value=true",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-26",
"Terraform": ""
},
"Recommendation": {
"Text": "Create a backup plan for the RDS cluster to protect it from data loss, accidental deletion, or corruption.",
"Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.backup.backup_client import backup_client
from prowler.providers.aws.services.rds.rds_client import rds_client


class rds_cluster_protected_by_backup_plan(Check):
def execute(self):
findings = []
for db_cluster_arn, db_cluster in rds_client.db_clusters.items():
report = Check_Report_AWS(self.metadata())
report.region = db_cluster.region
report.resource_id = db_cluster.id
report.resource_arn = db_cluster_arn
report.resource_tags = db_cluster.tags
report.status = "FAIL"
report.status_extended = (
f"RDS Cluster {db_cluster.id} is not protected by a backup plan."
)

if (
db_cluster_arn in backup_client.protected_resources
or f"arn:{rds_client.audited_partition}:rds:*:*:cluster:*"
in backup_client.protected_resources
or "*" in backup_client.protected_resources
):
report.status = "PASS"
report.status_extended = (
f"RDS Cluster {db_cluster.id} is protected by a backup plan."
)

findings.append(report)

return findings
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
"Url": "https://aws.amazon.com/rds/features/multi-az/"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,9 @@
"Url": "https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html"
}
},
"Categories": [],
"Categories": [
"redundancy"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
Expand Down
2 changes: 1 addition & 1 deletion prowler/providers/gcp/gcp_provider.py
Original file line number Diff line number Diff line change
Expand Up @@ -411,7 +411,7 @@ def print_credentials(self):

@staticmethod
def get_projects(
credentials: Credentials, organization_id: str
credentials: Credentials, organization_id: str = None
) -> dict[str, GCPProject]:
"""
Get the projects accessible by the provided credentials. If an organization ID is provided, only the projects under that organization are returned.
Expand Down
12 changes: 12 additions & 0 deletions tests/providers/aws/aws_provider_test.py
Original file line number Diff line number Diff line change
Expand Up @@ -1443,6 +1443,18 @@ def test_test_connection_with_different_account_dont_raise(self):
)
assert connection.error.code == 1015

@mock_aws
def test_test_connection_generic_exception(self):
with patch(
"prowler.providers.aws.aws_provider.AwsProvider.setup_session",
side_effect=Exception(),
):
connection = AwsProvider.test_connection(raise_on_exception=False)

assert isinstance(connection, Connection)
assert not connection.is_connected
assert isinstance(connection.error, Exception)

@mock_aws
def test_create_sts_session(self):
current_session = session.Session()
Expand Down
Loading

0 comments on commit d84d0e7

Please sign in to comment.