feat(aws): add new check fsx_windows_file_system_multi_az (#5491)

Co-authored-by: Sergio <[email protected]>
prowler-cloud · Oct 23, 2024 · 93d2579 · 93d2579
1 parent 28f8915
commit 93d2579
Show file tree

Hide file tree

Showing 6 changed files with 207 additions and 1 deletion.
diff --git a/prowler/providers/aws/services/fsx/fsx_service.py b/prowler/providers/aws/services/fsx/fsx_service.py
@@ -51,6 +51,7 @@ def _describe_file_systems(self, regional_client):
                             type=file_system["FileSystemType"],
                             copy_tags_to_backups=copy_tags_to_backups_aux,
                             copy_tags_to_volumes=copy_tags_to_volumes_aux,
+                            subnet_ids=file_system.get("SubnetIds", []),
                             region=regional_client.region,
                             tags=file_system.get("Tags", []),
                         )
@@ -67,4 +68,5 @@ class FileSystem(BaseModel):
     type: str
     copy_tags_to_backups: Optional[bool]
     copy_tags_to_volumes: Optional[bool]
+    subnet_ids: Optional[list] = []
     tags: Optional[list] = []
diff --git a/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/__init__.py b/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/__init__.py
diff --git a/...ndows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json b/...ndows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "fsx_windows_file_system_multi_az_enabled",
+  "CheckTitle": "Check if FSx Windows file systems are configured with Multi-AZ.",
+  "CheckType": [],
+  "ServiceName": "fsx",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
+  "Severity": "low",
+  "ResourceType": "AwsFSxFileSystem",
+  "Description": "Check if FSx Windows file systems are configured with Multi-AZ. The control fails if this configuration isn't enabled.",
+  "Risk": "Relative to Single-AZ deployment, Multi-AZ deployments provide enhanced durability by further replicating data across AZs, and enhanced availability during planned system maintenance and unplanned service disruption by failing over automatically to the standby AZ. This allows you to continue accessing your data, and helps to protect your data against instance failure and AZ disruption.",
+  "RelatedUrl": "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure your FSx Windows file system to be highly available with ENIs in Multiple AZs.",
+      "Url": "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html"
+    }
+  },
+  "Categories": [
+    "redundancy"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
diff --git a/.../fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py b/.../fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py
@@ -0,0 +1,25 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.fsx.fsx_client import fsx_client
+
+
+class fsx_windows_file_system_multi_az_enabled(Check):
+    def execute(self):
+        findings = []
+        for file_system in fsx_client.file_systems.values():
+            if file_system.type == "WINDOWS":
+                report = Check_Report_AWS(self.metadata())
+                report.region = file_system.region
+                report.resource_id = file_system.id
+                report.resource_arn = file_system.arn
+                report.resource_tags = file_system.tags
+                if len(file_system.subnet_ids) > 1:
+                    report.status = "PASS"
+                    report.status_extended = f"FSx Windows file system {file_system.id} is configured for Multi-AZ deployment."
+
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"FSx Windows file system {file_system.id} is not configured for Multi-AZ deployment."
+
+                findings.append(report)
+
+        return findings
diff --git a/...ws/services/fsx/fsx_file_system_multi_az_enabled/fsx_file_system_multi_az_enabled_test.py b/...ws/services/fsx/fsx_file_system_multi_az_enabled/fsx_file_system_multi_az_enabled_test.py
@@ -0,0 +1,144 @@
+from unittest import mock
+
+from boto3 import client
+from moto import mock_aws
+
+from prowler.providers.aws.services.fsx.fsx_service import FSx
+from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider
+
+
+class Test_fsx_windows_file_system_multi_az:
+    @mock_aws
+    def test_fsx_no_file_system(self):
+        client("fsx", region_name=AWS_REGION_EU_WEST_1)
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled import (
+                fsx_windows_file_system_multi_az_enabled,
+            )
+
+            check = fsx_windows_file_system_multi_az_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    def test_fsx_file_system_not_windows(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        fsx_client.create_file_system(
+            FileSystemType="LUSTRE",
+            StorageCapacity=1200,
+            LustreConfiguration={"CopyTagsToBackups": True},
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled import (
+                fsx_windows_file_system_multi_az_enabled,
+            )
+
+            check = fsx_windows_file_system_multi_az_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    def test_fsx_windows_not_multi_az(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        file_system = fsx_client.create_file_system(
+            FileSystemType="WINDOWS",
+            StorageCapacity=1200,
+            OpenZFSConfiguration={
+                "CopyTagsToVolumes": False,
+                "DeploymentType": "SINGLE_AZ_1",
+                "ThroughputCapacity": 12,
+            },
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled import (
+                fsx_windows_file_system_multi_az_enabled,
+            )
+
+            check = fsx_windows_file_system_multi_az_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"FSx Windows file system {file_system['FileSystem']['FileSystemId']} is not configured for Multi-AZ deployment."
+            )
+            assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"]
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}"
+            )
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    @mock_aws
+    def test_fsx_windows_multi_az(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        file_system = fsx_client.create_file_system(
+            FileSystemType="WINDOWS",
+            StorageCapacity=1200,
+            OpenZFSConfiguration={
+                "CopyTagsToVolumes": True,
+                "DeploymentType": "MULTI_AZ_1",
+                "ThroughputCapacity": 12,
+            },
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678", "subnet-12345670"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled import (
+                fsx_windows_file_system_multi_az_enabled,
+            )
+
+            check = fsx_windows_file_system_multi_az_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"FSx Windows file system {file_system['FileSystem']['FileSystemId']} is configured for Multi-AZ deployment."
+            )
+            assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"]
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}"
+            )
+            assert result[0].region == AWS_REGION_EU_WEST_1
diff --git a/tests/providers/aws/services/fsx/fsx_service_test.py b/tests/providers/aws/services/fsx/fsx_service_test.py
@@ -56,7 +56,7 @@ def test_describe_file_systems(self):
             StorageCapacity=1200,
             LustreConfiguration={"CopyTagsToBackups": True},
             Tags=[{"Key": "Name", "Value": "Test"}],
-            SubnetIds=["subnet-12345678"],
+            SubnetIds=["subnet-12345678", "subnet-12345670"],
         )
         arn = f"arn:aws:fsx:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system['FileSystem']['FileSystemId']}"
         aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
@@ -67,3 +67,6 @@ def test_describe_file_systems(self):
         assert fsx.file_systems[arn].copy_tags_to_backups
         assert fsx.file_systems[arn].region == AWS_REGION_US_EAST_1
         assert fsx.file_systems[arn].tags == [{"Key": "Name", "Value": "Test"}]
+        assert (
+            fsx.file_systems[arn].subnet_ids == file_system["FileSystem"]["SubnetIds"]
+        )