fix: conflict in poetry

prowler-cloud · Sep 11, 2024 · f4efcf2 · f4efcf2
2 parents d5862d9 + 1298620
commit f4efcf2
Show file tree

Hide file tree

Showing 37 changed files with 1,876 additions and 194 deletions.
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
 |---|---|---|---|---|
-| AWS | 409 | 67 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 7 -> `prowler aws --list-categories` |
+| AWS | 415 | 67 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 9 -> `prowler aws --list-categories` |
 | GCP | 77 | 13 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
 | Azure | 135 | 16 -> `prowler azure --list-services` | 2 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
 | Kubernetes | 83 | 7 -> `prowler kubernetes --list-services` | 1 -> `prowler kubernetes --list-compliance` | 7 -> `prowler kubernetes --list-categories` |

diff --git a/poetry.lock b/poetry.lock
diff --git a/prowler/__main__.py b/prowler/__main__.py
@@ -226,7 +226,8 @@ def prowler():
     # Once the provider is set and we have the eventual checks based on the resource identifier,
     # it is time to check what Prowler's checks are going to be executed
     checks_from_resources = global_provider.get_checks_to_execute_by_audit_resources()
-    if checks_from_resources:
+    # Intersect checks from resources with checks to execute so we only run the checks that apply to the resources with the specified ARNs or tags
+    if getattr(args, "resource_arn", None) or getattr(args, "resource_tag", None):
         checks_to_execute = checks_to_execute.intersection(checks_from_resources)
 
     # Sort final check list

diff --git a/prowler/providers/aws/services/backup/backup_service.py b/prowler/providers/aws/services/backup/backup_service.py
@@ -23,6 +23,8 @@ def __init__(self, provider):
         self.__threading_call__(self._list_backup_plans)
         self.backup_report_plans = []
         self.__threading_call__(self._list_backup_report_plans)
+        self.protected_resources = {}
+        self.__threading_call__(self._list_protected_resources)
 
     def _list_backup_vaults(self, regional_client):
         logger.info("Backup - Listing Backup Vaults...")
@@ -138,6 +140,33 @@ def _list_backup_report_plans(self, regional_client):
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
+    def _list_protected_resources(self, regional_client):
+        logger.info("Backup - Listing Protected Resources...")
+
+        try:
+            list_protected_resources_paginator = regional_client.get_paginator(
+                "list_protected_resources"
+            )
+            for page in list_protected_resources_paginator.paginate():
+                for resource in page.get("Results", []):
+                    arn = resource.get("ResourceArn", "")
+                    if not self.audit_resources or (
+                        is_resource_filtered(
+                            arn,
+                            self.audit_resources,
+                        )
+                    ):
+                        self.protected_resources[arn] = ProtectedResource(
+                            arn=arn,
+                            resource_type=resource.get("ResourceType"),
+                            region=regional_client.region,
+                            last_backup_time=resource.get("LastBackupTime"),
+                        )
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
 
 class BackupVault(BaseModel):
     arn: str
@@ -166,3 +195,10 @@ class BackupReportPlan(BaseModel):
     name: str
     last_attempted_execution_date: Optional[datetime]
     last_successful_execution_date: Optional[datetime]
+
+
+class ProtectedResource(BaseModel):
+    arn: str
+    resource_type: str
+    region: str
+    last_backup_time: Optional[datetime]
diff --git a/...using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.py b/...using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.py
@@ -21,17 +21,16 @@ def execute(self):
 
             bad_ssl_protocol = False
             for origin in distribution.origins:
-                if "CustomOriginConfig" in origin:
-                    for ssl_protocol in origin["CustomOriginConfig"][
-                        "OriginSslProtocols"
-                    ]["Items"]:
+                if origin.origin_ssl_protocols:
+                    for ssl_protocol in origin.origin_ssl_protocols:
                         if ssl_protocol in (
                             OriginsSSLProtocols.SSLv3.value,
                             OriginsSSLProtocols.TLSv1.value,
                             OriginsSSLProtocols.TLSv1_1.value,
                         ):
                             bad_ssl_protocol = True
                             break
+
                 if bad_ssl_protocol:
                     report.status = "FAIL"
                     report.status_extended = f"CloudFront Distribution {distribution.id} is using a deprecated SSL protocol."

diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_service.py b/prowler/providers/aws/services/cloudfront/cloudfront_service.py
@@ -30,7 +30,22 @@ def _list_distributions(self, client, region) -> dict:
                         ):
                             distribution_id = item["Id"]
                             distribution_arn = item["ARN"]
-                            origins = item["Origins"]["Items"]
+                            origins = []
+                            for origin in item.get("Origins", {}).get("Items", []):
+                                origins.append(
+                                    Origin(
+                                        id=origin["Id"],
+                                        domain_name=origin["DomainName"],
+                                        origin_protocol_policy=origin.get(
+                                            "CustomOriginConfig", {}
+                                        ).get("OriginProtocolPolicy", ""),
+                                        origin_ssl_protocols=origin.get(
+                                            "CustomOriginConfig", {}
+                                        )
+                                        .get("OriginSslProtocols", {})
+                                        .get("Items", []),
+                                    )
+                                )
                             distribution = Distribution(
                                 arn=distribution_arn,
                                 id=distribution_id,
@@ -130,6 +145,13 @@ class DefaultCacheConfigBehaviour(BaseModel):
     field_level_encryption_id: str
 
 
+class Origin(BaseModel):
+    id: str
+    domain_name: str
+    origin_protocol_policy: str
+    origin_ssl_protocols: list[str]
+
+
 class Distribution(BaseModel):
     """Distribution holds a CloudFront Distribution resource"""
 
@@ -139,6 +161,6 @@ class Distribution(BaseModel):
     logging_enabled: bool = False
     default_cache_config: Optional[DefaultCacheConfigBehaviour]
     geo_restriction_type: Optional[GeoRestrictionType]
-    origins: list
+    origins: list[Origin]
     web_acl_id: str = ""
     tags: Optional[list] = []
diff --git a/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/__init__.py b/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/__init__.py
diff --git a/...cluster_critical_event_subscription/rds_cluster_critical_event_subscription.metadata.json b/...cluster_critical_event_subscription/rds_cluster_critical_event_subscription.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "rds_cluster_critical_event_subscription",
+  "CheckTitle": "Check if RDS Cluster critical events are subscribed.",
+  "CheckType": [
+    "Software and Configuration Checks, AWS Security Best Practices"
+  ],
+  "ServiceName": "rds",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster",
+  "Severity": "low",
+  "ResourceType": "AwsRdsEventSubscription",
+  "Description": "Ensure that Amazon RDS event notification subscriptions are enabled for database cluster events, particularly maintenance and failure.",
+  "Risk": "Without event subscriptions for critical events, such as maintenance and failures, you may not be aware of issues affecting your RDS clusters, leading to downtime or security vulnerabilities.",
+  "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws rds create-event-subscription --source-type db-cluster --event-categories 'failure' 'maintenance' --sns-topic-arn <sns-topic-arn>",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-19",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "To subscribe to RDS cluster event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide.",
+      "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}