From 58500ce118c437f4c1be441b4a9f57795d02229e Mon Sep 17 00:00:00 2001 From: kagahd Date: Tue, 17 Dec 2024 18:11:40 +0100 Subject: [PATCH 1/4] disallow child-accounts to overwrite policy for "ai_services_opt_out" --- ...s_opt_out_ai_services_policy.metadata.json | 6 +- ...rganizations_opt_out_ai_services_policy.py | 12 +- ...zations_opt_out_ai_services_policy_test.py | 131 +++++++++++++++++- 3 files changed, 136 insertions(+), 13 deletions(-) diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json index ef3e8c536e1..14afb963507 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json 
@@ -1,14 +1,14 @@ { "Provider": "aws", "CheckID": "organizations_opt_out_ai_services_policy", - "CheckTitle": "Ensure that AWS Organizations opt-out of AI services policy is enabled.", + "CheckTitle": "Ensure that AWS Organizations opt-out of AI services policy is enabled and disallow child-accounts to overwrite this policy.", "CheckType": [], "ServiceName": "organizations", "SubServiceName": "", "ResourceIdTemplate": "arn:partition:service::account-id:organization/organization-id", "Severity": "low", "ResourceType": "Other", - "Description": "This control checks whether the AWS Organizations opt-out of AI services policy is enabled. The control fails if the policy is not enabled.", + "Description": "This control checks whether the AWS Organizations opt-out of AI services policy is enabled and whether child-accounts are disallowed to overwrite this policy. The control fails if the policy is not enabled or if child-accounts are not disallowed to overwrite this policy.", "Risk": "By default, AWS may be using your data to train its AI models. This may include data from your AWS CloudTrail logs, AWS Config rules, and AWS GuardDuty findings. If you opt out of AI services, AWS will not use your data to train its AI models.", "RelatedUrl": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_all.html", "Remediation": { @@ -19,7 +19,7 @@ "Terraform": "" }, "Recommendation": { - "Text": "Artificial Intelligence (AI) services opt-out policies enable you to control whether AWS AI services can store and use your content. Enable the AWS Organizations opt-out of AI services policy.", + "Text": "Artificial Intelligence (AI) services opt-out policies enable you to control whether AWS AI services can store and use your content. Enable the AWS Organizations opt-out of AI services policy and disallow child-accounts to overwrite this policy.", "Url": "https://docs.aws.amazon.com/organizations/latest/userguide/disable-policy-type.html" } }, 
diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py index 3894f723eb5..9f6915d13a0 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py @@ -21,19 +21,21 @@ def execute(self): "AWS Organizations is not in-use for this AWS Account." ) if organizations_client.organization.status == "ACTIVE": - report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services, granting consent for AWS to access its data." + report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." for policy in organizations_client.organization.policies.get( "AISERVICES_OPT_OUT_POLICY", [] ): - if ( + opt_out_policy = ( policy.content.get("services", {}) .get("default", {}) .get("opt_out_policy", {}) - .get("@@assign") - == "optOut" + ) + if ( + opt_out_policy.get("@@assign") == "optOut" + and opt_out_policy.get("@@operators_allowed_for_child_policies") == ["@@none"] ): report.status = "PASS" - report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services, not granting consent for AWS to access its data." + report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services, not granting consent for AWS to access its data, and also disallows child-accounts to overwrite this policy." break findings.append(report) 
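Review bot: The child-policy lock is verified only on the `opt_out_policy` object under `services.default`, so the PASS branch accepts a policy that pins the default value but leaves the enclosing `services` object itself unlocked; if AWS policy inheritance lets a child policy add a service-specific entry beside `default` (not verifiable from this hunk), such an organization would still be reported as fully opted out. Consider also requiring `@@operators_allowed_for_child_policies` of `["@@none"]` on the `services` level, or stating in the PASS text that only the default setting is evaluated. The exact equality `opt_out_policy.get("@@operators_allowed_for_child_policies") == ["@@none"]` is the right strictness, since any additional operator in that list would again allow child policies to modify the value; a one-line comment saying so would stop a future reader from "relaxing" it to a membership test. The enclosing `execute` starts before this hunk.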
diff --git a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py index a583ac2265c..93ed299b9c8 100644 --- a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py +++ b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py @@ -87,7 +87,7 @@ def test_organization_with_AI_optout_no_policies(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data." + == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -96,7 +96,7 @@ def test_organization_with_AI_optout_no_policies(self): ) assert result[0].region == AWS_REGION_EU_WEST_1 - def test_organization_with_AI_optout_policy(self): + def test_organization_with_AI_optout_policy_complete(self): organizations_client = mock.MagicMock organizations_client.region = AWS_REGION_EU_WEST_1 organizations_client.audited_partition = "aws" @@ -118,7 +118,7 @@ def test_organization_with_AI_optout_policy(self): aws_managed=False, content={ "services": { - "default": {"opt_out_policy": {"@@assign": "optOut"}} + "default": {"opt_out_policy": {"@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "optOut"}} } }, targets=[], 
@@ -153,7 +153,7 @@ def test_organization_with_AI_optout_policy(self): assert result[0].status == "PASS" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has opted out of all AI services, not granting consent for AWS to access its data." + == "AWS Organization o-1234567890 has opted out of all AI services, not granting consent for AWS to access its data, and also disallows child-accounts to overwrite this policy." ) assert result[0].resource_id == "o-1234567890" assert ( 
@@ -209,7 +209,67 @@ def test_organization_with_AI_optout_policy_no_content(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data." + == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." + ) + assert result[0].resource_id == "o-1234567890" + assert ( + result[0].resource_arn + == "arn:aws:organizations::1234567890:organization/o-1234567890" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + + def test_organization_with_AI_optout_policy_no_disallow(self): + organizations_client = mock.MagicMock + organizations_client.region = AWS_REGION_EU_WEST_1 + organizations_client.audited_partition = "aws" + organizations_client.audited_account = "0123456789012" + organizations_client.organization = Organization( + id="o-1234567890", + arn="arn:aws:organizations::1234567890:organization/o-1234567890", + status="ACTIVE", + master_id="1234567890", + policies={ + "AISERVICES_OPT_OUT_POLICY": [ + Policy( + id="p-1234567890", + arn="arn:aws:organizations::1234567890:policy/o-1234567890/p-1234567890", + type="AISERVICES_OPT_OUT_POLICY", + aws_managed=False, + content={ + "services": { + "default": {"opt_out_policy": {"@@assign": "optOut"}} + } + }, + targets=[], + ) + ] + }, + delegated_administrators=None, + ) + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client", + new=organizations_client, + ): + # Test Check + from 
prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy import ( + organizations_opt_out_ai_services_policy, + ) + + check = organizations_opt_out_ai_services_policy() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." ) assert result[0].resource_id == "o-1234567890" assert ( 
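Review bot: `organizations_client = mock.MagicMock` in `test_organization_with_AI_optout_policy_no_disallow` binds the MagicMock class rather than an instance, so the `region`, `audited_partition`, `audited_account` and `organization` assignments that follow set class attributes that every `MagicMock` created later in the same process inherits. The same pattern is copied into `test_organization_with_AI_optout_policy_no_opt_out` in the next hunk; `organizations_client = mock.MagicMock()` is the intended form. This mirrors the file's pre-existing tests, so it is probably best corrected file-wide rather than only in the new functions. The enclosing test class starts before the hunk.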
@@ -217,3 +277,64 @@ def test_organization_with_AI_optout_policy_no_content(self): == "arn:aws:organizations::1234567890:organization/o-1234567890" ) assert result[0].region == AWS_REGION_EU_WEST_1 + + def test_organization_with_AI_optout_policy_no_opt_out(self): + organizations_client = mock.MagicMock + organizations_client.region = AWS_REGION_EU_WEST_1 + organizations_client.audited_partition = "aws" + organizations_client.audited_account = "0123456789012" + organizations_client.organization = Organization( + id="o-1234567890", + arn="arn:aws:organizations::1234567890:organization/o-1234567890", + status="ACTIVE", + master_id="1234567890", + policies={ + "AISERVICES_OPT_OUT_POLICY": [ + Policy( + id="p-1234567890", + arn="arn:aws:organizations::1234567890:policy/o-1234567890/p-1234567890", + type="AISERVICES_OPT_OUT_POLICY", + aws_managed=False, + content={ + "services": { + "default": {"opt_out_policy": {"@@operators_allowed_for_child_policies": ["@@none"]}} + } + }, + targets=[], + ) + ] + }, + delegated_administrators=None, + ) + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client", + new=organizations_client, + ): + # Test Check + from prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy import ( + organizations_opt_out_ai_services_policy, + ) + + check = organizations_opt_out_ai_services_policy() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to 
overwrite this policy." + ) + assert result[0].resource_id == "o-1234567890" + assert ( + result[0].resource_arn + == "arn:aws:organizations::1234567890:organization/o-1234567890" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + From b2597b2d5ffdabd413683149627c6115cd104c11 Mon Sep 17 00:00:00 2001 From: kagahd Date: Tue, 17 Dec 2024 19:30:43 +0100 Subject: [PATCH 2/4] make flake happy --- ...organizations_opt_out_ai_services_policy.py | 11 +++++++---- ...izations_opt_out_ai_services_policy_test.py | 18 +++++++++++++++--- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py index 9f6915d13a0..232d014898c 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py @@ -30,10 +30,13 @@ def execute(self): .get("default", {}) .get("opt_out_policy", {}) ) - if ( - opt_out_policy.get("@@assign") == "optOut" - and opt_out_policy.get("@@operators_allowed_for_child_policies") == ["@@none"] - ): + if opt_out_policy.get( + "@@assign" + ) == "optOut" and opt_out_policy.get( + "@@operators_allowed_for_child_policies" + ) == [ + "@@none" + ]: report.status = "PASS" report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services, not granting consent for AWS to access its data, and also disallows child-accounts to overwrite this policy." break 
diff --git a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py index 93ed299b9c8..63f572ad8da 100644 --- a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py +++ b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py @@ -118,7 +118,14 @@ def test_organization_with_AI_optout_policy_complete(self): aws_managed=False, content={ "services": { - "default": {"opt_out_policy": {"@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "optOut"}} + "default": { + "opt_out_policy": { + "@@operators_allowed_for_child_policies": [ + "@@none" + ], + "@@assign": "optOut", + } + } } }, targets=[], @@ -297,7 +304,13 @@ def test_organization_with_AI_optout_policy_no_opt_out(self): aws_managed=False, content={ "services": { - "default": {"opt_out_policy": {"@@operators_allowed_for_child_policies": ["@@none"]}} + "default": { + "opt_out_policy": { + "@@operators_allowed_for_child_policies": [ + "@@none" + ] + } + } } }, targets=[], @@ -337,4 +350,3 @@ def test_organization_with_AI_optout_policy_no_opt_out(self): == "arn:aws:organizations::1234567890:organization/o-1234567890" ) assert result[0].region == AWS_REGION_EU_WEST_1 - From 6e24809315157a379d2d7a8b5fd8332d1bdd7314 Mon Sep 17 00:00:00 2001 From: kagahd Date: Thu, 19 Dec 2024 15:37:51 +0100 Subject: [PATCH 3/4] split failed findings --- ...rganizations_opt_out_ai_services_policy.py | 58 +++++++++++++------ ...zations_opt_out_ai_services_policy_test.py | 10 ++-- 2 files changed, 46 insertions(+), 22 deletions(-) 
diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py index 232d014898c..d2f69f43f96 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py 
@@ -20,26 +20,50 @@ def execute(self): report.status_extended = ( "AWS Organizations is not in-use for this AWS Account." ) + if organizations_client.organization.status == "ACTIVE": - report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." - for policy in organizations_client.organization.policies.get( + conditions_failed = [] + all_conditions_passed = False + opt_out_policies = organizations_client.organization.policies.get( "AISERVICES_OPT_OUT_POLICY", [] - ): - opt_out_policy = ( - policy.content.get("services", {}) - .get("default", {}) - .get("opt_out_policy", {}) - ) - if opt_out_policy.get( - "@@assign" - ) == "optOut" and opt_out_policy.get( - "@@operators_allowed_for_child_policies" - ) == [ - "@@none" - ]: + ) + + if not opt_out_policies: + report.status_extended = f"AWS Organization {organizations_client.organization.id} has no opt-out policy for AI services." + else: + for policy in opt_out_policies: + opt_out_policy = ( + policy.content.get("services", {}) + .get("default", {}) + .get("opt_out_policy", {}) + ) + + condition_1 = opt_out_policy.get("@@assign") == "optOut" + condition_2 = opt_out_policy.get( + "@@operators_allowed_for_child_policies" + ) == ["@@none"] + + if condition_1 and condition_2: + all_conditions_passed = True + break + + if not condition_1: + conditions_failed.append( + "Organization has not opted out of all AI services." + ) + if not condition_2: + conditions_failed.append( + "Organization does not disallow child-accounts to overwrite the policy." + ) + + if all_conditions_passed: report.status = "PASS" - report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services, not granting consent for AWS to access its data, and also disallows child-accounts to overwrite this policy." 
- break + report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services and also disallows child-accounts to overwrite this policy." + else: + report.status_extended = ( + f"AWS Organization {organizations_client.organization.id} failed the check due to the following reason(s): " + + " ".join(conditions_failed) + ) findings.append(report) diff --git a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py index 63f572ad8da..bc3b182eff3 100644 --- a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py +++ b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py @@ -87,7 +87,7 @@ def test_organization_with_AI_optout_no_policies(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." + == "AWS Organization o-1234567890 has no opt-out policy for AI services." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -160,7 +160,7 @@ def test_organization_with_AI_optout_policy_complete(self): assert result[0].status == "PASS" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has opted out of all AI services, not granting consent for AWS to access its data, and also disallows child-accounts to overwrite this policy." + == "AWS Organization o-1234567890 has opted out of all AI services and also disallows child-accounts to overwrite this policy." ) assert result[0].resource_id == "o-1234567890" assert ( 
@@ -216,7 +216,7 @@ def test_organization_with_AI_optout_policy_no_content(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." + == "AWS Organization o-1234567890 failed the check due to the following reason(s): Organization has not opted out of all AI services. Organization does not disallow child-accounts to overwrite the policy." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -276,7 +276,7 @@ def test_organization_with_AI_optout_policy_no_disallow(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." + == "AWS Organization o-1234567890 failed the check due to the following reason(s): Organization does not disallow child-accounts to overwrite the policy." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -342,7 +342,7 @@ def test_organization_with_AI_optout_policy_no_opt_out(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data, or does not disallow child-accounts to overwrite this policy." + == "AWS Organization o-1234567890 failed the check due to the following reason(s): Organization has not opted out of all AI services." ) assert result[0].resource_id == "o-1234567890" assert ( From 1a47e14df1157872256b02d704e8a06757ba7e8f Mon Sep 17 00:00:00 2001 
From: MrCloudSec Date: Fri, 20 Dec 2024 09:16:08 -0500 Subject: [PATCH 4/4] chore: revision --- ...s_opt_out_ai_services_policy.metadata.json | 2 +- ...rganizations_opt_out_ai_services_policy.py | 20 ++++++------------ ...zations_opt_out_ai_services_policy_test.py | 21 +++++++++++-------- 3 files changed, 19 insertions(+), 24 deletions(-) diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json index 14afb963507..5df3fe269d1 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json @@ -13,7 +13,7 @@ "RelatedUrl": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_all.html", "Remediation": { "Code": { - "CLI": "aws organizations enable-policy-type --root-id --policy-type AI_SERVICES_OPT_OUT {'services': {'default': {'opt_out_policy': {'@@assign': 'optOut'}}}}", + "CLI": "", "NativeIaC": "", "Other": "", "Terraform": "" diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py index d2f69f43f96..d7aa4db3f75 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py 
@@ -22,7 +22,6 @@ def execute(self): ) if organizations_client.organization.status == "ACTIVE": - conditions_failed = [] all_conditions_passed = False opt_out_policies = organizations_client.organization.policies.get( "AISERVICES_OPT_OUT_POLICY", [] @@ -47,23 +46,16 @@ def execute(self): all_conditions_passed = True break - if not condition_1: - conditions_failed.append( - "Organization has not opted out of all AI services." - ) - if not condition_2: - conditions_failed.append( - "Organization does not disallow child-accounts to overwrite the policy." - ) + if not condition_1 and not condition_2: + report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services and it does not disallow child-accounts to overwrite the policy." + elif not condition_1: + report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services." + elif not condition_2: + report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services but it does not disallow child-accounts to overwrite the policy." if all_conditions_passed: report.status = "PASS" report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services and also disallows child-accounts to overwrite this policy." - else: - report.status_extended = ( - f"AWS Organization {organizations_client.organization.id} failed the check due to the following reason(s): " - + " ".join(conditions_failed) - ) findings.append(report) diff --git a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py index bc3b182eff3..4a92efc85e8 100644 
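Review bot: The new `if not condition_1 and not condition_2` / `elif` chain appears to sit inside the `for policy in opt_out_policies:` loop (indentation is not recoverable from the collapsed hunk) and assigns `report.status_extended` unconditionally, so when several `AISERVICES_OPT_OUT_POLICY` policies exist and none passes, the FAIL message describes only the last policy iterated, whereas the removed `conditions_failed` list at least kept every reason. If multiple policies are expected, either aggregate the per-policy messages again or add a comment such as `# only the last evaluated policy's reason is reported` so the behaviour is deliberate. Independently, `Policy.targets` (built as `targets=[]` in the tests) is never consulted, so a policy that is defined but not attached to the organization root still yields PASS; if `targets` reflects attachment, requiring a non-empty `targets` before setting `all_conditions_passed` would close that gap. `execute` begins before the first hunk and its remainder lies outside the view.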
--- a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py +++ b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py @@ -141,12 +141,15 @@ def test_organization_with_AI_optout_policy_complete(self): "prowler.providers.common.provider.Provider.get_global_provider", return_value=aws_provider, ): - with mock.patch( - "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client", - new=organizations_client, - ), mock.patch( - "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client.get_unknown_arn", - return_value="arn:aws:organizations:eu-west-1:0123456789012:unknown", + with ( + mock.patch( + "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client", + new=organizations_client, + ), + mock.patch( + "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client.get_unknown_arn", + return_value="arn:aws:organizations:eu-west-1:0123456789012:unknown", + ), ): # Test Check from prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy import ( 
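Review bot: The rewritten `with (mock.patch(...), mock.patch(...)):` block uses parenthesized context managers, which are officially supported only from Python 3.10; if the project still supports 3.9 this hunk fails to parse there, and it would be safer to keep the single-line `with mock.patch(...), mock.patch(...):` form or state the minimum version the tests assume. Behaviourally the two forms are identical, so nothing else changes. The enclosing `test_organization_with_AI_optout_policy_complete` starts before the hunk.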
@@ -216,7 +219,7 @@ def test_organization_with_AI_optout_policy_no_content(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 failed the check due to the following reason(s): Organization has not opted out of all AI services. Organization does not disallow child-accounts to overwrite the policy." + == "AWS Organization o-1234567890 has not opted out of all AI services and it does not disallow child-accounts to overwrite the policy." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -276,7 +279,7 @@ def test_organization_with_AI_optout_policy_no_disallow(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 failed the check due to the following reason(s): Organization does not disallow child-accounts to overwrite the policy." + == "AWS Organization o-1234567890 has opted out of all AI services but it does not disallow child-accounts to overwrite the policy." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -342,7 +345,7 @@ def test_organization_with_AI_optout_policy_no_opt_out(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 failed the check due to the following reason(s): Organization has not opted out of all AI services." + == "AWS Organization o-1234567890 has not opted out of all AI services." ) assert result[0].resource_id == "o-1234567890" assert (