From 6d9a016b1fa06511648ebd7e31b5e16c7dded7da Mon Sep 17 00:00:00 2001 From: MrCloudSec Date: Fri, 17 Jan 2025 08:58:18 -0500 Subject: [PATCH 01/12] chore: enable resource metadata in outputs --- prowler/lib/check/models.py | 53 +++++++------------ prowler/lib/outputs/common.py | 2 +- prowler/lib/outputs/finding.py | 2 +- prowler/lib/outputs/ocsf/ocsf.py | 5 +- ...hanges_to_network_acls_alarm_configured.py | 2 +- ...es_to_network_gateways_alarm_configured.py | 2 +- ...o_network_route_tables_alarm_configured.py | 2 +- ...dwatch_changes_to_vpcs_alarm_configured.py | 2 +- ...ws_config_configuration_changes_enabled.py | 2 +- ...loudtrail_configuration_changes_enabled.py | 2 +- ...g_metric_filter_authentication_failures.py | 2 +- ...metric_filter_aws_organizations_changes.py | 2 +- ...isable_or_scheduled_deletion_of_kms_cmk.py | 2 +- ...ric_filter_for_s3_bucket_policy_changes.py | 2 +- ...dwatch_log_metric_filter_policy_changes.py | 2 +- ...cloudwatch_log_metric_filter_root_usage.py | 2 +- ...og_metric_filter_security_group_changes.py | 2 +- ...h_log_metric_filter_sign_in_without_mfa.py | 2 +- ...og_metric_filter_unauthorized_api_calls.py | 2 +- ...s_policy_require_mfa_for_management_api.py | 2 +- ...ra_global_admin_in_less_than_five_users.py | 3 +- .../entra_non_privileged_user_has_mfa.py | 2 +- 22 files changed, 42 insertions(+), 57 deletions(-) diff --git a/prowler/lib/check/models.py b/prowler/lib/check/models.py index 52767e59d14..1147bdb1679 100644 --- a/prowler/lib/check/models.py +++ b/prowler/lib/check/models.py @@ -410,7 +410,7 @@ class Check_Report: resource_tags: list muted: bool - def __init__(self, metadata: Dict, resource: Any = None) -> None: + def __init__(self, metadata: Dict, resource: Any) -> None: """Initialize the Check's finding information. Args: 
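Review bot: Dropping the `= None` default on `resource` turns every existing call that constructs a `Check_Report` without a resource into a `TypeError` at check execution time, and the same default is removed from `Check_Report_AWS.__init__` and `Check_Report_Azure.__init__` in the next two hunks. If a resource is now mandatory, the `Args:` section that continues below this hunk should say so and should document the convention this patch introduces for findings with no single resource (the CloudWatch checks below pass `{}`), e.g. `resource: The resource the finding is about; pass {} for account-level findings.`. The body of `__init__` continues outside the hunk.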
@@ -449,20 +449,15 @@ class Check_Report_AWS(Check_Report): resource_arn: str region: str - def __init__(self, metadata, resource_metadata=None): + def __init__(self, metadata: Dict, resource_metadata: Any) -> None: super().__init__(metadata, resource_metadata) - if resource_metadata: - self.resource_id = ( - getattr(resource_metadata, "id", None) - or getattr(resource_metadata, "name", None) - or "" - ) - self.resource_arn = getattr(resource_metadata, "arn", "") - self.region = getattr(resource_metadata, "region", "") - else: - self.resource_id = "" - self.resource_arn = "" - self.region = "" + self.resource_id = ( + getattr(resource_metadata, "id", None) + or getattr(resource_metadata, "name", None) + or "" + ) + self.resource_arn = getattr(resource_metadata, "arn", "") + self.region = getattr(resource_metadata, "region", "") @dataclass @@ -474,7 +469,7 @@ class Check_Report_Azure(Check_Report): subscription: str location: str - def __init__(self, metadata: Dict, resource_metadata: Any = None) -> None: + def __init__(self, metadata: Dict, resource_metadata: Any) -> None: """Initialize the Azure Check's finding information. Args: 
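Review bot: `Check_Report_AWS.__init__` gains type annotations but no docstring, while its Azure sibling in the next hunk documents its arguments; the `Check_Report_GCP` and `Check_Report_Kubernetes` signatures in the following hunks have the same gap, and the GCP one annotates only its first two parameters. Because the constructor now always probes the resource, the docstring should state what the code does: `resource_id` is `id`, else `name`, else `""`; `resource_arn` and `region` come from `arn` and `region` with `""` as fallback; and since `getattr` does not read dict keys, a resource passed as a plain `dict` always yields empty identifiers. A three-line docstring along the lines of `"""Initialize the AWS Check's finding information. resource_metadata: resource model read via getattr (id/name, arn, region); missing attributes default to ""."""` would cover it.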
@@ -482,23 +477,11 @@ def __init__(self, metadata: Dict, resource_metadata: Any = None) -> None: resource_metadata: Basic information about the resource. Defaults to None. """ super().__init__(metadata, resource_metadata) - self.resource_name = ( - resource_metadata.name - if hasattr(resource_metadata, "name") - else ( - resource_metadata.resource_name - if hasattr(resource_metadata, "resource_name") - else "" - ) + self.resource_name = getattr( + resource_metadata, "name", getattr(resource_metadata, "resource_name", "") ) - self.resource_id = ( - resource_metadata.id - if hasattr(resource_metadata, "id") - else ( - resource_metadata.resource_id - if hasattr(resource_metadata, "resource_id") - else "" - ) + self.resource_id = getattr( + resource_metadata, "id", getattr(resource_metadata, "resource_id", "") ) self.subscription = "" self.location = getattr(resource_metadata, "location", "global") @@ -515,13 +498,13 @@ class Check_Report_GCP(Check_Report): def __init__( self, - metadata, - resource_metadata, + metadata: Dict, + resource_metadata: Any, location=None, resource_name=None, resource_id=None, project_id=None, - ): + ) -> None: super().__init__(metadata, resource_metadata) self.resource_id = ( resource_id @@ -547,7 +530,7 @@ class Check_Report_Kubernetes(Check_Report): resource_id: str namespace: str - def __init__(self, metadata, resource_metadata): + def __init__(self, metadata: Dict, resource_metadata: Any) -> None: super().__init__(metadata, resource_metadata) self.resource_id = ( getattr(resource_metadata, "uid", None) diff --git a/prowler/lib/outputs/common.py b/prowler/lib/outputs/common.py index 37b2c269053..9616c08b001 100644 --- a/prowler/lib/outputs/common.py +++ b/prowler/lib/outputs/common.py 
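Review bot: The context line `resource_metadata: Basic information about the resource. Defaults to None.` is now stale, because the previous hunk removed the `= None` default from this signature; it should read `resource_metadata: Basic information about the resource (required).`. The new `getattr(resource_metadata, "name", getattr(resource_metadata, "resource_name", ""))` produces the same value as the old `hasattr` chain, the only difference being that the inner lookup is now evaluated unconditionally, which is harmless here but worth one comment such as `# name takes precedence over resource_name; getattr keeps dict/None resources at ""`. The `__init__` signature is in the previous hunk and the method body continues past `self.location`.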
@@ -14,7 +14,7 @@ def fill_common_finding_data(finding: dict, unix_timestamp: bool) -> dict:
 "status_extended": finding.status_extended,
 "muted": finding.muted,
 "resource_details": finding.resource_details,
- # "resource_metadata": finding.resource_metadata, TODO: add resource_metadata to the finding
+ "resource_metadata": finding.resource_metadata,
 "resource_tags": unroll_tags(finding.resource_tags),
 }
 return finding_data
diff --git a/prowler/lib/outputs/finding.py b/prowler/lib/outputs/finding.py
index 97b497c3154..c9ad89bacbc 100644
--- a/prowler/lib/outputs/finding.py
+++ b/prowler/lib/outputs/finding.py
@@ -35,7 +35,7 @@ class Finding(BaseModel):
 status_extended: str
 muted: bool = False
 resource_uid: str
- # resource_metadata: dict = Field(default_factory=dict) TODO: add resource_metadata to the finding
+ resource_metadata: dict = Field(default_factory=dict)
 resource_name: str
 resource_details: str
 resource_tags: dict = Field(default_factory=dict)
diff --git a/prowler/lib/outputs/ocsf/ocsf.py b/prowler/lib/outputs/ocsf/ocsf.py
index e7a2e454d8b..11e8da1b2e6 100644
--- a/prowler/lib/outputs/ocsf/ocsf.py
+++ b/prowler/lib/outputs/ocsf/ocsf.py
@@ -113,7 +113,7 @@ def transform(self, findings: List[Finding]) -> None:
 region=finding.region,
 data={
 "details": finding.resource_details,
- # "metadata": finding.resource_metadata, TODO: add the resource_metadata to the finding
+ "metadata": finding.resource_metadata,
 },
 )
 ]
@@ -127,7 +127,7 @@ def transform(self, findings: List[Finding]) -> None:
 type=finding.metadata.ResourceType,
 data={
 "details": finding.resource_details,
- # "metadata": finding.resource_metadata, TODO: add the resource_metadata to the finding
+ "metadata": finding.resource_metadata,
 },
 namespace=finding.region.replace("namespace: ", ""),
 )
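Review bot: `"resource_metadata": finding.resource_metadata` copies the whole resource object into every output row, and the two `ocsf.py` hunks below put the same value into the OCSF `resource.data["metadata"]`. Several checks touched by the second patch of this series collect resources whose models plausibly carry sensitive material — its diffstat lists `ec2_instance_secrets_user_data.py`, `awslambda_function_no_secrets_in_variables.py`, `codebuild_project_no_secrets_in_variables.py` and `cloudformation_stack_outputs_find_secrets.py` — so if those models hold the raw user data, environment variables or stack outputs, the very secrets the checks look for would now be written verbatim into the report files. Consider redacting or allow-listing fields before they reach `finding_data`, and state the expectation on this line, e.g. `"resource_metadata": finding.resource_metadata,  # full resource model: keep credential-bearing fields out`. Tags are normalised through `unroll_tags` but nothing equivalent is applied here, so non-JSON-serialisable values (datetimes, nested models) may also trip the JSON writers unless the conversion into `Finding`, which is outside this diff, already flattens them.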
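Review bot: `resource_metadata: dict = Field(default_factory=dict)` makes the field a validated `dict` on the pydantic model, but `Check_Report.resource` is typed `Any` in the models.py hunk and the Azure checks in this patch pass model objects rather than dicts (for example `directory_roles["Global Administrator"]`), so unless the conversion from `Check_Report` into `Finding` — not shown in this diff — serialises the resource to a dict, validation will reject those findings. Whatever that conversion does, it is worth stating on the field, e.g. `resource_metadata: dict = Field(default_factory=dict)  # serialised resource model from Check_Report.resource`. The `Finding` class continues outside the hunk.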
@@ -206,6 +206,7 @@ def batch_write_data_to_file(self) -> None:
 self._file_descriptor.write("]")
 self._file_descriptor.close()
 except Exception as error:
+ print(finding)
 logger.error(
 f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
 )
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
index 712c5b0b4cf..3eb5e36e4c8 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py
index c4fb2061842..e5cb9c6e067 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py
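Review bot: `print(finding)` inside the `except Exception` branch looks like a leftover debug statement: it dumps the entire finding — which now includes `resource_metadata` — to stdout outside the logger, and `finding` is presumably the loop variable bound above the hunk, so an exception raised before the first iteration makes the handler itself fail with `NameError` and hides the original error. Drop the `print(finding)` line; if the failing finding needs to be identified, pass a non-sensitive identifier into the existing `logger.error` call rather than printing the object. The body of `batch_write_data_to_file` starts outside the hunk.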
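Review bot: With `resource_metadata={}` the `Check_Report_AWS` constructor in the models.py hunk resolves `resource_id`, `resource_arn` and `region` through `getattr`, which does not read dict keys, so this account-level FAIL finding is created with all three empty; the identical replacement appears in the other fourteen `cloudwatch_*` hunks below, through `cloudwatch_log_metric_filter_unauthorized_api_calls`. Unless the lines after `report.status_extended` (outside the hunk) set `report.region` and `report.resource_id`, the finding is emitted without a region or resource identifier and cannot be attributed in the outputs; this is presumably not a regression, since `logs_client.log_groups` went through the same `getattr` path, but the new literal makes the intent worth stating. If `{}` is the agreed convention for findings with no single resource, say so inline: `resource_metadata={},  # account-level finding: no log group to attach`.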
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py
index c94e1acbf9a..559c3f35922 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py
index c91fc312827..58469d1ea89 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py
index 8e2f9b50024..95d6f29ecf9 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py
@@ -29,7 +29,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py
index 34c98e8f8c6..a10e3bcce1b 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py
@@ -29,7 +29,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py
index 1aa01bc717d..cd20ac32766 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py
index f28de4a7cb0..35b28733561 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py
index 912e2e9876f..716a7fe30e7 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py
index 3fffec471b6..f8cf5e79ce3 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py
index fda6e264b58..ca4d0770b9d 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py
index 2023ddabd7a..ab0d2d35dff 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py
index 45dad4b046b..4750cc05429 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py
index 3004b852f32..4ff1616a6c4 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py
index 7c507a2919a..e4cd26b9e02 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py
@@ -27,7 +27,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=logs_client.log_groups
+ metadata=self.metadata(), resource_metadata={}
 )
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
diff --git a/prowler/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api.py b/prowler/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api.py
index ce113af7a45..8baa858b43d 100644
--- a/prowler/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api.py
+++ b/prowler/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api.py @@ -34,7 +34,7 @@ def execute(self) -> Check_Report_Azure: else: report = Check_Report_Azure( metadata=self.metadata(), - resource_metadata=conditional_access_policies.values(), + resource_metadata=conditional_access_policies, ) report.subscription = f"Tenant: {tenant_name}" report.resource_name = "Conditional Access Policy" diff --git a/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py b/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py index 5c415aa500b..62ba2b789ea 100644 --- a/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py +++ b/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py @@ -8,7 +8,8 @@ def execute(self) -> Check_Report_Azure: for tenant_domain, directory_roles in entra_client.directory_roles.items(): report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=entra_client.users + metadata=self.metadata(), + resource_metadata=directory_roles["Global Administrator"], ) report.status = "FAIL" report.subscription = f"Tenant: {tenant_domain}" diff --git a/prowler/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa.py b/prowler/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa.py index 11d98e4ba70..305f6123c88 100644 --- a/prowler/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa.py +++ b/prowler/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa.py 
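Review bot: `directory_roles["Global Administrator"]` is a hard subscript, so a tenant whose collected roles lack that key raises `KeyError` inside the `for tenant_domain, directory_roles` loop and aborts the whole check instead of producing a finding for that tenant; the old argument (`entra_client.users`) could not fail this way. Unless the collector guarantees the key (not visible here) or the loop body below the hunk already guards it, use `resource_metadata=directory_roles.get("Global Administrator", {}),` — the `Check_Report_Azure` constructor reads the resource only through `getattr` with defaults, so an empty dict is safe. Also note that the role object now becomes the finding's `resource_metadata` in the outputs, which for this role is a list of privileged principals. The loop body continues outside the hunk.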
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_Azure: findings = [] for tenant_domain, users in entra_client.users.items(): - for user_domain_name, user in users.items(): + for user in users.values(): if not is_privileged_user( user, entra_client.directory_roles[tenant_domain] ): From 12dfbcc93e4e22812dfe374b788c0adf8264fbb0 Mon Sep 17 00:00:00 2001 
From: MrCloudSec Date: Fri, 17 Jan 2025 08:58:58 -0500 Subject: [PATCH 02/12] chore: rename resource_metadata to resource --- prowler/lib/check/models.py | 68 +++++++++---------- prowler/lib/outputs/common.py | 2 +- prowler/lib/outputs/finding.py | 2 +- prowler/lib/outputs/ocsf/ocsf.py | 4 +- .../accessanalyzer_enabled.py | 4 +- ...accessanalyzer_enabled_without_findings.py | 4 +- ...ccount_maintain_current_contact_details.py | 2 +- ...ails_to_security_billing_and_operations.py | 2 +- ...urity_contact_information_is_registered.py | 2 +- ...tions_are_registered_in_the_aws_account.py | 2 +- .../acm_certificates_expiration_check.py | 2 +- ..._certificates_transparency_logs_enabled.py | 2 +- ...certificates_with_secure_key_algorithms.py | 2 +- .../apigateway_restapi_authorizers_enabled.py | 4 +- .../apigateway_restapi_cache_encrypted.py | 4 +- ...eway_restapi_client_certificate_enabled.py | 4 +- .../apigateway_restapi_logging_enabled.py | 4 +- .../apigateway_restapi_public.py | 4 +- ...igateway_restapi_public_with_authorizer.py | 4 +- .../apigateway_restapi_tracing_enabled.py | 4 +- .../apigateway_restapi_waf_acl_attached.py | 4 +- ...apigatewayv2_api_access_logging_enabled.py | 2 +- .../apigatewayv2_api_authorizers_enabled.py | 2 +- ..._fleet_default_internet_access_disabled.py | 2 +- ...ppstream_fleet_maximum_session_duration.py | 2 +- ...stream_fleet_session_disconnect_timeout.py | 2 +- ...m_fleet_session_idle_disconnect_timeout.py | 2 +- .../appsync_field_level_logging_enabled.py | 2 +- ...c_graphql_api_no_api_key_authentication.py | 4 +- .../athena_workgroup_encryption.py | 4 +- .../athena_workgroup_enforce_configuration.py | 4 +- .../athena_workgroup_logging_enabled.py | 4 +- ...g_find_secrets_ec2_launch_configuration.py | 4 +- ...caling_group_capacity_rebalance_enabled.py | 4 +- ...oscaling_group_elb_health_check_enabled.py | 4 +- ...group_launch_configuration_no_public_ip.py | 4 +- ...up_launch_configuration_requires_imdsv2.py | 4 +- 
.../autoscaling_group_multiple_az.py | 2 +- ...toscaling_group_multiple_instance_types.py | 2 +- ...scaling_group_using_ec2_launch_template.py | 2 +- .../awslambda_function_inside_vpc.py | 4 +- ...i_operations_cloudtrail_logging_enabled.py | 4 +- .../awslambda_function_no_secrets_in_code.py | 2 +- ...lambda_function_no_secrets_in_variables.py | 4 +- ...lambda_function_not_publicly_accessible.py | 4 +- .../awslambda_function_url_cors_policy.py | 4 +- .../awslambda_function_url_public.py | 4 +- ...ambda_function_using_supported_runtimes.py | 4 +- .../awslambda_function_vpc_multi_az.py | 4 +- .../backup_plans_exist/backup_plans_exist.py | 4 +- .../backup_recovery_point_encrypted.py | 4 +- .../backup_reportplans_exist.py | 4 +- .../backup_vaults_encrypted.py | 2 +- .../backup_vaults_exist.py | 4 +- .../bedrock_agent_guardrail_enabled.py | 2 +- ..._guardrail_prompt_attack_filter_enabled.py | 4 +- ...il_sensitive_information_filter_enabled.py | 4 +- ...edrock_model_invocation_logging_enabled.py | 4 +- ...odel_invocation_logs_encryption_enabled.py | 4 +- ...tion_stack_cdktoolkit_bootstrap_version.py | 4 +- ...oudformation_stack_outputs_find_secrets.py | 2 +- ...n_stacks_termination_protection_enabled.py | 4 +- ...nt_distributions_custom_ssl_certificate.py | 4 +- ...front_distributions_default_root_object.py | 4 +- ...ibutions_field_level_encryption_enabled.py | 4 +- ..._distributions_geo_restrictions_enabled.py | 4 +- .../cloudfront_distributions_https_enabled.py | 4 +- ...udfront_distributions_https_sni_enabled.py | 2 +- ...loudfront_distributions_logging_enabled.py | 4 +- ...ons_multiple_origin_failover_configured.py | 4 +- ..._distributions_origin_traffic_encrypted.py | 4 +- ..._distributions_s3_origin_access_control.py | 4 +- ...ributions_s3_origin_non_existent_bucket.py | 4 +- ...ibutions_using_deprecated_ssl_protocols.py | 4 +- .../cloudfront_distributions_using_waf.py | 4 +- .../cloudtrail_bucket_requires_mfa_delete.py | 4 +- 
.../cloudtrail_cloudwatch_logging_enabled.py | 4 +- .../cloudtrail_insights_exist.py | 4 +- .../cloudtrail_kms_encryption_enabled.py | 4 +- .../cloudtrail_log_file_validation_enabled.py | 4 +- ...l_logs_s3_bucket_access_logging_enabled.py | 4 +- ...gs_s3_bucket_is_not_publicly_accessible.py | 4 +- .../cloudtrail_multi_region_enabled.py | 2 +- ...egion_enabled_logging_management_events.py | 4 +- .../cloudtrail_s3_dataevents_read_enabled.py | 6 +- .../cloudtrail_s3_dataevents_write_enabled.py | 6 +- ...cloudtrail_threat_detection_enumeration.py | 4 +- ...cloudtrail_threat_detection_llm_jacking.py | 4 +- ...l_threat_detection_privilege_escalation.py | 4 +- ...ch_alarm_actions_alarm_state_configured.py | 4 +- .../cloudwatch_alarm_actions_enabled.py | 4 +- ...hanges_to_network_acls_alarm_configured.py | 4 +- ...es_to_network_gateways_alarm_configured.py | 4 +- ...o_network_route_tables_alarm_configured.py | 4 +- ...dwatch_changes_to_vpcs_alarm_configured.py | 4 +- ...oudwatch_cross_account_sharing_disabled.py | 6 +- ...dwatch_log_group_kms_encryption_enabled.py | 4 +- ...cloudwatch_log_group_no_secrets_in_logs.py | 4 +- ...watch_log_group_not_publicly_accessible.py | 4 +- ..._retention_policy_specific_days_enabled.py | 4 +- ...ws_config_configuration_changes_enabled.py | 4 +- ...loudtrail_configuration_changes_enabled.py | 4 +- ...g_metric_filter_authentication_failures.py | 4 +- ...metric_filter_aws_organizations_changes.py | 4 +- ...isable_or_scheduled_deletion_of_kms_cmk.py | 4 +- ...ric_filter_for_s3_bucket_policy_changes.py | 4 +- ...dwatch_log_metric_filter_policy_changes.py | 4 +- ...cloudwatch_log_metric_filter_root_usage.py | 4 +- ...og_metric_filter_security_group_changes.py | 4 +- ...h_log_metric_filter_sign_in_without_mfa.py | 4 +- ...og_metric_filter_unauthorized_api_calls.py | 4 +- .../services/cloudwatch/lib/metric_filters.py | 2 +- ...ges_external_public_publishing_disabled.py | 4 +- .../codebuild_project_logging_enabled.py | 4 +- 
...debuild_project_no_secrets_in_variables.py | 4 +- .../codebuild_project_older_90_days.py | 4 +- .../codebuild_project_s3_logs_encrypted.py | 4 +- ...ource_repo_url_no_sensitive_credentials.py | 4 +- ...build_project_user_controlled_buildspec.py | 4 +- ...codebuild_report_group_export_encrypted.py | 2 +- ...ito_identity_pool_guest_access_disabled.py | 4 +- ...ito_user_pool_advanced_security_enabled.py | 2 +- ...ompromised_credentials_sign_in_attempts.py | 2 +- ...ks_potential_malicious_sign_in_attempts.py | 2 +- ...ol_client_prevent_user_existence_errors.py | 2 +- ...er_pool_client_token_revocation_enabled.py | 2 +- ...o_user_pool_deletion_protection_enabled.py | 2 +- .../cognito_user_pool_mfa_enabled.py | 2 +- ...ito_user_pool_password_policy_lowercase.py | 2 +- ..._pool_password_policy_minimum_length_14.py | 2 +- ...ognito_user_pool_password_policy_number.py | 2 +- ...ognito_user_pool_password_policy_symbol.py | 2 +- ...ito_user_pool_password_policy_uppercase.py | 2 +- ...to_user_pool_self_registration_disabled.py | 4 +- ...user_pool_temporary_password_expiration.py | 2 +- .../cognito_user_pool_waf_acl_attached.py | 2 +- .../config_recorder_all_regions_enabled.py | 4 +- .../config_recorder_using_aws_service_role.py | 4 +- .../datasync_task_logging_enabled.py | 2 +- .../directconnect_connection_redundancy.py | 2 +- ...ectconnect_virtual_interface_redundancy.py | 4 +- ...ervice_directory_log_forwarding_enabled.py | 4 +- ...service_directory_monitor_notifications.py | 4 +- ...ectoryservice_directory_snapshots_limit.py | 4 +- ...toryservice_ldap_certificate_expiration.py | 4 +- ...service_radius_server_security_protocol.py | 4 +- ...oryservice_supported_mfa_radius_enabled.py | 4 +- ...lm_ebs_snapshot_lifecycle_policy_exists.py | 2 +- ...endpoint_mongodb_authentication_enabled.py | 4 +- ...point_neptune_iam_authorization_enabled.py | 4 +- ...int_redis_in_transit_encryption_enabled.py | 4 +- .../dms_endpoint_ssl_enabled.py | 4 +- 
..._instance_minor_version_upgrade_enabled.py | 4 +- .../dms_instance_multi_az_enabled.py | 4 +- .../dms_instance_no_public_access.py | 4 +- ...replication_task_source_logging_enabled.py | 2 +- ...replication_task_target_logging_enabled.py | 2 +- .../documentdb_cluster_backup_enabled.py | 4 +- ...ocumentdb_cluster_cloudwatch_log_export.py | 4 +- .../documentdb_cluster_deletion_protection.py | 4 +- .../documentdb_cluster_multi_az_enabled.py | 4 +- .../documentdb_cluster_public_snapshot.py | 4 +- .../documentdb_cluster_storage_encrypted.py | 4 +- .../drs/drs_job_exist/drs_job_exist.py | 2 +- ..._accelerator_cluster_encryption_enabled.py | 4 +- ...r_cluster_in_transit_encryption_enabled.py | 4 +- .../dynamodb_accelerator_cluster_multi_az.py | 4 +- .../dynamodb_table_autoscaling_enabled.py | 2 +- .../dynamodb_table_cross_account_access.py | 2 +- ...amodb_table_deletion_protection_enabled.py | 2 +- ...dynamodb_table_protected_by_backup_plan.py | 2 +- ...amodb_tables_kms_cmk_encryption_enabled.py | 2 +- .../dynamodb_tables_pitr_enabled.py | 2 +- .../ec2/ec2_ami_public/ec2_ami_public.py | 2 +- ...vpn_endpoint_connection_logging_enabled.py | 4 +- .../ec2_ebs_default_encryption.py | 2 +- .../ec2_ebs_public_snapshot.py | 4 +- ...bs_snapshot_account_block_public_access.py | 2 +- .../ec2_ebs_snapshots_encrypted.py | 4 +- .../ec2_ebs_volume_encryption.py | 4 +- ...ec2_ebs_volume_protected_by_backup_plan.py | 4 +- .../ec2_ebs_volume_snapshots_exists.py | 4 +- .../ec2_elastic_ip_shodan.py | 4 +- .../ec2_elastic_ip_unassigned.py | 2 +- .../ec2_instance_account_imdsv2_enabled.py | 2 +- ...c2_instance_detailed_monitoring_enabled.py | 4 +- .../ec2_instance_imdsv2_enabled.py | 4 +- ...e_internet_facing_with_instance_profile.py | 4 +- .../ec2_instance_managed_by_ssm.py | 4 +- .../ec2_instance_older_than_specific_days.py | 4 +- .../ec2_instance_paravirtual_type.py | 4 +- ...ance_port_cassandra_exposed_to_internet.py | 4 +- ..._instance_port_cifs_exposed_to_internet.py | 4 +- 
...lasticsearch_kibana_exposed_to_internet.py | 4 +- ...2_instance_port_ftp_exposed_to_internet.py | 4 +- ...instance_port_kafka_exposed_to_internet.py | 4 +- ...tance_port_kerberos_exposed_to_internet.py | 4 +- ..._instance_port_ldap_exposed_to_internet.py | 4 +- ...ance_port_memcached_exposed_to_internet.py | 4 +- ...stance_port_mongodb_exposed_to_internet.py | 4 +- ...instance_port_mysql_exposed_to_internet.py | 4 +- ...nstance_port_oracle_exposed_to_internet.py | 4 +- ...nce_port_postgresql_exposed_to_internet.py | 4 +- ...2_instance_port_rdp_exposed_to_internet.py | 4 +- ...instance_port_redis_exposed_to_internet.py | 4 +- ...ance_port_sqlserver_exposed_to_internet.py | 4 +- ...2_instance_port_ssh_exposed_to_internet.py | 4 +- ...nstance_port_telnet_exposed_to_internet.py | 4 +- .../ec2_instance_profile_attached.py | 4 +- .../ec2_instance_public_ip.py | 4 +- .../ec2_instance_secrets_user_data.py | 4 +- .../ec2_instance_uses_single_eni.py | 4 +- .../ec2_launch_template_imdsv2_required.py | 4 +- .../ec2_launch_template_no_public_ip.py | 4 +- .../ec2_launch_template_no_secrets.py | 4 +- .../ec2_networkacl_allow_ingress_any_port.py | 2 +- ...c2_networkacl_allow_ingress_tcp_port_22.py | 2 +- ..._networkacl_allow_ingress_tcp_port_3389.py | 2 +- .../ec2_networkacl_unused.py | 2 +- ...llow_ingress_from_internet_to_all_ports.py | 2 +- ...allow_ingress_from_internet_to_any_port.py | 2 +- ...ss_from_internet_to_high_risk_tcp_ports.py | 2 +- ...om_internet_to_port_mongodb_27017_27018.py | 2 +- ...ess_from_internet_to_tcp_ftp_port_20_21.py | 2 +- ...ow_ingress_from_internet_to_tcp_port_22.py | 2 +- ..._ingress_from_internet_to_tcp_port_3389.py | 2 +- ...et_to_tcp_port_cassandra_7199_9160_8888.py | 2 +- ...ort_elasticsearch_kibana_9200_9300_5601.py | 2 +- ...ss_from_internet_to_tcp_port_kafka_9092.py | 2 +- ...om_internet_to_tcp_port_memcached_11211.py | 2 +- ...ss_from_internet_to_tcp_port_mysql_3306.py | 2 +- ...m_internet_to_tcp_port_oracle_1521_2483.py | 2 +- 
...from_internet_to_tcp_port_postgres_5432.py | 2 +- ...ss_from_internet_to_tcp_port_redis_6379.py | 2 +- ...ternet_to_tcp_port_sql_server_1433_1434.py | 2 +- ...ess_from_internet_to_tcp_port_telnet_23.py | 2 +- ...curitygroup_allow_wide_open_public_ipv4.py | 2 +- ..._securitygroup_default_restrict_traffic.py | 2 +- .../ec2_securitygroup_from_launch_wizard.py | 4 +- .../ec2_securitygroup_not_used.py | 2 +- ...itygroup_with_many_ingress_egress_rules.py | 4 +- ...nsitgateway_auto_accept_vpc_attachments.py | 2 +- ...cr_registry_scan_images_on_push_enabled.py | 4 +- ...r_repositories_lifecycle_policy_enabled.py | 4 +- ...cr_repositories_not_publicly_accessible.py | 4 +- ...epositories_scan_images_on_push_enabled.py | 4 +- ...es_scan_vulnerabilities_in_latest_image.py | 2 +- .../ecr_repositories_tag_immutability.py | 4 +- .../ecs_cluster_container_insights_enabled.py | 4 +- ...service_fargate_latest_platform_version.py | 4 +- .../ecs_service_no_assign_public_ip.py | 4 +- ..._definitions_containers_readonly_access.py | 2 +- ...k_definitions_host_namespace_not_shared.py | 2 +- ..._definitions_host_networking_mode_users.py | 2 +- ...ecs_task_definitions_logging_block_mode.py | 2 +- .../ecs_task_definitions_logging_enabled.py | 2 +- ...task_definitions_no_environment_secrets.py | 2 +- ...sk_definitions_no_privileged_containers.py | 2 +- .../ecs_task_set_no_assign_public_ip.py | 4 +- ...efs_access_point_enforce_root_directory.py | 4 +- .../efs_access_point_enforce_user_identity.py | 4 +- .../efs_encryption_at_rest_enabled.py | 2 +- .../efs_have_backup_enabled.py | 2 +- ...fs_mount_target_not_publicly_accessible.py | 2 +- .../efs_multi_az_enabled.py | 2 +- .../efs_not_publicly_accessible.py | 2 +- ...r_kms_cmk_encryption_in_secrets_enabled.py | 4 +- .../eks_cluster_network_policy_enabled.py | 4 +- .../eks_cluster_not_publicly_accessible.py | 4 +- .../eks_cluster_private_nodes_enabled.py | 4 +- .../eks_cluster_uses_a_supported_version.py | 4 +- 
...control_plane_logging_all_types_enabled.py | 4 +- .../elasticache_cluster_uses_public_subnet.py | 4 +- ...dis_cluster_auto_minor_version_upgrades.py | 4 +- ...edis_cluster_automatic_failover_enabled.py | 4 +- ...lasticache_redis_cluster_backup_enabled.py | 4 +- ...s_cluster_in_transit_encryption_enabled.py | 4 +- ...sticache_redis_cluster_multi_az_enabled.py | 4 +- ...e_redis_cluster_rest_encryption_enabled.py | 4 +- ...he_redis_replication_group_auth_enabled.py | 4 +- ..._environment_cloudwatch_logging_enabled.py | 4 +- ...k_environment_enhanced_health_reporting.py | 4 +- ...alk_environment_managed_updates_enabled.py | 4 +- .../elb_connection_draining_enabled.py | 2 +- .../elb_cross_zone_load_balancing_enabled.py | 2 +- .../elb_desync_mitigation_mode.py | 2 +- .../elb_insecure_ssl_ciphers.py | 2 +- .../elb_internet_facing.py | 2 +- .../elb_is_in_multiple_az.py | 2 +- .../elb_logging_enabled.py | 2 +- .../elb_ssl_listeners/elb_ssl_listeners.py | 2 +- .../elb_ssl_listeners_use_acm_certificate.py | 2 +- ...elbv2_cross_zone_load_balancing_enabled.py | 4 +- .../elbv2_deletion_protection.py | 2 +- .../elbv2_desync_mitigation_mode.py | 4 +- .../elbv2_insecure_ssl_ciphers.py | 2 +- .../elbv2_internet_facing.py | 2 +- .../elbv2_is_in_multiple_az.py | 2 +- .../elbv2_listeners_underneath.py | 2 +- .../elbv2_logging_enabled.py | 2 +- .../elbv2_nlb_tls_termination_enabled.py | 4 +- .../elbv2_ssl_listeners.py | 4 +- .../elbv2_waf_acl_attached.py | 4 +- ...mr_cluster_account_public_block_enabled.py | 2 +- .../emr_cluster_master_nodes_no_public_ip.py | 4 +- .../emr_cluster_publicly_accesible.py | 4 +- .../eventbridge_bus_cross_account_access.py | 2 +- .../eventbridge_bus_exposed.py | 2 +- ...obal_endpoint_event_replication_enabled.py | 4 +- ...ge_schema_registry_cross_account_access.py | 4 +- .../firehose_stream_encrypted_at_rest.py | 4 +- .../fms_policy_compliant.py | 4 +- ...ile_system_copy_tags_to_backups_enabled.py | 2 +- ...ile_system_copy_tags_to_volumes_enabled.py | 2 
+- ...sx_windows_file_system_multi_az_enabled.py | 2 +- .../glacier_vaults_policy_public_access.py | 2 +- ...connection_passwords_encryption_enabled.py | 2 +- ...ta_catalogs_metadata_encryption_enabled.py | 2 +- ...e_data_catalogs_not_publicly_accessible.py | 4 +- .../glue_database_connections_ssl_enabled.py | 2 +- ...ints_cloudwatch_logs_encryption_enabled.py | 4 +- ...dpoints_job_bookmark_encryption_enabled.py | 4 +- ...lopment_endpoints_s3_encryption_enabled.py | 4 +- ...e_etl_jobs_amazon_s3_encryption_enabled.py | 2 +- ...jobs_cloudwatch_logs_encryption_enabled.py | 2 +- ...tl_jobs_job_bookmark_encryption_enabled.py | 2 +- .../glue_etl_jobs_logging_enabled.py | 2 +- .../glue_ml_transform_encrypted_at_rest.py | 4 +- .../guardduty_centrally_managed.py | 4 +- ...uardduty_ec2_malware_protection_enabled.py | 4 +- .../guardduty_eks_audit_log_enabled.py | 4 +- ...uardduty_eks_runtime_monitoring_enabled.py | 4 +- .../guardduty_is_enabled.py | 4 +- .../guardduty_lambda_protection_enabled.py | 4 +- .../guardduty_no_high_severity_findings.py | 4 +- .../guardduty_rds_protection_enabled.py | 4 +- .../guardduty_s3_protection_enabled.py | 4 +- .../iam_administrator_access_with_mfa.py | 2 +- .../iam_avoid_root_usage.py | 4 +- ...hed_policy_no_administrative_privileges.py | 4 +- .../iam_check_saml_providers_sts.py | 6 +- ...hed_policy_no_administrative_privileges.py | 4 +- ...hed_policy_no_administrative_privileges.py | 4 +- .../iam_group_administrator_access_policy.py | 2 +- ...line_policy_allows_privilege_escalation.py | 4 +- ...ine_policy_no_administrative_privileges.py | 4 +- ...ine_policy_no_full_access_to_cloudtrail.py | 4 +- ...iam_inline_policy_no_full_access_to_kms.py | 4 +- ...ustom_policy_permissive_role_assumption.py | 4 +- ...m_no_expired_server_certificates_stored.py | 4 +- .../iam_no_root_access_key.py | 4 +- ...xpires_passwords_within_90_days_or_less.py | 2 +- .../iam_password_policy_lowercase.py | 2 +- .../iam_password_policy_minimum_length_14.py | 2 +- 
.../iam_password_policy_number.py | 2 +- .../iam_password_policy_reuse_24.py | 2 +- .../iam_password_policy_symbol.py | 2 +- .../iam_password_policy_uppercase.py | 2 +- .../iam_policy_allows_privilege_escalation.py | 4 +- ..._policy_attached_only_to_group_or_roles.py | 8 +-- ...am_policy_cloudshell_admin_not_attached.py | 2 +- ...iam_policy_no_full_access_to_cloudtrail.py | 4 +- .../iam_policy_no_full_access_to_kms.py | 4 +- .../iam_role_administratoraccess_policy.py | 4 +- ...ole_cross_account_readonlyaccess_policy.py | 4 +- ...ross_service_confused_deputy_prevention.py | 4 +- ...iam_root_credentials_management_enabled.py | 2 +- .../iam_root_hardware_mfa_enabled.py | 2 +- .../iam_root_mfa_enabled.py | 2 +- .../iam_rotate_access_key_90_days.py | 12 ++-- .../iam_securityaudit_role_created.py | 2 +- .../iam_support_role_created.py | 2 +- .../iam_user_accesskey_unused.py | 12 ++-- .../iam_user_administrator_access_policy.py | 2 +- .../iam_user_console_access_unused.py | 2 +- .../iam_user_hardware_mfa_enabled.py | 2 +- .../iam_user_mfa_enabled_console_access.py | 4 +- .../iam_user_no_setup_initial_access_key.py | 2 +- .../iam_user_two_active_access_key.py | 4 +- .../iam_user_with_temporary_credentials.py | 2 +- .../inspector2_active_findings_exist.py | 4 +- .../inspector2_is_enabled.py | 4 +- ...fka_cluster_encryption_at_rest_uses_cmk.py | 4 +- ...fka_cluster_enhanced_monitoring_enabled.py | 4 +- ...a_cluster_in_transit_encryption_enabled.py | 4 +- .../kafka_cluster_is_public.py | 4 +- ...uster_mutual_tls_authentication_enabled.py | 4 +- ...ka_cluster_unrestricted_access_disabled.py | 4 +- .../kafka_cluster_uses_latest_version.py | 4 +- ...connector_in_transit_encryption_enabled.py | 4 +- .../kinesis_stream_data_retention_period.py | 4 +- .../kinesis_stream_encrypted_at_rest.py | 4 +- .../kms/kms_cmk_are_used/kms_cmk_are_used.py | 4 +- .../kms_cmk_not_deleted_unintentionally.py | 4 +- .../kms_cmk_rotation_enabled.py | 2 +- .../kms_key_not_publicly_accessible.py | 4 +- 
.../lightsail_database_public.py | 4 +- .../lightsail_instance_automated_snapshots.py | 4 +- .../lightsail_instance_public.py | 4 +- .../lightsail_static_ip_unused.py | 4 +- ...omated_sensitive_data_discovery_enabled.py | 4 +- .../macie_is_enabled/macie_is_enabled.py | 4 +- ...ydb_cluster_auto_minor_version_upgrades.py | 4 +- .../mq_broker_active_deployment_mode.py | 4 +- .../mq_broker_auto_minor_version_upgrades.py | 4 +- .../mq_broker_cluster_deployment_mode.py | 4 +- .../mq_broker_logging_enabled.py | 4 +- .../mq_broker_not_publicly_accessible.py | 4 +- .../neptune_cluster_backup_enabled.py | 4 +- .../neptune_cluster_copy_tags_to_snapshots.py | 4 +- .../neptune_cluster_deletion_protection.py | 4 +- ...tune_cluster_iam_authentication_enabled.py | 4 +- ...une_cluster_integration_cloudwatch_logs.py | 4 +- .../neptune_cluster_multi_az.py | 4 +- .../neptune_cluster_public_snapshot.py | 4 +- .../neptune_cluster_snapshot_encrypted.py | 4 +- .../neptune_cluster_storage_encrypted.py | 4 +- .../neptune_cluster_uses_public_subnet.py | 4 +- .../networkfirewall_deletion_protection.py | 4 +- .../networkfirewall_in_all_vpc.py | 4 +- .../networkfirewall_logging_enabled.py | 4 +- .../networkfirewall_multi_az.py | 4 +- ...olicy_default_action_fragmented_packets.py | 4 +- ...wall_policy_default_action_full_packets.py | 4 +- ...rkfirewall_policy_rule_group_associated.py | 4 +- ..._service_domains_access_control_enabled.py | 4 +- ...h_service_domains_audit_logging_enabled.py | 4 +- ...vice_domains_cloudwatch_logging_enabled.py | 4 +- ...vice_domains_encryption_at_rest_enabled.py | 4 +- ...rvice_domains_fault_tolerant_data_nodes.py | 4 +- ...ice_domains_fault_tolerant_master_nodes.py | 4 +- ...e_domains_https_communications_enforced.py | 4 +- ..._domains_internal_user_database_enabled.py | 4 +- ...domains_node_to_node_encryption_enabled.py | 4 +- ...service_domains_not_publicly_accessible.py | 4 +- ..._to_the_latest_service_software_version.py | 4 +- 
...s_use_cognito_authentication_for_kibana.py | 4 +- ...nizations_account_part_of_organizations.py | 2 +- .../organizations_delegated_administrators.py | 2 +- ...rganizations_opt_out_ai_services_policy.py | 2 +- .../organizations_scp_check_deny_regions.py | 3 +- ...ions_tags_policies_enabled_and_attached.py | 2 +- .../rds_cluster_backtrack_enabled.py | 2 +- .../rds_cluster_copy_tags_to_snapshots.py | 4 +- ...rds_cluster_critical_event_subscription.py | 6 +- .../rds_cluster_default_admin.py | 2 +- .../rds_cluster_deletion_protection.py | 2 +- .../rds_cluster_iam_authentication_enabled.py | 2 +- ...rds_cluster_integration_cloudwatch_logs.py | 4 +- ...s_cluster_minor_version_upgrade_enabled.py | 2 +- .../rds_cluster_multi_az.py | 4 +- .../rds_cluster_non_default_port.py | 4 +- .../rds_cluster_protected_by_backup_plan.py | 4 +- .../rds_cluster_storage_encrypted.py | 4 +- .../rds_instance_backup_enabled.py | 4 +- .../rds_instance_certificate_expiration.py | 4 +- .../rds_instance_copy_tags_to_snapshots.py | 2 +- ...ds_instance_critical_event_subscription.py | 6 +- .../rds_instance_default_admin.py | 4 +- .../rds_instance_deletion_protection.py | 4 +- .../rds_instance_deprecated_engine_version.py | 4 +- ...ds_instance_enhanced_monitoring_enabled.py | 4 +- ...nce_event_subscription_parameter_groups.py | 6 +- ...ance_event_subscription_security_groups.py | 6 +- ...rds_instance_iam_authentication_enabled.py | 2 +- .../rds_instance_inside_vpc.py | 4 +- ...ds_instance_integration_cloudwatch_logs.py | 4 +- ..._instance_minor_version_upgrade_enabled.py | 4 +- .../rds_instance_multi_az.py | 4 +- .../rds_instance_no_public_access.py | 4 +- .../rds_instance_non_default_port.py | 4 +- .../rds_instance_protected_by_backup_plan.py | 4 +- .../rds_instance_storage_encrypted.py | 4 +- .../rds_instance_transport_encrypted.py | 6 +- .../rds_snapshots_encrypted.py | 8 +-- .../rds_snapshots_public_access.py | 8 +-- .../redshift_cluster_audit_logging.py | 4 +- 
.../redshift_cluster_automated_snapshot.py | 4 +- .../redshift_cluster_automatic_upgrades.py | 4 +- .../redshift_cluster_encrypted_at_rest.py | 4 +- .../redshift_cluster_enhanced_vpc_routing.py | 4 +- ...t_cluster_in_transit_encryption_enabled.py | 4 +- .../redshift_cluster_multi_az_enabled.py | 4 +- ...shift_cluster_non_default_database_name.py | 4 +- .../redshift_cluster_non_default_username.py | 4 +- .../redshift_cluster_public_access.py | 4 +- .../resourceexplorer2_indexes_found.py | 2 +- .../route53_dangling_ip_subdomain_takeover.py | 2 +- ...te53_domains_privacy_protection_enabled.py | 4 +- .../route53_domains_transferlock_enabled.py | 4 +- ...hosted_zones_cloudwatch_logging_enabled.py | 2 +- .../s3_access_point_public_access_block.py | 4 +- .../s3_account_level_public_access_blocks.py | 2 +- .../s3_bucket_acl_prohibited.py | 4 +- .../s3_bucket_cross_account_access.py | 4 +- .../s3_bucket_cross_region_replication.py | 4 +- .../s3_bucket_default_encryption.py | 4 +- .../s3_bucket_event_notifications_enabled.py | 4 +- .../s3_bucket_kms_encryption.py | 4 +- .../s3_bucket_level_public_access_block.py | 4 +- .../s3_bucket_lifecycle_enabled.py | 4 +- .../s3_bucket_no_mfa_delete.py | 4 +- .../s3_bucket_object_lock.py | 4 +- .../s3_bucket_object_versioning.py | 4 +- .../s3_bucket_policy_public_write_access.py | 4 +- .../s3_bucket_public_access.py | 6 +- .../s3_bucket_public_list_acl.py | 6 +- .../s3_bucket_public_write_acl.py | 6 +- .../s3_bucket_secure_transport_policy.py | 4 +- ...s3_bucket_server_access_logging_enabled.py | 4 +- ...region_access_point_public_access_block.py | 2 +- ..._endpoint_config_prod_variant_instances.py | 2 +- ...emaker_models_network_isolation_enabled.py | 2 +- ...agemaker_models_vpc_settings_configured.py | 2 +- ...er_notebook_instance_encryption_enabled.py | 2 +- ..._notebook_instance_root_access_disabled.py | 2 +- ...tebook_instance_vpc_settings_configured.py | 2 +- ...thout_direct_internet_access_configured.py | 2 +- 
..._jobs_intercontainer_encryption_enabled.py | 4 +- ...training_jobs_network_isolation_enabled.py | 4 +- ...bs_volume_and_output_encryption_enabled.py | 4 +- ...r_training_jobs_vpc_settings_configured.py | 4 +- ...cretsmanager_automatic_rotation_enabled.py | 4 +- .../secretsmanager_not_publicly_accessible.py | 4 +- ...retsmanager_secret_rotated_periodically.py | 4 +- .../secretsmanager_secret_unused.py | 4 +- .../securityhub_enabled.py | 4 +- ...rtfolio_shared_within_organization_only.py | 2 +- .../ses_identity_not_publicly_accessible.py | 4 +- ...ed_protection_in_associated_elastic_ips.py | 4 +- ...ed_protection_in_classic_load_balancers.py | 4 +- ..._protection_in_cloudfront_distributions.py | 2 +- ...anced_protection_in_global_accelerators.py | 2 +- ...ction_in_internet_facing_load_balancers.py | 4 +- ...nced_protection_in_route53_hosted_zones.py | 2 +- ...s_subscription_not_using_http_endpoints.py | 2 +- ...s_topics_kms_encryption_at_rest_enabled.py | 2 +- .../sns_topics_not_publicly_accessible.py | 2 +- .../sqs_queues_not_publicly_accessible.py | 2 +- ...s_queues_server_side_encryption_enabled.py | 2 +- .../ssm_document_secrets.py | 4 +- .../ssm_documents_set_as_public.py | 4 +- .../ssm_managed_compliant_patching.py | 4 +- .../ssmincidents_enabled_with_plans.py | 2 +- ...pfunctions_statemachine_logging_enabled.py | 4 +- ...agegateway_fileshare_encryption_enabled.py | 4 +- .../storagegateway_gateway_fault_tolerant.py | 4 +- ...er_server_in_transit_encryption_enabled.py | 4 +- .../trustedadvisor_errors_and_warnings.py | 4 +- ...advisor_premium_support_plan_subscribed.py | 2 +- .../vpc_different_regions.py | 2 +- ...c_endpoint_connections_trust_boundaries.py | 4 +- .../vpc_endpoint_for_ec2_enabled.py | 4 +- .../vpc_endpoint_multi_az_enabled.py | 4 +- ...ces_allowed_principals_trust_boundaries.py | 4 +- .../vpc_flow_logs_enabled.py | 4 +- ...ing_routing_tables_with_least_privilege.py | 2 +- .../vpc_subnet_different_az.py | 4 +- 
.../vpc_subnet_no_public_ip_by_default.py | 4 +- .../vpc_subnet_separate_private_public.py | 4 +- .../vpc_vpn_connection_tunnels_up.py | 4 +- .../waf_global_rule_with_conditions.py | 2 +- .../waf_global_rulegroup_not_empty.py | 4 +- .../waf_global_webacl_logging_enabled.py | 2 +- .../waf_global_webacl_with_rules.py | 2 +- .../waf_regional_rule_with_conditions.py | 2 +- .../waf_regional_rulegroup_not_empty.py | 4 +- .../waf_regional_webacl_with_rules.py | 2 +- .../wafv2_webacl_logging_enabled.py | 4 +- .../wafv2_webacl_rule_logging_enabled.py | 4 +- .../wafv2_webacl_with_rules.py | 4 +- ...tected_workload_no_high_or_medium_risks.py | 4 +- .../workspaces_volume_encryption_enabled.py | 4 +- ...spaces_vpc_2private_1public_subnets_nat.py | 4 +- ...isearch_service_not_publicly_accessible.py | 2 +- .../aks_cluster_rbac_enabled.py | 4 +- ...aks_clusters_created_with_private_nodes.py | 4 +- .../aks_clusters_public_access_disabled.py | 4 +- .../aks_network_policy_enabled.py | 4 +- .../app_client_certificates_on.py | 4 +- .../app_ensure_auth_is_set_up.py | 4 +- .../app_ensure_http_is_redirected_to_https.py | 4 +- .../app_ensure_java_version_is_latest.py | 4 +- .../app_ensure_php_version_is_latest.py | 4 +- .../app_ensure_python_version_is_latest.py | 4 +- .../app_ensure_using_http20.py | 4 +- .../app_ftp_deployment_disabled.py | 4 +- .../app_function_access_keys_configured.py | 4 +- ...p_function_application_insights_enabled.py | 4 +- .../app_function_ftps_deployment_disabled.py | 4 +- .../app_function_identity_is_configured.py | 4 +- ...ction_identity_without_admin_privileges.py | 2 +- .../app_function_latest_runtime_version.py | 4 +- .../app_function_not_publicly_accessible.py | 4 +- .../app_function_vnet_integration_enabled.py | 4 +- .../app_http_logs_enabled.py | 4 +- .../app_minimum_tls_version_12.py | 4 +- .../app_register_with_identity.py | 4 +- .../appinsights_ensure_is_configured.py | 2 +- .../containerregistry_admin_user_disabled.py | 2 +- 
...ntainerregistry_not_publicly_accessible.py | 2 +- .../containerregistry_uses_private_link.py | 2 +- ..._account_firewall_use_selected_networks.py | 4 +- .../cosmosdb_account_use_aad_and_rbac.py | 4 +- .../cosmosdb_account_use_private_endpoints.py | 4 +- ...mail_configured_with_a_security_contact.py | 4 +- ...sments_vm_endpoint_protection_installed.py | 2 +- ...provisioning_log_analytics_agent_vms_on.py | 2 +- ...ng_vulnerabilty_assessments_machines_on.py | 2 +- ...ntainer_images_resolved_vulnerabilities.py | 2 +- .../defender_container_images_scan_enabled.py | 2 +- ..._ensure_defender_for_app_services_is_on.py | 2 +- .../defender_ensure_defender_for_arm_is_on.py | 2 +- ..._defender_for_azure_sql_databases_is_on.py | 2 +- ...er_ensure_defender_for_containers_is_on.py | 2 +- ...nder_ensure_defender_for_cosmosdb_is_on.py | 2 +- ...der_ensure_defender_for_databases_is_on.py | 2 +- .../defender_ensure_defender_for_dns_is_on.py | 2 +- ...nder_ensure_defender_for_keyvault_is_on.py | 2 +- ...ender_for_os_relational_databases_is_on.py | 2 +- ...fender_ensure_defender_for_server_is_on.py | 2 +- ...r_ensure_defender_for_sql_servers_is_on.py | 2 +- ...ender_ensure_defender_for_storage_is_on.py | 2 +- .../defender_ensure_iot_hub_defender_is_on.py | 6 +- .../defender_ensure_mcas_is_enabled.py | 6 +- ...r_ensure_notify_alerts_severity_is_high.py | 4 +- ...defender_ensure_notify_emails_to_owners.py | 4 +- ...ender_ensure_system_updates_are_applied.py | 2 +- .../defender_ensure_wdatp_is_enabled.py | 6 +- ...s_policy_require_mfa_for_management_api.py | 4 +- ...ra_global_admin_in_less_than_five_users.py | 2 +- .../entra_non_privileged_user_has_mfa.py | 4 +- ...ult_users_cannot_create_security_groups.py | 4 +- ..._ensure_default_user_cannot_create_apps.py | 4 +- ...sure_default_user_cannot_create_tenants.py | 4 +- ...olicy_guest_invite_only_for_admin_roles.py | 4 +- ..._policy_guest_users_access_restrictions.py | 4 +- ..._policy_restricts_user_consent_for_apps.py | 4 +- 
...a_policy_user_consent_for_verified_apps.py | 4 +- .../entra_privileged_user_has_mfa.py | 4 +- .../entra_security_defaults_enabled.py | 2 +- .../entra_trusted_named_locations_exists.py | 4 +- .../entra_user_with_vm_access_has_mfa.py | 2 +- ...sers_cannot_create_microsoft_365_groups.py | 2 +- ...ermissions_to_administer_resource_locks.py | 2 +- ...cription_roles_owner_custom_not_created.py | 2 +- ...keyvault_key_expiration_set_in_non_rbac.py | 2 +- .../keyvault_key_rotation_enabled.py | 2 +- .../keyvault_logging_enabled.py | 4 +- ...keyvault_non_rbac_secret_expiration_set.py | 2 +- .../keyvault_private_endpoints.py | 4 +- .../keyvault_rbac_enabled.py | 4 +- .../keyvault_rbac_key_expiration_set.py | 2 +- .../keyvault_rbac_secret_expiration_set.py | 2 +- .../keyvault_recoverable.py | 4 +- .../monitor_alert_create_policy_assignment.py | 6 +- .../monitor_alert_create_update_nsg.py | 6 +- ...rt_create_update_public_ip_address_rule.py | 6 +- ...r_alert_create_update_security_solution.py | 6 +- ...onitor_alert_create_update_sqlserver_fr.py | 6 +- .../monitor_alert_delete_nsg.py | 6 +- .../monitor_alert_delete_policy_assignment.py | 6 +- ...tor_alert_delete_public_ip_address_rule.py | 6 +- .../monitor_alert_delete_security_solution.py | 6 +- .../monitor_alert_delete_sqlserver_fr.py | 6 +- ...tic_setting_with_appropriate_categories.py | 2 +- .../monitor_diagnostic_settings_exists.py | 2 +- ...ccount_with_activity_logs_cmk_encrypted.py | 2 +- ...e_account_with_activity_logs_is_private.py | 2 +- ...e_server_audit_log_connection_activated.py | 4 +- ...mysql_flexible_server_audit_log_enabled.py | 4 +- ..._flexible_server_minimum_tls_version_12.py | 4 +- ..._flexible_server_ssl_connection_enabled.py | 4 +- .../network_bastion_host_exists.py | 2 +- .../network_flow_log_captured_sent.py | 2 +- .../network_flow_log_more_than_90_days.py | 2 +- ...network_http_internet_access_restricted.py | 2 +- .../network_public_ip_shodan.py | 4 +- .../network_rdp_internet_access_restricted.py | 
2 +- .../network_ssh_internet_access_restricted.py | 2 +- .../network_udp_internet_access_restricted.py | 2 +- .../network_watcher_enabled.py | 2 +- .../policy_ensure_asc_enforcement_enabled.py | 2 +- ...e_server_allow_access_services_disabled.py | 4 +- ...lexible_server_connection_throttling_on.py | 4 +- ...sql_flexible_server_enforce_ssl_enabled.py | 4 +- ...esql_flexible_server_log_checkpoints_on.py | 4 +- ...esql_flexible_server_log_connections_on.py | 4 +- ...l_flexible_server_log_disconnections_on.py | 4 +- ...ble_server_log_retention_days_greater_3.py | 4 +- .../sqlserver_auditing_enabled.py | 2 +- .../sqlserver_auditing_retention_90_days.py | 2 +- ...sqlserver_azuread_administrator_enabled.py | 2 +- .../sqlserver_microsoft_defender_enabled.py | 2 +- ...lserver_recommended_minimal_tls_version.py | 2 +- .../sqlserver_tde_encrypted_with_cmk.py | 2 +- .../sqlserver_tde_encryption_enabled.py | 2 +- .../sqlserver_unrestricted_inbound_access.py | 2 +- ..._va_emails_notifications_admins_enabled.py | 2 +- ...ver_va_periodic_recurring_scans_enabled.py | 2 +- .../sqlserver_va_scan_reports_configured.py | 2 +- ...server_vulnerability_assessment_enabled.py | 2 +- ...ge_blob_public_access_level_is_disabled.py | 2 +- ...e_default_network_access_rule_is_denied.py | 2 +- ...rvices_are_trusted_to_access_is_enabled.py | 2 +- ...e_encryption_with_customer_managed_keys.py | 2 +- .../storage_ensure_minimum_tls_version_12.py | 2 +- ...e_private_endpoints_in_storage_accounts.py | 2 +- .../storage_ensure_soft_delete_is_enabled.py | 2 +- ...ge_infrastructure_encryption_is_enabled.py | 2 +- .../storage_key_rotation_90_days.py | 2 +- ...age_secure_transfer_required_is_enabled.py | 2 +- ...nsure_attached_disks_encrypted_with_cmk.py | 4 +- ...ure_unattached_disks_encrypted_with_cmk.py | 4 +- .../vm_ensure_using_managed_disks.py | 4 +- .../vm_trusted_launch_enabled.py | 4 +- .../apikeys_api_restrictions_configured.py | 2 +- .../apikeys_key_exists/apikeys_key_exists.py | 2 +- 
.../apikeys_key_rotated_in_90_days.py | 2 +- .../artifacts_container_analysis_enabled.py | 2 +- .../bigquery_dataset_cmk_encryption.py | 4 +- .../bigquery_dataset_public_access.py | 4 +- .../bigquery_table_cmk_encryption.py | 2 +- .../cloudsql_instance_automated_backups.py | 4 +- ...oudsql_instance_mysql_local_infile_flag.py | 4 +- ..._instance_mysql_skip_show_database_flag.py | 4 +- ...l_instance_postgres_enable_pgaudit_flag.py | 4 +- ..._instance_postgres_log_connections_flag.py | 4 +- ...stance_postgres_log_disconnections_flag.py | 4 +- ...tance_postgres_log_error_verbosity_flag.py | 4 +- ...ostgres_log_min_duration_statement_flag.py | 4 +- ...e_postgres_log_min_error_statement_flag.py | 4 +- ...instance_postgres_log_min_messages_flag.py | 4 +- ...ql_instance_postgres_log_statement_flag.py | 4 +- ...cloudsql_instance_private_ip_assignment.py | 4 +- .../cloudsql_instance_public_access.py | 4 +- .../cloudsql_instance_public_ip.py | 4 +- ..._contained_database_authentication_flag.py | 4 +- ...server_cross_db_ownership_chaining_flag.py | 4 +- ...sqlserver_external_scripts_enabled_flag.py | 4 +- ...l_instance_sqlserver_remote_access_flag.py | 4 +- .../cloudsql_instance_sqlserver_trace_flag.py | 4 +- ...nstance_sqlserver_user_connections_flag.py | 4 +- ...ql_instance_sqlserver_user_options_flag.py | 4 +- .../cloudsql_instance_ssl_connections.py | 4 +- ...torage_bucket_log_retention_policy_lock.py | 4 +- .../cloudstorage_bucket_public_access.py | 4 +- ...rage_bucket_uniform_bucket_level_access.py | 4 +- ...ll_rdp_access_from_the_internet_allowed.py | 2 +- ...ll_ssh_access_from_the_internet_allowed.py | 2 +- ...ce_block_project_wide_ssh_keys_disabled.py | 4 +- ...instance_confidential_computing_enabled.py | 4 +- ...instance_default_service_account_in_use.py | 4 +- ...ice_account_in_use_with_full_api_access.py | 4 +- ...e_instance_encryption_with_csek_enabled.py | 4 +- ...mpute_instance_ip_forwarding_is_enabled.py | 4 +- .../compute_instance_public_ip.py | 4 +- 
.../compute_instance_serial_ports_in_use.py | 4 +- .../compute_instance_shielded_vm_enabled.py | 4 +- .../compute_loadbalancer_logging_enabled.py | 2 +- .../compute_network_default_in_use.py | 4 +- .../compute_network_dns_logging_enabled.py | 2 +- .../compute_network_not_legacy.py | 2 +- .../compute_project_os_login_enabled.py | 2 +- .../compute_public_address_shodan.py | 2 +- .../compute_subnet_flow_logs_enabled.py | 4 +- .../dataproc_encrypted_with_cmks_disabled.py | 2 +- .../dns_dnssec_disabled.py | 2 +- ...ns_rsasha1_in_use_to_key_sign_in_dnssec.py | 2 +- ...s_rsasha1_in_use_to_zone_sign_in_dnssec.py | 2 +- .../gcr_container_scanning_enabled.py | 2 +- .../gke_cluster_no_default_service_account.py | 4 +- .../iam_account_access_approval_enabled.py | 2 +- .../iam_audit_logs_enabled.py | 2 +- .../iam_cloud_asset_inventory_enabled.py | 2 +- .../iam_no_service_roles_at_project_level.py | 4 +- ...anization_essential_contacts_configured.py | 2 +- ...m_role_kms_enforce_separation_of_duties.py | 2 +- ...am_role_sa_enforce_separation_of_duties.py | 2 +- .../iam_sa_no_administrative_privileges.py | 3 +- .../iam_sa_no_user_managed_keys.py | 2 +- .../iam_sa_user_managed_key_rotate_90_days.py | 2 +- .../kms_key_not_publicly_accessible.py | 2 +- .../kms_key_rotation_enabled.py | 2 +- ...for_audit_configuration_changes_enabled.py | 4 +- ...t_for_bucket_permission_changes_enabled.py | 4 +- ...d_alert_for_custom_role_changes_enabled.py | 4 +- ...t_for_project_ownership_changes_enabled.py | 4 +- ..._instance_configuration_changes_enabled.py | 4 +- ...t_for_vpc_firewall_rule_changes_enabled.py | 4 +- ...d_alert_for_vpc_network_changes_enabled.py | 4 +- ...t_for_vpc_network_route_changes_enabled.py | 4 +- .../logging_sink_created.py | 4 +- .../apiserver_always_pull_images_plugin.py | 4 +- .../apiserver_anonymous_requests.py | 4 +- .../apiserver_audit_log_maxage_set.py | 4 +- .../apiserver_audit_log_maxbackup_set.py | 4 +- .../apiserver_audit_log_maxsize_set.py | 4 +- 
.../apiserver_audit_log_path_set.py | 4 +- .../apiserver_auth_mode_include_node.py | 4 +- .../apiserver_auth_mode_include_rbac.py | 4 +- .../apiserver_auth_mode_not_always_allow.py | 4 +- .../apiserver_client_ca_file_set.py | 4 +- .../apiserver_deny_service_external_ips.py | 4 +- .../apiserver_disable_profiling.py | 4 +- ...piserver_encryption_provider_config_set.py | 4 +- .../apiserver_etcd_cafile_set.py | 4 +- .../apiserver_etcd_tls_config.py | 4 +- .../apiserver_event_rate_limit.py | 4 +- .../apiserver_kubelet_cert_auth.py | 4 +- .../apiserver_kubelet_tls_auth.py | 4 +- .../apiserver_namespace_lifecycle_plugin.py | 4 +- .../apiserver_no_always_admit_plugin.py | 4 +- .../apiserver_no_token_auth_file.py | 4 +- .../apiserver_node_restriction_plugin.py | 4 +- .../apiserver_request_timeout_set.py | 4 +- .../apiserver_security_context_deny_plugin.py | 4 +- .../apiserver_service_account_key_file_set.py | 4 +- .../apiserver_service_account_lookup_true.py | 4 +- .../apiserver_service_account_plugin.py | 4 +- .../apiserver_strong_ciphers_only.py | 4 +- .../apiserver_tls_config.py | 4 +- .../controllermanager_bind_address.py | 4 +- .../controllermanager_disable_profiling.py | 4 +- .../controllermanager_garbage_collection.py | 4 +- .../controllermanager_root_ca_file_set.py | 4 +- ...ollermanager_rotate_kubelet_server_cert.py | 4 +- ...llermanager_service_account_credentials.py | 4 +- ...anager_service_account_private_key_file.py | 4 +- ..._minimize_admission_hostport_containers.py | 4 +- ...dmission_windows_hostprocess_containers.py | 4 +- ...ize_allowPrivilegeEscalation_containers.py | 4 +- ..._minimize_containers_added_capabilities.py | 4 +- ...nimize_containers_capabilities_assigned.py | 4 +- .../core_minimize_hostIPC_containers.py | 4 +- .../core_minimize_hostNetwork_containers.py | 4 +- .../core_minimize_hostPID_containers.py | 4 +- ...e_minimize_net_raw_capability_admission.py | 4 +- .../core_minimize_privileged_containers.py | 4 +- 
...core_minimize_root_containers_admission.py | 4 +- .../core_no_secrets_envs.py | 4 +- .../core_seccomp_profile_docker_default.py | 4 +- .../etcd_client_cert_auth.py | 4 +- .../etcd/etcd_no_auto_tls/etcd_no_auto_tls.py | 4 +- .../etcd_no_peer_auto_tls.py | 4 +- .../etcd_peer_client_cert_auth.py | 4 +- .../etcd_peer_tls_config.py | 4 +- .../etcd_tls_encryption.py | 4 +- .../etcd/etcd_unique_ca/etcd_unique_ca.py | 4 +- .../kubelet_authorization_mode.py | 4 +- .../kubelet_client_ca_file_set.py | 4 +- .../kubelet_conf_file_ownership.py | 4 +- .../kubelet_conf_file_permissions.py | 4 +- .../kubelet_config_yaml_ownership.py | 4 +- .../kubelet_config_yaml_permissions.py | 4 +- .../kubelet_disable_anonymous_auth.py | 4 +- .../kubelet_disable_read_only_port.py | 4 +- .../kubelet_event_record_qps.py | 4 +- .../kubelet_manage_iptables.py | 4 +- .../kubelet_rotate_certificates.py | 4 +- .../kubelet_service_file_ownership_root.py | 4 +- .../kubelet_service_file_permissions.py | 4 +- .../kubelet_streaming_connection_timeout.py | 4 +- .../kubelet_strong_ciphers_only.py | 4 +- .../kubelet_tls_cert_and_key.py | 4 +- .../rbac_cluster_admin_usage.py | 2 +- .../rbac_minimize_csr_approval_access.py | 2 +- ..._minimize_node_proxy_subresource_access.py | 2 +- .../rbac_minimize_pod_creation_access.py | 4 +- .../rbac_minimize_pv_creation_access.py | 2 +- .../rbac_minimize_secret_access.py | 4 +- ...minimize_service_account_token_creation.py | 2 +- .../rbac_minimize_webhook_config_access.py | 2 +- .../rbac_minimize_wildcard_use_roles.py | 4 +- .../scheduler_bind_address.py | 4 +- .../scheduler_profiling.py | 4 +- 876 files changed, 971 insertions(+), 2093 deletions(-) diff --git a/prowler/lib/check/models.py b/prowler/lib/check/models.py index 1147bdb1679..e649bbc3790 100644 --- a/prowler/lib/check/models.py +++ b/prowler/lib/check/models.py 
@@ -405,7 +405,7 @@ class Check_Report: status: str status_extended: str check_metadata: CheckMetadata - resource_metadata: dict + resource: dict resource_details: str resource_tags: list muted: bool @@ -421,20 +421,20 @@ def __init__(self, metadata: Dict, resource: Any) -> None: self.status = "" self.check_metadata = CheckMetadata.parse_raw(metadata) if isinstance(resource, dict): - self.resource_metadata = resource + self.resource = resource elif isinstance(resource, list): - self.resource_metadata = dict(enumerate(resource)) + self.resource = dict(enumerate(resource)) elif hasattr(resource, "dict"): - self.resource_metadata = resource.dict() + self.resource = resource.dict() elif hasattr(resource, "to_dict"): - self.resource_metadata = resource.to_dict() + self.resource = resource.to_dict() elif hasattr(resource, "__dict__"): - self.resource_metadata = resource.__dict__ + self.resource = resource.__dict__ else: logger.error( f"Resource metadata {type(resource)} could not be converted to dict" ) - self.resource_metadata = {} + self.resource = {} self.status_extended = "" self.resource_details = "" self.resource_tags = getattr(resource, "tags", []) if resource else [] @@ -449,15 +449,13 @@ class Check_Report_AWS(Check_Report): resource_arn: str region: str - def __init__(self, metadata: Dict, resource_metadata: Any) -> None: - super().__init__(metadata, resource_metadata) + def __init__(self, metadata: Dict, resource: Any) -> None: + super().__init__(metadata, resource) self.resource_id = ( - getattr(resource_metadata, "id", None) - or getattr(resource_metadata, "name", None) - or "" + getattr(resource, "id", None) or getattr(resource, "name", None) or "" ) - self.resource_arn = getattr(resource_metadata, "arn", "") - self.region = getattr(resource_metadata, "region", "") + self.resource_arn = getattr(resource, "arn", "") + self.region = getattr(resource, "region", "") @dataclass 
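Review bot: In the `hasattr(resource, "__dict__")` branch, `self.resource = resource.__dict__` keeps the resource object's live attribute dictionary rather than a copy, and the `isinstance(resource, dict)` branch likewise stores the caller's dict by reference, whereas the `.dict()`, `.to_dict()` and `dict(enumerate(...))` branches all yield fresh dicts. Because this dict is what the outputs now emit, a later edit to `report.resource` (for example dropping a field) would silently mutate the scanned resource object, and vice versa; a snapshot avoids that: `self.resource = dict(resource.__dict__)` and `self.resource = dict(resource)`. The `logger.error` text still reads `Resource metadata`, which no longer matches the renamed attribute; `f"Resource {type(resource)} could not be converted to dict"` keeps the log and the field aligned. The `def __init__` line itself sits in the hunk header, outside the hunk.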
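Review bot: The base `Check_Report.__init__` explicitly accepts a plain `dict` or `list` as `resource`, but the rewritten `getattr(resource, "id", None) or getattr(resource, "name", None) or ""`, `getattr(resource, "arn", "")` and `getattr(resource, "region", "")` only resolve attributes, so a dict-shaped resource would leave `resource_id`, `resource_arn` and `region` as `""` while `self.resource` is fully populated. If dict resources are never handed to the provider subclasses, that contract deserves a docstring, e.g. `"""AWS finding; `resource` must expose `id`/`name`, `arn` and `region` as attributes (dict input is not supported here)."""`; otherwise a `.get` fallback for `isinstance(resource, dict)` is needed. The same pattern appears in the Azure, GCP and Kubernetes `__init__` hunks that follow, so whichever route is chosen should be applied to all four.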
@@ -469,22 +467,20 @@ class Check_Report_Azure(Check_Report): subscription: str location: str - def __init__(self, metadata: Dict, resource_metadata: Any) -> None: + def __init__(self, metadata: Dict, resource: Any) -> None: """Initialize the Azure Check's finding information. Args: metadata: The metadata of the check. - resource_metadata: Basic information about the resource. Defaults to None. + resource: Basic information about the resource. Defaults to None. """ - super().__init__(metadata, resource_metadata) + super().__init__(metadata, resource) self.resource_name = getattr( - resource_metadata, "name", getattr(resource_metadata, "resource_name", "") - ) - self.resource_id = getattr( - resource_metadata, "id", getattr(resource_metadata, "resource_id", "") + resource, "name", getattr(resource, "resource_name", "") ) + self.resource_id = getattr(resource, "id", getattr(resource, "resource_id", "")) self.subscription = "" - self.location = getattr(resource_metadata, "location", "global") + self.location = getattr(resource, "location", "global") @dataclass 
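Review bot: The updated docstring line `resource: Basic information about the resource. Defaults to None.` is now inaccurate, because the parameter has no default any more (`resource: Any` is required in the new signature). Drop the trailing sentence so the docstring matches the code: `resource: Basic information about the resource.`. It is also worth stating there that `name`/`resource_name`, `id`/`resource_id` and `location` are read via `getattr`, so a dict resource would fall back to the defaults.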
@@ -499,25 +495,25 @@ class Check_Report_GCP(Check_Report): def __init__( self, metadata: Dict, - resource_metadata: Any, + resource: Any, location=None, resource_name=None, resource_id=None, project_id=None, ) -> None: - super().__init__(metadata, resource_metadata) + super().__init__(metadata, resource) self.resource_id = ( resource_id - or getattr(resource_metadata, "id", None) - or getattr(resource_metadata, "name", None) + or getattr(resource, "id", None) + or getattr(resource, "name", None) or "" ) - self.resource_name = resource_name or getattr(resource_metadata, "name", "") - self.project_id = project_id or getattr(resource_metadata, "project_id", "") + self.resource_name = resource_name or getattr(resource, "name", "") + self.project_id = project_id or getattr(resource, "project_id", "") self.location = ( location - or getattr(resource_metadata, "location", "") - or getattr(resource_metadata, "region", "") + or getattr(resource, "location", "") + or getattr(resource, "region", "") ) @@ -530,15 +526,13 @@ class Check_Report_Kubernetes(Check_Report): resource_id: str namespace: str - def __init__(self, metadata: Dict, resource_metadata: Any) -> None: - super().__init__(metadata, resource_metadata) + def __init__(self, metadata: Dict, resource: Any) -> None: + super().__init__(metadata, resource) self.resource_id = ( - getattr(resource_metadata, "uid", None) - or getattr(resource_metadata, "name", None) - or "" + getattr(resource, "uid", None) or getattr(resource, "name", None) or "" ) - self.resource_name = getattr(resource_metadata, "name", "") - self.namespace = getattr(resource_metadata, "namespace", "cluster-wide") + self.resource_name = getattr(resource, "name", "") + self.namespace = getattr(resource, "namespace", "cluster-wide") if not self.namespace: self.namespace = "cluster-wide" diff --git a/prowler/lib/outputs/common.py b/prowler/lib/outputs/common.py index 9616c08b001..402e5250144 100644 --- a/prowler/lib/outputs/common.py 
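Review bot: In the Kubernetes `__init__`, the namespace default is applied twice: `getattr(resource, "namespace", "cluster-wide")` followed by `if not self.namespace: self.namespace = "cluster-wide"`, repeating the literal. Since the rewrite already uses the `x or y` form for `resource_id`, the same shape covers both the missing and the empty case in one line: `self.namespace = getattr(resource, "namespace", None) or "cluster-wide"`. This is style only; behaviour is unchanged.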
+++ b/prowler/lib/outputs/common.py @@ -14,7 +14,7 @@ def fill_common_finding_data(finding: dict, unix_timestamp: bool) -> dict: "status_extended": finding.status_extended, "muted": finding.muted, "resource_details": finding.resource_details, - "resource_metadata": finding.resource_metadata, + "resource": finding.resource, "resource_tags": unroll_tags(finding.resource_tags), } return finding_data diff --git a/prowler/lib/outputs/finding.py b/prowler/lib/outputs/finding.py index c9ad89bacbc..e8b72b3f847 100644 --- a/prowler/lib/outputs/finding.py +++ b/prowler/lib/outputs/finding.py @@ -35,7 +35,7 @@ class Finding(BaseModel): status_extended: str muted: bool = False resource_uid: str - resource_metadata: dict = Field(default_factory=dict) + resource: dict = Field(default_factory=dict) resource_name: str resource_details: str resource_tags: dict = Field(default_factory=dict) diff --git a/prowler/lib/outputs/ocsf/ocsf.py b/prowler/lib/outputs/ocsf/ocsf.py index 11e8da1b2e6..89442d20a3a 100644 --- a/prowler/lib/outputs/ocsf/ocsf.py +++ b/prowler/lib/outputs/ocsf/ocsf.py @@ -113,7 +113,7 @@ def transform(self, findings: List[Finding]) -> None: region=finding.region, data={ "details": finding.resource_details, - "metadata": finding.resource_metadata, + "metadata": finding.resource, }, ) ] @@ -127,7 +127,7 @@ def transform(self, findings: List[Finding]) -> None: type=finding.metadata.ResourceType, data={ "details": finding.resource_details, - "metadata": finding.resource_metadata, + "metadata": finding.resource, }, namespace=finding.region.replace("namespace: ", ""), ) diff --git a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py index d89a0476901..5e3311be9d4 100644 --- a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py 
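Review bot: Renaming the emitted key from `"resource_metadata"` to `"resource"` in `fill_common_finding_data`, together with the `Finding.resource` field rename in the `finding.py` hunk, changes the serialized output schema that external consumers parse, and nothing in the change records that. A short note in the output documentation or changelog, or a comment such as `# NOTE: output key renamed from "resource_metadata" to "resource"; downstream parsers must be updated`, would make the break visible. The OCSF hunk keeps its own `"metadata"` key, so only the common/JSON-style outputs are affected, as far as this diff shows.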
+++ b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.py @@ -8,9 +8,7 @@ class accessanalyzer_enabled(Check): def execute(self): findings = [] for analyzer in accessanalyzer_client.analyzers: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=analyzer - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=analyzer) if analyzer.status == "ACTIVE": report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.py b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.py index b54116601ba..a72f12d21d8 100644 --- a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.py +++ b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.py @@ -8,9 +8,7 @@ class accessanalyzer_enabled_without_findings(Check): def execute(self): findings = [] for analyzer in accessanalyzer_client.analyzers: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=analyzer - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=analyzer) if analyzer.status == "ACTIVE": report.status = "PASS" report.status_extended = f"IAM Access Analyzer {analyzer.name} does not have active findings." diff --git a/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py b/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py index c47776afd20..f326594b585 100644 --- a/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py 
+++ b/prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.py @@ -7,7 +7,7 @@ class account_maintain_current_contact_details(Check): def execute(self): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=account_client.contact_base + metadata=self.metadata(), resource=account_client.contact_base ) report.region = account_client.region report.resource_id = account_client.audited_account diff --git a/prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.py b/prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.py index c54cd126ae1..c1201bf9070 100644 --- a/prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.py +++ b/prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.py @@ -9,7 +9,7 @@ def execute(self): findings = [] if account_client.contact_base: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=account_client.contact_base + metadata=self.metadata(), resource=account_client.contact_base ) report.resource_id = account_client.audited_account report.resource_arn = account_client.audited_account_arn 
diff --git a/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py b/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py index 6de2d9db5d7..a7aab3e0088 100644 --- a/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py +++ b/prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.py @@ -7,7 +7,7 @@ class account_security_contact_information_is_registered(Check): def execute(self): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=account_client.contact_base + metadata=self.metadata(), resource=account_client.contact_base ) report.region = account_client.region report.resource_id = account_client.audited_account diff --git a/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py b/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py index 84bc4a1a1d5..f6d9ae90919 100644 --- a/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py +++ b/prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.py 
@@ -7,7 +7,7 @@ class account_security_questions_are_registered_in_the_aws_account(Check): def execute(self): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=account_client.contacts_security + metadata=self.metadata(), resource=account_client.contacts_security ) report.region = account_client.region report.resource_id = account_client.audited_account diff --git a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py index e7ac961d83b..97de6f9a1a4 100644 --- a/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py +++ b/prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py @@ -8,7 +8,7 @@ def execute(self): for certificate in acm_client.certificates.values(): if certificate.in_use or acm_client.provider.scan_unused_services: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=certificate + metadata=self.metadata(), resource=certificate ) if certificate.expiration_days > acm_client.audit_config.get( "days_to_expire_threshold", 7 diff --git a/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py b/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py index f4f6cf00220..76f3236f492 100644 --- a/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py +++ b/prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py 
@@ -8,7 +8,7 @@ def execute(self): for certificate in acm_client.certificates.values(): if certificate.in_use or acm_client.provider.scan_unused_services: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=certificate + metadata=self.metadata(), resource=certificate ) if certificate.type == "IMPORTED": report.status = "PASS" diff --git a/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py b/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py index 7ef99c0bd98..f2135cf77a7 100644 --- a/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py +++ b/prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.py @@ -8,7 +8,7 @@ def execute(self): for certificate in acm_client.certificates.values(): if certificate.in_use or acm_client.provider.scan_unused_services: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=certificate + metadata=self.metadata(), resource=certificate ) report.status = "PASS" diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.py b/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.py index b8148533823..f7634eacb9e 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.py +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.py 
@@ -8,9 +8,7 @@ class apigateway_restapi_authorizers_enabled(Check): def execute(self): findings = [] for rest_api in apigateway_client.rest_apis: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=rest_api - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=rest_api) report.resource_id = rest_api.name # it there are not authorizers at api level and resources without methods (default case) -> diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_cache_encrypted/apigateway_restapi_cache_encrypted.py b/prowler/providers/aws/services/apigateway/apigateway_restapi_cache_encrypted/apigateway_restapi_cache_encrypted.py index 59f622ee0bf..515449d9d26 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_cache_encrypted/apigateway_restapi_cache_encrypted.py +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_cache_encrypted/apigateway_restapi_cache_encrypted.py @@ -10,9 +10,7 @@ def execute(self): for rest_api in apigateway_client.rest_apis: for stage in rest_api.stages: if stage.cache_enabled: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=stage - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=stage) report.region = rest_api.region report.resource_id = rest_api.name report.status = "PASS" diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.py b/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.py index 2c66a27f157..20bfb0f32ab 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.py +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.py 
@@ -9,9 +9,7 @@ def execute(self): findings = [] for rest_api in apigateway_client.rest_apis: for stage in rest_api.stages: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=stage - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=stage) report.resource_id = rest_api.name report.region = rest_api.region if stage.client_certificate: diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.py b/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.py index a519d980ed0..a69f1d52327 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.py +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.py @@ -9,9 +9,7 @@ def execute(self): findings = [] for rest_api in apigateway_client.rest_apis: for stage in rest_api.stages: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=stage - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=stage) report.resource_id = rest_api.name report.region = rest_api.region if stage.logging: diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.py b/prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.py index 8ffa5058a53..a0c99a2a8f2 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.py +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.py 
@@ -8,9 +8,7 @@ class apigateway_restapi_public(Check): def execute(self): findings = [] for rest_api in apigateway_client.rest_apis: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=rest_api - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=rest_api) report.resource_id = rest_api.name if rest_api.public_endpoint: diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.py b/prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.py index f934558f399..663e149d5cd 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.py +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.py @@ -9,9 +9,7 @@ def execute(self): findings = [] for rest_api in apigateway_client.rest_apis: if rest_api.public_endpoint: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=rest_api - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=rest_api) report.resource_id = rest_api.name report.status = "PASS" diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_tracing_enabled/apigateway_restapi_tracing_enabled.py b/prowler/providers/aws/services/apigateway/apigateway_restapi_tracing_enabled/apigateway_restapi_tracing_enabled.py index 99e8149a699..ac80eabef0c 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_tracing_enabled/apigateway_restapi_tracing_enabled.py +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_tracing_enabled/apigateway_restapi_tracing_enabled.py 
@@ -9,9 +9,7 @@ def execute(self): findings = [] for rest_api in apigateway_client.rest_apis: for stage in rest_api.stages: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=stage - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=stage) report.region = rest_api.region report.resource_id = rest_api.name report.status = "FAIL" diff --git a/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.py b/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.py index e719711186a..2cd5a477231 100644 --- a/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.py +++ b/prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.py @@ -9,9 +9,7 @@ def execute(self): findings = [] for rest_api in apigateway_client.rest_apis: for stage in rest_api.stages: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=stage - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=stage) report.resource_id = rest_api.name report.region = rest_api.region if stage.waf: diff --git a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.py b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.py index cc64e6191cd..f338244d599 100644 --- a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.py +++ b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.py 
@@ -8,7 +8,7 @@ class apigatewayv2_api_access_logging_enabled(Check): def execute(self): findings = [] for api in apigatewayv2_client.apis: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=api) + report = Check_Report_AWS(metadata=self.metadata(), resource=api) for stage in api.stages: if stage.logging: report.status = "PASS" diff --git a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.py b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.py index be898f3c921..6749adef2ac 100644 --- a/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.py +++ b/prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.py @@ -8,7 +8,7 @@ class apigatewayv2_api_authorizers_enabled(Check): def execute(self): findings = [] for api in apigatewayv2_client.apis: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=api) + report = Check_Report_AWS(metadata=self.metadata(), resource=api) report.resource_id = api.name report.status = "FAIL" report.status_extended = f"API Gateway V2 {api.name} ID {api.id} does not have an authorizer configured." diff --git a/prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.py b/prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.py index 947bc4a3458..6be179a0fc0 100644 --- a/prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.py +++ b/prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.py 
@@ -10,7 +10,7 @@ def execute(self): """Execute the appstream_fleet_default_internet_access_disabled check""" findings = [] for fleet in appstream_client.fleets: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fleet) + report = Check_Report_AWS(metadata=self.metadata(), resource=fleet) if fleet.enable_default_internet_access: report.status = "FAIL" diff --git a/prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.py b/prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.py index 2b5360bbcc8..dc693969b8b 100644 --- a/prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.py +++ b/prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.py @@ -15,7 +15,7 @@ def execute(self): findings = [] for fleet in appstream_client.fleets: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fleet) + report = Check_Report_AWS(metadata=self.metadata(), resource=fleet) if fleet.max_user_duration_in_seconds < max_session_duration_seconds: report.status = "PASS" diff --git a/prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.py b/prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.py index d0845a58bc1..402b87737d6 100644 --- a/prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.py +++ b/prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.py 
@@ -15,7 +15,7 @@ def execute(self): findings = [] for fleet in appstream_client.fleets: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fleet) + report = Check_Report_AWS(metadata=self.metadata(), resource=fleet) if fleet.disconnect_timeout_in_seconds <= max_disconnect_timeout_in_seconds: report.status = "PASS" diff --git a/prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.py b/prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.py index 972490270c3..ba4de541fbf 100644 --- a/prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.py +++ b/prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.py @@ -15,7 +15,7 @@ def execute(self): findings = [] for fleet in appstream_client.fleets: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fleet) + report = Check_Report_AWS(metadata=self.metadata(), resource=fleet) if ( fleet.idle_disconnect_timeout_in_seconds diff --git a/prowler/providers/aws/services/appsync/appsync_field_level_logging_enabled/appsync_field_level_logging_enabled.py b/prowler/providers/aws/services/appsync/appsync_field_level_logging_enabled/appsync_field_level_logging_enabled.py index 2980d17d53a..2743ed84f39 100644 --- a/prowler/providers/aws/services/appsync/appsync_field_level_logging_enabled/appsync_field_level_logging_enabled.py +++ b/prowler/providers/aws/services/appsync/appsync_field_level_logging_enabled/appsync_field_level_logging_enabled.py 
@@ -7,7 +7,7 @@ def execute(self): findings = [] # Check only GraphQL APIs because boto3 does not have a method to get other types of AppSync APIs (list_apis is not working) for api in appsync_client.graphql_apis.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=api) + report = Check_Report_AWS(metadata=self.metadata(), resource=api) report.status = "PASS" report.status_extended = ( f"AppSync API {api.name} has field log level enabled." diff --git a/prowler/providers/aws/services/appsync/appsync_graphql_api_no_api_key_authentication/appsync_graphql_api_no_api_key_authentication.py b/prowler/providers/aws/services/appsync/appsync_graphql_api_no_api_key_authentication/appsync_graphql_api_no_api_key_authentication.py index 8bbdd49cac3..33bde874fb6 100644 --- a/prowler/providers/aws/services/appsync/appsync_graphql_api_no_api_key_authentication/appsync_graphql_api_no_api_key_authentication.py +++ b/prowler/providers/aws/services/appsync/appsync_graphql_api_no_api_key_authentication/appsync_graphql_api_no_api_key_authentication.py @@ -7,9 +7,7 @@ def execute(self): findings = [] for api in appsync_client.graphql_apis.values(): if api.type == "GRAPHQL": - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=api - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=api) report.status = "PASS" report.status_extended = f"AppSync GraphQL API {api.name} is not using an API KEY for authentication." if api.authentication_type == "API_KEY": diff --git a/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.py b/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.py index ffa47321116..b54ec0ac497 100644 --- a/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.py +++ b/prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.py 
@@ -13,9 +13,7 @@ def execute(self): if ( workgroup.state == "ENABLED" and workgroup.queries ) or athena_client.provider.scan_unused_services: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=workgroup - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=workgroup) if workgroup.encryption_configuration.encrypted: report.status = "PASS" diff --git a/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.py b/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.py index 987b88f0246..2ef603e361f 100644 --- a/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.py +++ b/prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.py @@ -13,9 +13,7 @@ def execute(self): if ( workgroup.state == "ENABLED" and workgroup.queries ) or athena_client.provider.scan_unused_services: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=workgroup - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=workgroup) if workgroup.enforce_workgroup_configuration: report.status = "PASS" diff --git a/prowler/providers/aws/services/athena/athena_workgroup_logging_enabled/athena_workgroup_logging_enabled.py b/prowler/providers/aws/services/athena/athena_workgroup_logging_enabled/athena_workgroup_logging_enabled.py index 4b408e1e9f1..ce8db95555a 100644 --- a/prowler/providers/aws/services/athena/athena_workgroup_logging_enabled/athena_workgroup_logging_enabled.py +++ b/prowler/providers/aws/services/athena/athena_workgroup_logging_enabled/athena_workgroup_logging_enabled.py 
@@ -21,9 +21,7 @@ def execute(self) -> List[Check_Report_AWS]: if ( workgroup.state == "ENABLED" and workgroup.queries ) or athena_client.provider.scan_unused_services: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=workgroup - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=workgroup) report.status = "PASS" report.status_extended = ( f"Athena WorkGroup {workgroup.name} has CloudWatch logging enabled." diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.py b/prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.py index c1c787e2015..d4a75535b9e 100644 --- a/prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.py +++ b/prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.py @@ -20,9 +20,7 @@ def execute(self): configuration_arn, configuration, ) in autoscaling_client.launch_configurations.items(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=configuration - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=configuration) if configuration.user_data: user_data = b64decode(configuration.user_data) diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_capacity_rebalance_enabled/autoscaling_group_capacity_rebalance_enabled.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_capacity_rebalance_enabled/autoscaling_group_capacity_rebalance_enabled.py index 791adcab6e9..21adc9cde5d 100644 --- a/prowler/providers/aws/services/autoscaling/autoscaling_group_capacity_rebalance_enabled/autoscaling_group_capacity_rebalance_enabled.py 
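Review bot: In autoscaling_find_secrets_ec2_launch_configuration the report is now built from the full `configuration` object, the same object whose `user_data` the check base64-decodes and scans for secrets on the next visible line; if the object passed as `resource` is serialized into the finding's resource metadata, the raw user data, including any secret the check flags, would be written into every output format alongside the FAIL. awslambda_function_no_secrets_in_variables (presumably the function's environment variables) and cloudformation_stack_outputs_find_secrets (the stack outputs) further down have the same shape. Whether those model fields are actually emitted depends on the serializer, which is outside this diff, so this needs confirming; if they are, these checks should pass a copy with the secret-bearing field cleared, or the serializer should exclude it. The enclosing execute() bodies continue outside the hunks.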
+++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_capacity_rebalance_enabled/autoscaling_group_capacity_rebalance_enabled.py @@ -9,9 +9,7 @@ def execute(self): findings = [] for group in autoscaling_client.groups: if group.load_balancers and group.target_groups: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=group - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=group) report.status = "FAIL" report.status_extended = f"Autoscaling group {group.name} does not have capacity rebalance enabled." diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_elb_health_check_enabled/autoscaling_group_elb_health_check_enabled.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_elb_health_check_enabled/autoscaling_group_elb_health_check_enabled.py index 8ea149e415f..9c073dddee6 100644 --- a/prowler/providers/aws/services/autoscaling/autoscaling_group_elb_health_check_enabled/autoscaling_group_elb_health_check_enabled.py +++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_elb_health_check_enabled/autoscaling_group_elb_health_check_enabled.py @@ -9,9 +9,7 @@ def execute(self): findings = [] for group in autoscaling_client.groups: if group.load_balancers and group.target_groups: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=group - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=group) report.status = "FAIL" report.status_extended = f"Autoscaling group {group.name} is associated with a load balancer but does not have ELB health checks enabled, instead it has {group.health_check_type} health checks." 
diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_no_public_ip/autoscaling_group_launch_configuration_no_public_ip.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_no_public_ip/autoscaling_group_launch_configuration_no_public_ip.py index 3e06d39a021..8a2017ee99a 100644 --- a/prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_no_public_ip/autoscaling_group_launch_configuration_no_public_ip.py +++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_no_public_ip/autoscaling_group_launch_configuration_no_public_ip.py @@ -10,9 +10,7 @@ def execute(self): for group in autoscaling_client.groups: for lc in autoscaling_client.launch_configurations.values(): if lc.name == group.launch_configuration_name: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=group - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=group) report.status = "PASS" report.status_extended = f"Autoscaling group {group.name} does not have an associated launch configuration assigning a public IP address." diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_requires_imdsv2/autoscaling_group_launch_configuration_requires_imdsv2.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_requires_imdsv2/autoscaling_group_launch_configuration_requires_imdsv2.py index fea8b084e7c..a75b66b30ab 100644 --- a/prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_requires_imdsv2/autoscaling_group_launch_configuration_requires_imdsv2.py +++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_requires_imdsv2/autoscaling_group_launch_configuration_requires_imdsv2.py 
@@ -12,9 +12,7 @@ def execute(self): launch_configuration ) in autoscaling_client.launch_configurations.values(): if launch_configuration.name == group.launch_configuration_name: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=group - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=group) report.status = "FAIL" report.status_extended = f"Autoscaling group {group.name} has IMDSv2 disabled or not required." diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.py index a294f11548d..3d9d4744eee 100644 --- a/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.py +++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.py @@ -8,7 +8,7 @@ class autoscaling_group_multiple_az(Check): def execute(self): findings = [] for group in autoscaling_client.groups: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=group) + report = Check_Report_AWS(metadata=self.metadata(), resource=group) report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.py index 19498e87c44..3f9362fe5b8 100644 --- a/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.py +++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.py 
@@ -8,7 +8,7 @@ class autoscaling_group_multiple_instance_types(Check): def execute(self): findings = [] for group in autoscaling_client.groups: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=group) + report = Check_Report_AWS(metadata=self.metadata(), resource=group) report.status = "FAIL" report.status_extended = f"Autoscaling group {group.name} does not have multiple instance types in multiple Availability Zones." diff --git a/prowler/providers/aws/services/autoscaling/autoscaling_group_using_ec2_launch_template/autoscaling_group_using_ec2_launch_template.py b/prowler/providers/aws/services/autoscaling/autoscaling_group_using_ec2_launch_template/autoscaling_group_using_ec2_launch_template.py index 1bd61ade66b..06cb8a1c1d9 100644 --- a/prowler/providers/aws/services/autoscaling/autoscaling_group_using_ec2_launch_template/autoscaling_group_using_ec2_launch_template.py +++ b/prowler/providers/aws/services/autoscaling/autoscaling_group_using_ec2_launch_template/autoscaling_group_using_ec2_launch_template.py @@ -8,7 +8,7 @@ class autoscaling_group_using_ec2_launch_template(Check): def execute(self): findings = [] for group in autoscaling_client.groups: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=group) + report = Check_Report_AWS(metadata=self.metadata(), resource=group) report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_inside_vpc/awslambda_function_inside_vpc.py b/prowler/providers/aws/services/awslambda/awslambda_function_inside_vpc/awslambda_function_inside_vpc.py index 3f6651e7311..de0d1d287c6 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_inside_vpc/awslambda_function_inside_vpc.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_inside_vpc/awslambda_function_inside_vpc.py 
@@ -8,9 +8,7 @@ class awslambda_function_inside_vpc(Check): def execute(self) -> List[Check_Report_AWS]: findings = [] for function_arn, function in awslambda_client.functions.items(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=function) report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py index ff00b1d8281..ae828fd1b26 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py @@ -9,9 +9,7 @@ class awslambda_function_invoke_api_operations_cloudtrail_logging_enabled(Check) def execute(self): findings = [] for function in awslambda_client.functions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=function) report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py b/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py index d1fe05379ca..05ffd2bdc5d 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py 
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.py @@ -16,7 +16,7 @@ def execute(self): for function, function_code in awslambda_client._get_function_code(): if function_code: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function + metadata=self.metadata(), resource=function ) report.status = "PASS" diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.py b/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.py index 7a3dd74a669..3be5bafa188 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.py @@ -13,9 +13,7 @@ def execute(self): "secrets_ignore_patterns", [] ) for function in awslambda_client.functions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=function) report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py b/prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py index dd8046bd461..4ab57e0de8b 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py 
@@ -7,9 +7,7 @@ class awslambda_function_not_publicly_accessible(Check): def execute(self): findings = [] for function in awslambda_client.functions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=function) report.status = "PASS" report.status_extended = f"Lambda function {function.name} has a policy resource-based policy not public." diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.py b/prowler/providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.py index 6c756563798..8252337ff49 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.py @@ -6,9 +6,7 @@ class awslambda_function_url_cors_policy(Check): def execute(self): findings = [] for function in awslambda_client.functions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=function) if function.url_config: if "*" in function.url_config.cors_config.allow_origins: diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.py b/prowler/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.py index 6a4bd383b34..cf4247f2191 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.py 
@@ -7,9 +7,7 @@ class awslambda_function_url_public(Check): def execute(self): findings = [] for function in awslambda_client.functions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=function) if function.url_config: if function.url_config.auth_type == AuthType.AWS_IAM: diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py b/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py index c34f24e06f0..8845f1e54df 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.py @@ -33,9 +33,7 @@ def execute(self): findings = [] for function in awslambda_client.functions.values(): if function.runtime: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=function) if function.runtime in awslambda_client.audit_config.get( "obsolete_lambda_runtimes", default_obsolete_lambda_runtimes diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_vpc_multi_az/awslambda_function_vpc_multi_az.py b/prowler/providers/aws/services/awslambda/awslambda_function_vpc_multi_az/awslambda_function_vpc_multi_az.py index 27bc24483e7..50e32f869fa 100644 --- a/prowler/providers/aws/services/awslambda/awslambda_function_vpc_multi_az/awslambda_function_vpc_multi_az.py +++ b/prowler/providers/aws/services/awslambda/awslambda_function_vpc_multi_az/awslambda_function_vpc_multi_az.py 
@@ -16,9 +16,7 @@ def execute(self) -> list[Check_Report_AWS]: awslambda_function_inside_vpc.__name__, function_arn, ): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=function) report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py b/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py index 84f60beee54..25c45be4e06 100644 --- a/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py +++ b/prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py @@ -8,14 +8,14 @@ def execute(self): if backup_client.backup_plans: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=backup_client.backup_plans[0], + resource=backup_client.backup_plans[0], ) report.status = "PASS" report.status_extended = f"At least one Backup Plan exists: {backup_client.backup_plans[0].name}." report.resource_id = backup_client.backup_plans[0].name findings.append(report) elif backup_client.backup_vaults: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata={}) + report = Check_Report_AWS(metadata=self.metadata(), resource={}) report.region = backup_client.region report.status = "FAIL" report.status_extended = "No Backup Plan exist." diff --git a/prowler/providers/aws/services/backup/backup_recovery_point_encrypted/backup_recovery_point_encrypted.py b/prowler/providers/aws/services/backup/backup_recovery_point_encrypted/backup_recovery_point_encrypted.py index bcd80ab82ec..913980b2eef 100644 --- a/prowler/providers/aws/services/backup/backup_recovery_point_encrypted/backup_recovery_point_encrypted.py +++ b/prowler/providers/aws/services/backup/backup_recovery_point_encrypted/backup_recovery_point_encrypted.py 
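Review bot: In backup_plans_exist the FAIL branch passes `resource={}`, so the finding would carry an empty object as its resource metadata and the only identifying field set inside the hunk is `report.region = backup_client.region`; the lines after the hunk are not visible, so resource_id/resource_arn may be set there, but the resource payload itself stays empty. backup_reportplans_exist and backup_vaults_exist below have the same issue: the first builds a report-plan finding from `backup_client.backup_plans[0]`, a backup plan rather than a report plan, and the second passes the whole `backup_client.backup_vaults` list, so the emitted resource is either an unrelated object or every vault in the account. For these account-level findings it would be more consistent to construct the report from a small account-level object carrying `backup_client.audited_account` and the matching ARN template, which those checks already assign to `report.resource_id` and `report.resource_arn` by hand, instead of whatever object happens to be available.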
@@ -6,9 +6,7 @@ class backup_recovery_point_encrypted(Check): def execute(self): findings = [] for recovery_point in backup_client.recovery_points: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=recovery_point - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=recovery_point) report.region = recovery_point.backup_vault_region report.status = "FAIL" report.status_extended = f"Backup Recovery Point {recovery_point.id} for Backup Vault {recovery_point.backup_vault_name} is not encrypted at rest." diff --git a/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py b/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py index 2998054f6ce..f838ee0a82a 100644 --- a/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py +++ b/prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py @@ -9,7 +9,7 @@ def execute(self): if backup_client.backup_plans: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=backup_client.backup_plans[0], + resource=backup_client.backup_plans[0], ) report.resource_arn = backup_client.report_plan_arn_template report.resource_id = backup_client.audited_account @@ -19,7 +19,7 @@ def execute(self): if backup_client.backup_report_plans: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=backup_client.backup_report_plans[0], + resource=backup_client.backup_report_plans[0], ) report.status = "PASS" report.status_extended = f"At least one backup report plan exists: {backup_client.backup_report_plans[0].name}." diff --git a/prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.py b/prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.py index 8dd09ec73b8..b307b7ed483 100644 --- a/prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.py 
+++ b/prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.py @@ -8,7 +8,7 @@ def execute(self): if backup_client.backup_vaults: for backup_vault in backup_client.backup_vaults: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=backup_vault + metadata=self.metadata(), resource=backup_vault ) report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py index e7da76c2f91..4f861a96bc6 100644 --- a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py +++ b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py @@ -7,7 +7,7 @@ def execute(self): findings = [] if backup_client.backup_vaults is not None: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=backup_client.backup_vaults + metadata=self.metadata(), resource=backup_client.backup_vaults ) report.resource_arn = backup_client.backup_vault_arn_template report.resource_id = backup_client.audited_account @@ -18,7 +18,7 @@ def execute(self): if backup_client.backup_vaults: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=backup_client.backup_vaults[0], + resource=backup_client.backup_vaults[0], ) report.status = "PASS" report.status_extended = f"At least one backup vault exists: {backup_client.backup_vaults[0].name}." diff --git a/prowler/providers/aws/services/bedrock/bedrock_agent_guardrail_enabled/bedrock_agent_guardrail_enabled.py b/prowler/providers/aws/services/bedrock/bedrock_agent_guardrail_enabled/bedrock_agent_guardrail_enabled.py index c7ffd6baf29..233de972cd9 100644 --- a/prowler/providers/aws/services/bedrock/bedrock_agent_guardrail_enabled/bedrock_agent_guardrail_enabled.py +++ b/prowler/providers/aws/services/bedrock/bedrock_agent_guardrail_enabled/bedrock_agent_guardrail_enabled.py 
@@ -8,7 +8,7 @@ class bedrock_agent_guardrail_enabled(Check): def execute(self): findings = [] for agent in bedrock_agent_client.agents.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=agent) + report = Check_Report_AWS(metadata=self.metadata(), resource=agent) report.status = "FAIL" report.status_extended = f"Bedrock Agent {agent.name} is not using any guardrail to protect agent sessions." if agent.guardrail_id: diff --git a/prowler/providers/aws/services/bedrock/bedrock_guardrail_prompt_attack_filter_enabled/bedrock_guardrail_prompt_attack_filter_enabled.py b/prowler/providers/aws/services/bedrock/bedrock_guardrail_prompt_attack_filter_enabled/bedrock_guardrail_prompt_attack_filter_enabled.py index ff173385104..c6ee5f17f32 100644 --- a/prowler/providers/aws/services/bedrock/bedrock_guardrail_prompt_attack_filter_enabled/bedrock_guardrail_prompt_attack_filter_enabled.py +++ b/prowler/providers/aws/services/bedrock/bedrock_guardrail_prompt_attack_filter_enabled/bedrock_guardrail_prompt_attack_filter_enabled.py @@ -6,9 +6,7 @@ class bedrock_guardrail_prompt_attack_filter_enabled(Check): def execute(self): findings = [] for guardrail in bedrock_client.guardrails.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=guardrail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=guardrail) report.status = "PASS" report.status_extended = f"Bedrock Guardrail {guardrail.name} is configured to detect and block prompt attacks with a HIGH strength." if not guardrail.prompt_attack_filter_strength: diff --git a/prowler/providers/aws/services/bedrock/bedrock_guardrail_sensitive_information_filter_enabled/bedrock_guardrail_sensitive_information_filter_enabled.py b/prowler/providers/aws/services/bedrock/bedrock_guardrail_sensitive_information_filter_enabled/bedrock_guardrail_sensitive_information_filter_enabled.py index 4789f2fe9f0..5050ee1eb6b 100644 
--- a/prowler/providers/aws/services/bedrock/bedrock_guardrail_sensitive_information_filter_enabled/bedrock_guardrail_sensitive_information_filter_enabled.py +++ b/prowler/providers/aws/services/bedrock/bedrock_guardrail_sensitive_information_filter_enabled/bedrock_guardrail_sensitive_information_filter_enabled.py @@ -6,9 +6,7 @@ class bedrock_guardrail_sensitive_information_filter_enabled(Check): def execute(self): findings = [] for guardrail in bedrock_client.guardrails.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=guardrail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=guardrail) report.status = "PASS" report.status_extended = f"Bedrock Guardrail {guardrail.name} is blocking or masking sensitive information." if not guardrail.sensitive_information_filter: diff --git a/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled.py b/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled.py index 94106128eab..e3f26def23b 100644 --- a/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled.py +++ b/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logging_enabled/bedrock_model_invocation_logging_enabled.py @@ -6,9 +6,7 @@ class bedrock_model_invocation_logging_enabled(Check): def execute(self): findings = [] for region, logging in bedrock_client.logging_configurations.items(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=logging - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=logging) report.region = region report.resource_id = "model-invocation-logging" report.resource_arn = ( 
diff --git a/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled.py b/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled.py index 3a9fe73ec8a..c4adddc3446 100644 --- a/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled.py +++ b/prowler/providers/aws/services/bedrock/bedrock_model_invocation_logs_encryption_enabled/bedrock_model_invocation_logs_encryption_enabled.py @@ -11,9 +11,7 @@ def execute(self): if logging.enabled: s3_encryption = True cloudwatch_encryption = True - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=logging - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=logging) report.region = region report.resource_id = "model-invocation-logging" report.resource_arn = ( diff --git a/prowler/providers/aws/services/cloudformation/cloudformation_stack_cdktoolkit_bootstrap_version/cloudformation_stack_cdktoolkit_bootstrap_version.py b/prowler/providers/aws/services/cloudformation/cloudformation_stack_cdktoolkit_bootstrap_version/cloudformation_stack_cdktoolkit_bootstrap_version.py index 43ec3f8b9c0..13a185255b6 100644 --- a/prowler/providers/aws/services/cloudformation/cloudformation_stack_cdktoolkit_bootstrap_version/cloudformation_stack_cdktoolkit_bootstrap_version.py +++ b/prowler/providers/aws/services/cloudformation/cloudformation_stack_cdktoolkit_bootstrap_version/cloudformation_stack_cdktoolkit_bootstrap_version.py 
@@ -23,9 +23,7 @@ def execute(self): bootstrap_version = int(output.split(":")[1]) break if bootstrap_version: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=stack - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=stack) report.status = "PASS" report.status_extended = f"CloudFormation Stack CDKToolkit has a Bootstrap version {bootstrap_version}, which meets the recommended version." if bootstrap_version < recommended_cdk_bootstrap_version: diff --git a/prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.py b/prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.py index e831159379c..5a3e3b88894 100644 --- a/prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.py +++ b/prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.py @@ -15,7 +15,7 @@ def execute(self): "secrets_ignore_patterns", [] ) for stack in cloudformation_client.stacks: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=stack) + report = Check_Report_AWS(metadata=self.metadata(), resource=stack) report.status = "PASS" report.status_extended = ( f"No secrets found in CloudFormation Stack {stack.name} Outputs." diff --git a/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py b/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py index 1f1ec927892..3d60c51349c 100644 --- a/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py 
+++ b/prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.py @@ -12,9 +12,7 @@ def execute(self): findings = [] for stack in cloudformation_client.stacks: if not stack.is_nested_stack: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=stack - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=stack) if stack.enable_termination_protection: report.status = "PASS" diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_custom_ssl_certificate/cloudfront_distributions_custom_ssl_certificate.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_custom_ssl_certificate/cloudfront_distributions_custom_ssl_certificate.py index eff654193c7..f1784980606 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_custom_ssl_certificate/cloudfront_distributions_custom_ssl_certificate.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_custom_ssl_certificate/cloudfront_distributions_custom_ssl_certificate.py @@ -8,9 +8,7 @@ class cloudfront_distributions_custom_ssl_certificate(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) report.status = "PASS" report.status_extended = f"CloudFront Distribution {distribution.id} is using a custom SSL/TLS certificate." diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_default_root_object/cloudfront_distributions_default_root_object.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_default_root_object/cloudfront_distributions_default_root_object.py index a50e0328fd8..5893f392eb0 100644 
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_default_root_object/cloudfront_distributions_default_root_object.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_default_root_object/cloudfront_distributions_default_root_object.py @@ -8,9 +8,7 @@ class cloudfront_distributions_default_root_object(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) if distribution.default_root_object: report.status = "PASS" diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.py index 36ba2af5f72..04715773060 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.py @@ -8,9 +8,7 @@ class cloudfront_distributions_field_level_encryption_enabled(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) if ( distribution.default_cache_config and distribution.default_cache_config.field_level_encryption_id 
diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.py index d6b0f9aea58..aa329e010be 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.py @@ -11,9 +11,7 @@ class cloudfront_distributions_geo_restrictions_enabled(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) if distribution.geo_restriction_type == GeoRestrictionType.none: report.status = "FAIL" diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.py index b4ad118d2d8..4e79b626bac 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.py 
@@ -11,9 +11,7 @@ class cloudfront_distributions_https_enabled(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) if ( distribution.default_cache_config diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.py index 1ba4aba396b..8c205800e93 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.py @@ -13,7 +13,7 @@ def execute(self): for distribution in cloudfront_client.distributions.values(): if distribution.certificate: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution + metadata=self.metadata(), resource=distribution ) if distribution.ssl_support_method == SSLSupportMethod.sni_only: diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.py index 3400632da5a..a3728731a98 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.py 
@@ -8,9 +8,7 @@ class cloudfront_distributions_logging_enabled(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) if distribution.logging_enabled or ( distribution.default_cache_config and distribution.default_cache_config.realtime_log_config_arn diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_multiple_origin_failover_configured/cloudfront_distributions_multiple_origin_failover_configured.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_multiple_origin_failover_configured/cloudfront_distributions_multiple_origin_failover_configured.py index fcaf73ef625..f0e8d0ed1ec 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_multiple_origin_failover_configured/cloudfront_distributions_multiple_origin_failover_configured.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_multiple_origin_failover_configured/cloudfront_distributions_multiple_origin_failover_configured.py @@ -8,9 +8,7 @@ class cloudfront_distributions_multiple_origin_failover_configured(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) report.status = "FAIL" report.status_extended = f"CloudFront Distribution {distribution.id} does not have an origin group configured with at least 2 origins." 
diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py index 50a7ce27216..0046ecb570a 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py @@ -8,9 +8,7 @@ class cloudfront_distributions_origin_traffic_encrypted(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) report.status = "PASS" report.status_extended = f"CloudFront Distribution {distribution.id} does encrypt traffic to custom origins." unencrypted_origins = [] diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_access_control/cloudfront_distributions_s3_origin_access_control.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_access_control/cloudfront_distributions_s3_origin_access_control.py index ef4dddd24f0..cfc66dbd999 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_access_control/cloudfront_distributions_s3_origin_access_control.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_access_control/cloudfront_distributions_s3_origin_access_control.py 
@@ -8,9 +8,7 @@ class cloudfront_distributions_s3_origin_access_control(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) if any(origin.s3_origin_config for origin in distribution.origins): s3_buckets_with_no_oac = [] diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.py index d110e5e9bf6..a9da703239a 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.py @@ -9,9 +9,7 @@ class cloudfront_distributions_s3_origin_non_existent_bucket(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) report.status = "PASS" report.status_extended = f"CloudFront Distribution {distribution.id} does not have non-existent S3 buckets as origins." non_existent_buckets = [] 
diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.py index 32cd6632bb4..2cd37b6a261 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.py @@ -11,9 +11,7 @@ class cloudfront_distributions_using_deprecated_ssl_protocols(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) report.status = "PASS" report.status_extended = f"CloudFront Distribution {distribution.id} is not using a deprecated SSL protocol." diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.py index ed734e1cb43..6554bda7981 100644 --- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.py +++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.py 
@@ -8,9 +8,7 @@ class cloudfront_distributions_using_waf(Check): def execute(self): findings = [] for distribution in cloudfront_client.distributions.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=distribution - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=distribution) if distribution.web_acl_id: report.status = "PASS" report.status_extended = f"CloudFront Distribution {distribution.id} is using AWS WAF web ACL {distribution.web_acl_id}." diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py index cad1117bf90..8d528fda823 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.py @@ -13,9 +13,7 @@ def execute(self): if trail.is_logging: trail_bucket_is_in_account = False trail_bucket = trail.s3_bucket - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=trail) report.region = trail.home_region report.status = "FAIL" report.status_extended = f"Trail {trail.name} bucket ({trail_bucket}) does not have MFA delete enabled." diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.py index 3d8f679a68f..1b589d5cacc 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.py 
+++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.py @@ -14,9 +14,7 @@ def execute(self): if cloudtrail_client.trails is not None: for trail in cloudtrail_client.trails.values(): if trail.name: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=trail) report.region = trail.home_region report.status = "PASS" if trail.is_multiregion: diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.py index c8d3ccd1445..974a97e6c21 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.py @@ -10,9 +10,7 @@ def execute(self): if cloudtrail_client.trails is not None: for trail in cloudtrail_client.trails.values(): if trail.is_logging: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=trail) report.region = trail.home_region report.status = "FAIL" report.status_extended = f"Trail {trail.name} does not have insight selectors and it is logging." diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.py index a77434a672b..872633a696e 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.py 
@@ -10,9 +10,7 @@ def execute(self): if cloudtrail_client.trails is not None: for trail in cloudtrail_client.trails.values(): if trail.name: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=trail) report.region = trail.home_region report.status = "FAIL" if trail.is_multiregion: diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.py index f94a8013324..05bb0b48434 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.py @@ -10,9 +10,7 @@ def execute(self): if cloudtrail_client.trails is not None: for trail in cloudtrail_client.trails.values(): if trail.name: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=trail) report.region = trail.home_region report.status = "FAIL" if trail.is_multiregion: diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py index 05db2774342..f148a83e679 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.py 
@@ -13,9 +13,7 @@ def execute(self): if trail.name: trail_bucket_is_in_account = False trail_bucket = trail.s3_bucket - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=trail) report.region = trail.home_region report.status = "FAIL" if trail.is_multiregion: diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py index 99dc193821b..d673c444fae 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.py @@ -13,9 +13,7 @@ def execute(self): if trail.name: trail_bucket_is_in_account = False trail_bucket = trail.s3_bucket - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=trail) report.region = trail.home_region report.status = "PASS" if trail.is_multiregion: diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py index 1602cb105fe..0c8ca0439f3 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py 
@@ -12,7 +12,7 @@ def execute(self): for trail in cloudtrail_client.trails.values(): if trail.region == region or trail.is_multiregion: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail + metadata=self.metadata(), resource=trail ) report.region = region if trail.is_logging: diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py index 90219b46159..6997ed9969d 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py @@ -10,7 +10,7 @@ def execute(self): if cloudtrail_client.trails is not None: for region in cloudtrail_client.regional_clients.keys(): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.status = "FAIL" report.status_extended = "No CloudTrail trails enabled and logging management events were found." @@ -48,7 +48,7 @@ def execute(self): trail_is_logging_management_events = True if trail_is_logging_management_events: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail + metadata=self.metadata(), resource=trail ) report.region = region report.status = "PASS" 
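Review bot: In the first cloudtrail_multi_region_enabled_logging_management_events hunk, `resource=cloudtrail_client.trails` hands the whole trails mapping to the report inside a loop that emits one such FAIL finding per region; a dict exposes no `id`, `name` or `arn` attribute to derive the resource identifiers from, and if the resource object is now serialized into the output formats (the apparent purpose of making it a mandatory argument), every one of those per-region findings would embed the full trail inventory. The finding is account-scoped, so the resource should be the account, as the sibling CloudTrail checks do with `cloudtrail_client.audited_account` and `cloudtrail_client.trail_arn_template`; consider `report = Check_Report_AWS(metadata=self.metadata(), resource={})` followed by `report.resource_id = cloudtrail_client.audited_account` and `report.resource_arn = cloudtrail_client.trail_arn_template`, unless the lines after this hunk already set them. The body of `execute` continues outside the hunk.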
diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py index b95be4d1159..34d7a3dc209 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py @@ -29,7 +29,7 @@ def execute(self): ): report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=trail, + resource=trail, ) report.region = trail.home_region report.status = "PASS" @@ -45,7 +45,7 @@ def execute(self): and field_selector["Equals"][0] == "AWS::S3::Object" ): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail + metadata=self.metadata(), resource=trail ) report.region = trail.home_region report.status = "PASS" @@ -55,7 +55,7 @@ def execute(self): s3_client.buckets or cloudtrail_client.provider.scan_unused_services ): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.region = cloudtrail_client.region report.resource_arn = cloudtrail_client.trail_arn_template diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py index 5e6b8a0a282..5a0e5c43a43 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py 
@@ -29,7 +29,7 @@ def execute(self): ): report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=trail, + resource=trail, ) report.region = trail.home_region report.status = "PASS" @@ -45,7 +45,7 @@ def execute(self): and field_selector["Equals"][0] == "AWS::S3::Object" ): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=trail + metadata=self.metadata(), resource=trail ) report.region = trail.home_region report.status = "PASS" @@ -55,7 +55,7 @@ def execute(self): s3_client.buckets or cloudtrail_client.provider.scan_unused_services ): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.region = cloudtrail_client.region report.resource_arn = cloudtrail_client.trail_arn_template diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py index b072d4acca7..32b2ecc8462 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py @@ -160,7 +160,7 @@ def execute(self): if len(actions) / len(enumeration_actions) > threshold: found_potential_enumeration = True report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.region = cloudtrail_client.region report.resource_id = aws_identity_arn.split("/")[-1] 
@@ -170,7 +170,7 @@ def execute(self): findings.append(report) if not found_potential_enumeration: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.region = cloudtrail_client.region report.resource_id = cloudtrail_client.audited_account diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.py index 9eb3ab23ec4..8a10c1d1874 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.py @@ -82,7 +82,7 @@ def execute(self): if len(actions) / len(llm_jacking_actions) > threshold: found_potential_llm_jacking = True report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.region = cloudtrail_client.region report.resource_id = aws_identity_arn.split("/")[-1] @@ -92,7 +92,7 @@ def execute(self): findings.append(report) if not found_potential_llm_jacking: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.region = cloudtrail_client.region report.resource_id = cloudtrail_client.audited_account diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py index 8ae7ce3a5c9..da69627d489 100644 
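Review bot: The enumeration and llm_jacking findings created here attach `cloudtrail_client.trails` as the resource while `report.resource_id` is set from `aws_identity_arn`, so the resource object and the resource identifiers describe different things; the subject of the finding is the principal, not the trails. If the resource object is serialized into the outputs, each per-identity finding would carry the full trail inventory (S3 bucket names and whatever else the trail model holds) that has nothing to do with that principal, and the same dump would be repeated for every flagged identity. A resource that matches the identifiers is preferable, e.g. `resource={}` as the CloudWatch alarm checks in this series do, or a small object describing the principal, while keeping the explicit `report.resource_id` / `report.resource_arn` assignments. The same pattern appears in the privilege-escalation check that follows, and `execute` continues outside these hunks.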
--- a/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.py @@ -123,7 +123,7 @@ def execute(self): if len(actions) / len(privilege_escalation_actions) > threshold: found_potential_privilege_escalation = True report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.region = cloudtrail_client.region report.resource_id = aws_identity_arn.split("/")[-1] @@ -133,7 +133,7 @@ def execute(self): findings.append(report) if not found_potential_privilege_escalation: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cloudtrail_client.trails + metadata=self.metadata(), resource=cloudtrail_client.trails ) report.region = cloudtrail_client.region report.resource_id = cloudtrail_client.audited_account diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.py index 87e40da8290..c54f8420277 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_alarm_state_configured/cloudwatch_alarm_actions_alarm_state_configured.py 
@@ -8,9 +8,7 @@ class cloudwatch_alarm_actions_alarm_state_configured(Check):
 def execute(self):
 findings = []
 for metric_alarm in cloudwatch_client.metric_alarms:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=metric_alarm
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=metric_alarm)
 report.status = "PASS"
 report.status_extended = f"CloudWatch metric alarm {metric_alarm.name} has actions configured for the ALARM state."
 if not metric_alarm.alarm_actions:
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.py
index 5a76e480b7f..1dbe5f084e8 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_alarm_actions_enabled/cloudwatch_alarm_actions_enabled.py
@@ -8,9 +8,7 @@ class cloudwatch_alarm_actions_enabled(Check):
 def execute(self):
 findings = []
 for metric_alarm in cloudwatch_client.metric_alarms:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=metric_alarm
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=metric_alarm)
 report.status = "PASS"
 report.status_extended = (
 f"CloudWatch metric alarm {metric_alarm.name} has actions enabled."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
index 3eb5e36e4c8..20d68a0121e 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
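Review bot: Both alarm hunks now call `Check_Report_AWS(metadata=self.metadata(), resource=metric_alarm)`, but nothing visible in this diff shows the constructor accepting a keyword named `resource`; if it still binds the second argument as `resource_metadata`, every check touched here fails with a `TypeError` at run time rather than at import, and only a test that actually executes each check would notice. Worth confirming the constructor signature matches the keyword used at all these call sites and adding one constructor-level test of the form `Check_Report_AWS(metadata=..., resource=obj)` so the rename cannot silently drift again. `execute` continues outside both hunks.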
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py
index e5cb9c6e067..5f6eda39730 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
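Review bot: `resource={}` gives the constructor a plain dict that has none of the `id`/`arn`/`region` attributes a resource object carries, so the account-level FAIL report starts with empty identifiers and, if `resource` is serialized into outputs, emits an empty object as its resource; only `report.region` is set inside the hunk, so `resource_id`/`resource_arn` are presumably assigned further down, outside it. A one-line comment would stop the next reader from treating the empty dict as a bug: `# account-level finding: no resource object, identifiers are set explicitly below`. The identical fallback report is constructed verbatim in every metric-filter check in this diff (network ACLs, gateways, route tables, VPCs and the rest), so it would be a natural candidate to live next to the shared `check_cloudwatch_log_metric_filter` helper instead of being repeated; `execute` starts and ends outside the hunk.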
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py
index 559c3f35922..f8fcc8eacbc 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py
index 58469d1ea89..d7606647c48 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py
index db6c5735070..e986f91debe 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 if iam_client.roles is not None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.roles
+ metadata=self.metadata(), resource=iam_client.roles
 )
 report.status = "PASS"
 report.status_extended = "CloudWatch doesn't allow cross-account sharing."
@@ -16,9 +16,7 @@ def execute(self):
 report.resource_id = iam_client.audited_account
 for role in iam_client.roles:
 if role.name == "CloudWatch-CrossAccountSharingRole":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=role
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=role)
 report.region = iam_client.region
 report.status = "FAIL"
 report.status_extended = (
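Review bot: In the cross-account-sharing check the PASS report is built with `resource=iam_client.roles`, the full list of IAM roles, while the FAIL report a few lines later is built with the single `role` it is about; if `resource` is serialized into outputs, the passing finding carries every role in the account (trust policies included, should the role model hold them) for a result that says nothing about any particular role. Passing `resource={}` for the account-level PASS, as the metric-filter checks in this diff do, and keeping `resource=role` for the FAIL would keep the emitted resource metadata proportional to what the finding reports. `execute` continues outside both hunks.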
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.py
index 3eedcb4fbd0..1ca9fdf2128 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_kms_encryption_enabled/cloudwatch_log_group_kms_encryption_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 if logs_client.log_groups:
 for log_group in logs_client.log_groups.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=log_group
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=log_group)
 if log_group.kms_id:
 report.status = "PASS"
 report.status_extended = f"Log Group {log_group.name} does have AWS KMS key {log_group.kms_id} associated."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.py
index d77a27e2686..010a5b81fb5 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_no_secrets_in_logs/cloudwatch_log_group_no_secrets_in_logs.py
@@ -16,9 +16,7 @@ def execute(self):
 "secrets_ignore_patterns", []
 )
 for log_group in logs_client.log_groups.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=log_group
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=log_group)
 report.status = "PASS"
 report.status_extended = (
 f"No secrets found in {log_group.name} log group."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.py
index d8d0d412bb5..1f46d026ad2 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_not_publicly_accessible/cloudwatch_log_group_not_publicly_accessible.py
@@ -25,9 +25,7 @@ def execute(self):
 if log_group.arn in resource or resource == "*":
 public_log_groups.append(log_group.arn)
 for log_group in logs_client.log_groups.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=log_group
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=log_group)
 report.status = "PASS"
 report.status_extended = (
 f"Log Group {log_group.name} is not publicly accessible."
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.py
index 4fd0593be21..2eb6d5bffc8 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_group_retention_policy_specific_days_enabled/cloudwatch_log_group_retention_policy_specific_days_enabled.py
@@ -12,9 +12,7 @@ def execute(self):
 )
 if logs_client.log_groups:
 for log_group in logs_client.log_groups.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=log_group
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=log_group)
 if (
 log_group.never_expire is False
 and log_group.retention_days < specific_retention_days
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py
index 95d6f29ecf9..11bf08d99db 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py
@@ -28,9 +28,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py
index a10e3bcce1b..eb272ecfb10 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py
@@ -28,9 +28,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py
index cd20ac32766..c217cbbaf63 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py
index 35b28733561..af7ec82119e 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py
index 716a7fe30e7..4cfed985f7c 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py
index f8cf5e79ce3..45d09b35284 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py
index ca4d0770b9d..f5efd04dde6 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py
index ab0d2d35dff..acdb49a9dc6 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py
index 4750cc05429..a7972e420cf 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py
index 4ff1616a6c4..8437600646d 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py
index e4cd26b9e02..a328560ee33 100644
--- a/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py
+++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py
@@ -26,9 +26,7 @@ def execute(self):
 if cloudtrail_client.trails is not None:
 if report is None:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.status_extended = "No CloudWatch log groups found with metric filters or alarms associated."
 report.region = logs_client.region
diff --git a/prowler/providers/aws/services/cloudwatch/lib/metric_filters.py b/prowler/providers/aws/services/cloudwatch/lib/metric_filters.py
index f2e1d51a9d4..84d70b40838 100644
--- a/prowler/providers/aws/services/cloudwatch/lib/metric_filters.py
+++ b/prowler/providers/aws/services/cloudwatch/lib/metric_filters.py
@@ -23,7 +23,7 @@ def check_cloudwatch_log_metric_filter(
 metric_filter_pattern, metric_filter.pattern, flags=re.DOTALL
 ):
 report = Check_Report_AWS(
- metadata=metadata, resource_metadata=metric_filter.log_group
+ metadata=metadata, resource=metric_filter.log_group
 )
 report.status = "FAIL"
 report.status_extended = f"CloudWatch log group {metric_filter.log_group.name} found with metric filter {metric_filter.name} but no alarms associated."
diff --git a/prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.py b/prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.py
index f32db868f87..9f4692020ce 100644
--- a/prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.py
+++ b/prowler/providers/aws/services/codeartifact/codeartifact_packages_external_public_publishing_disabled/codeartifact_packages_external_public_publishing_disabled.py
@@ -13,9 +13,7 @@ def execute(self):
 findings = []
 for repository in codeartifact_client.repositories.values():
 for package in repository.packages:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=repository
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=repository)
 report.resource_id = f"{repository.domain_name}/{package.name}"
 report.resource_arn = f"{repository.arn}/{package.namespace + ':' if package.namespace else ''}{package.name}"
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.py b/prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.py
index 4bd116f5ca4..2bd22e09ee8 100644
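Review bot: In the codeartifact hunk `resource=repository` is passed while `resource_id` and `resource_arn` on the next two lines are rewritten to identify the individual `package`, so the resource object and the identifiers describe different things; if `resource` is serialized into outputs, each package-level finding would carry the whole repository (presumably including its full `packages` list) once per package. Passing `resource=package` and keeping the explicit id/arn overrides, if the package model carries the attributes the constructor reads, or else documenting the choice with `# resource object is the repository; resource_id/resource_arn below identify the package`, would make the output self-consistent. The package loop continues outside the hunk.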
--- a/prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_logging_enabled/codebuild_project_logging_enabled.py
@@ -6,9 +6,7 @@ class codebuild_project_logging_enabled(Check):
 def execute(self):
 findings = []
 for project in codebuild_client.projects.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=project
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=project)
 report.status = "PASS"
 if project.cloudwatch_logs.enabled and project.s3_logs.enabled:
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.py b/prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.py
index a854c9e53b7..d78e0d5f697 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_no_secrets_in_variables/codebuild_project_no_secrets_in_variables.py
@@ -15,9 +15,7 @@ def execute(self):
 "secrets_ignore_patterns", []
 )
 for project in codebuild_client.projects.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=project
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=project)
 report.status = "PASS"
 report.status_extended = f"CodeBuild project {project.name} does not have sensitive environment plaintext credentials."
 secrets_found = []
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py b/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
index a9483111446..84c2a654e55 100644
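Review bot: `resource=project` in the `codebuild_project_no_secrets_in_variables` hunk attaches the project object to a finding whose whole purpose is to flag plaintext credentials in that project's environment variables (`secrets_found` is collected right after, outside the hunk); if the environment variable values are part of that object and `resource` is serialized into outputs, a FAIL finding ships the secret it just detected into every report file and downstream integration. Either pass a copy with the variable values stripped or masked, or make sure the output layer never emits them, and say so next to the call: `# never serialize env var values: this check exists because they may hold secrets`. `execute` continues outside the hunk.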
--- a/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
@@ -8,9 +8,7 @@ class codebuild_project_older_90_days(Check):
 def execute(self):
 findings = []
 for project in codebuild_client.projects.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=project
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=project)
 report.status = "PASS"
 report.status_extended = f"CodeBuild project {project.name} has been invoked in the last 90 days."
 if project.last_invoked_time:
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.py b/prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.py
index 4db12b475db..8fe97ebd9ad 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_s3_logs_encrypted/codebuild_project_s3_logs_encrypted.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for project in codebuild_client.projects.values():
 if project.s3_logs.enabled:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=project
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=project)
 report.status = "PASS"
 report.status_extended = f"CodeBuild project {project.name} has encrypted S3 logs stored in {project.s3_logs.bucket_location}."
 if not project.s3_logs.encrypted:
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.py b/prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.py
index 63288dc4682..44663d5bf90 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_source_repo_url_no_sensitive_credentials/codebuild_project_source_repo_url_no_sensitive_credentials.py
@@ -10,9 +10,7 @@ def execute(self):
 token_pattern = re.compile(r"https://x-token-auth:[^@]+@bitbucket\.org/.+\.git")
 user_pass_pattern = re.compile(r"https://[^:]+:[^@]+@bitbucket\.org/.+\.git")
 for project in codebuild_client.projects.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=project
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=project)
 report.status = "PASS"
 report.status_extended = f"CodeBuild project {project.name} does not contain sensitive credentials in any source repository URLs."
 secrets_found = []
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py b/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
index 6a8eaf73db2..148b51ba759 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
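Review bot: `resource=project` in the source-repo-URL hunk has the same leak shape as the check's own `token_pattern` and `user_pass_pattern`: those regexes match `https://<user>:<secret>@bitbucket.org/...` in the project's source locations, and if those locations are part of the project object now handed to the finding and serialized into outputs, the credential the check reports as a problem is copied verbatim into the report. Redact the URL userinfo before attaching the object, or ensure the output layer masks it, and record the reason: `# source URLs may embed credentials; never emit them unredacted as resource metadata`. `execute` continues outside the hunk.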
@@ -8,9 +8,7 @@ class codebuild_project_user_controlled_buildspec(Check):
def execute(self):
findings = []
for project in codebuild_client.projects.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=project
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=project)
report.status = "PASS"
report.status_extended = f"CodeBuild project {project.name} does not use an user controlled buildspec."
if project.buildspec:
diff --git a/prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.py b/prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.py
index 599c98e443a..5ce0efe8af0 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_report_group_export_encrypted/codebuild_report_group_export_encrypted.py
@@ -8,7 +8,7 @@ def execute(self):
for report_group in codebuild_client.report_groups.values():
if report_group.export_config and report_group.export_config.type == "S3":
report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=report_group
+ metadata=self.metadata(), resource=report_group
)
report.status = "PASS"
report.status_extended = f"CodeBuild report group {report_group.name} exports are encrypted at {report_group.export_config.bucket_location} with KMS key {report_group.export_config.encryption_key}."
diff --git a/prowler/providers/aws/services/cognito/cognito_identity_pool_guest_access_disabled/cognito_identity_pool_guest_access_disabled.py b/prowler/providers/aws/services/cognito/cognito_identity_pool_guest_access_disabled/cognito_identity_pool_guest_access_disabled.py
index dbff1414aa0..9b07f13c07a 100644
--- a/prowler/providers/aws/services/cognito/cognito_identity_pool_guest_access_disabled/cognito_identity_pool_guest_access_disabled.py
+++ b/prowler/providers/aws/services/cognito/cognito_identity_pool_guest_access_disabled/cognito_identity_pool_guest_access_disabled.py
@@ -8,9 +8,7 @@ class cognito_identity_pool_guest_access_disabled(Check):
def execute(self):
findings = []
for identity_pool in cognito_identity_client.identity_pools.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=identity_pool
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=identity_pool)
report.status = "PASS"
report.status_extended = (
f"Identity pool {identity_pool.id} has guest access disabled."
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_advanced_security_enabled/cognito_user_pool_advanced_security_enabled.py b/prowler/providers/aws/services/cognito/cognito_user_pool_advanced_security_enabled/cognito_user_pool_advanced_security_enabled.py
index 82afbf871c2..49c81cc7858 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_advanced_security_enabled/cognito_user_pool_advanced_security_enabled.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_advanced_security_enabled/cognito_user_pool_advanced_security_enabled.py
@@ -6,7 +6,7 @@ class cognito_user_pool_advanced_security_enabled(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.advanced_security_mode == "ENFORCED":
report.status = "PASS"
report.status_extended = f"User pool {pool.name} has advanced security enforced with full-function mode."
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_blocks_compromised_credentials_sign_in_attempts/cognito_user_pool_blocks_compromised_credentials_sign_in_attempts.py b/prowler/providers/aws/services/cognito/cognito_user_pool_blocks_compromised_credentials_sign_in_attempts/cognito_user_pool_blocks_compromised_credentials_sign_in_attempts.py
index 3c12402c26a..0552c01c577 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_blocks_compromised_credentials_sign_in_attempts/cognito_user_pool_blocks_compromised_credentials_sign_in_attempts.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_blocks_compromised_credentials_sign_in_attempts/cognito_user_pool_blocks_compromised_credentials_sign_in_attempts.py
@@ -6,7 +6,7 @@ class cognito_user_pool_blocks_compromised_credentials_sign_in_attempts(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if (
pool.advanced_security_mode == "ENFORCED"
and "SIGN_IN"
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_blocks_potential_malicious_sign_in_attempts/cognito_user_pool_blocks_potential_malicious_sign_in_attempts.py b/prowler/providers/aws/services/cognito/cognito_user_pool_blocks_potential_malicious_sign_in_attempts/cognito_user_pool_blocks_potential_malicious_sign_in_attempts.py
index 10b001ee3e0..6d0baeded49 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_blocks_potential_malicious_sign_in_attempts/cognito_user_pool_blocks_potential_malicious_sign_in_attempts.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_blocks_potential_malicious_sign_in_attempts/cognito_user_pool_blocks_potential_malicious_sign_in_attempts.py
@@ -6,7 +6,7 @@ class cognito_user_pool_blocks_potential_malicious_sign_in_attempts(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.advanced_security_mode == "ENFORCED" and all(
[
pool.risk_configuration.account_takeover_risk_configuration.low_action
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_client_prevent_user_existence_errors/cognito_user_pool_client_prevent_user_existence_errors.py b/prowler/providers/aws/services/cognito/cognito_user_pool_client_prevent_user_existence_errors/cognito_user_pool_client_prevent_user_existence_errors.py
index 1c81d5959f7..daca17f2e65 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_client_prevent_user_existence_errors/cognito_user_pool_client_prevent_user_existence_errors.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_client_prevent_user_existence_errors/cognito_user_pool_client_prevent_user_existence_errors.py
@@ -8,7 +8,7 @@ def execute(self):
for pool in cognito_idp_client.user_pools.values():
for user_pool_client in pool.user_pool_clients.values():
report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user_pool_client
+ metadata=self.metadata(), resource=user_pool_client
)
report.resource_tags = pool.tags
if user_pool_client.prevent_user_existence_errors == "ENABLED":
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_client_token_revocation_enabled/cognito_user_pool_client_token_revocation_enabled.py b/prowler/providers/aws/services/cognito/cognito_user_pool_client_token_revocation_enabled/cognito_user_pool_client_token_revocation_enabled.py
index e33dc2f5195..cfad0f351ff 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_client_token_revocation_enabled/cognito_user_pool_client_token_revocation_enabled.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_client_token_revocation_enabled/cognito_user_pool_client_token_revocation_enabled.py
@@ -8,7 +8,7 @@ def execute(self):
for pool in cognito_idp_client.user_pools.values():
for pool_client in pool.user_pool_clients.values():
report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=pool_client
+ metadata=self.metadata(), resource=pool_client
)
report.resource_tags = pool.tags
if pool_client.enable_token_revocation:
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_deletion_protection_enabled/cognito_user_pool_deletion_protection_enabled.py b/prowler/providers/aws/services/cognito/cognito_user_pool_deletion_protection_enabled/cognito_user_pool_deletion_protection_enabled.py
index dfb1429d2d4..ced90fc91a8 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_deletion_protection_enabled/cognito_user_pool_deletion_protection_enabled.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_deletion_protection_enabled/cognito_user_pool_deletion_protection_enabled.py
@@ -6,7 +6,7 @@ class cognito_user_pool_deletion_protection_enabled(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.deletion_protection == "ACTIVE":
report.status = "PASS"
report.status_extended = (
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_mfa_enabled/cognito_user_pool_mfa_enabled.py b/prowler/providers/aws/services/cognito/cognito_user_pool_mfa_enabled/cognito_user_pool_mfa_enabled.py
index 53e593e5b82..32b537e0439 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_mfa_enabled/cognito_user_pool_mfa_enabled.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_mfa_enabled/cognito_user_pool_mfa_enabled.py
@@ -6,7 +6,7 @@ class cognito_user_pool_mfa_enabled(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.mfa_config and pool.mfa_config.status == "ON":
report.status = "PASS"
report.status_extended = f"User pool {pool.name} has MFA enabled."
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_lowercase/cognito_user_pool_password_policy_lowercase.py b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_lowercase/cognito_user_pool_password_policy_lowercase.py
index 34c838a0e64..1bd02bea8bb 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_lowercase/cognito_user_pool_password_policy_lowercase.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_lowercase/cognito_user_pool_password_policy_lowercase.py
@@ -6,7 +6,7 @@ class cognito_user_pool_password_policy_lowercase(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.password_policy:
if pool.password_policy.require_lowercase:
report.status = "PASS"
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_minimum_length_14/cognito_user_pool_password_policy_minimum_length_14.py b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_minimum_length_14/cognito_user_pool_password_policy_minimum_length_14.py
index ed373d51ef6..3af91e7a349 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_minimum_length_14/cognito_user_pool_password_policy_minimum_length_14.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_minimum_length_14/cognito_user_pool_password_policy_minimum_length_14.py
@@ -6,7 +6,7 @@ class cognito_user_pool_password_policy_minimum_length_14(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.password_policy:
if pool.password_policy.minimum_length >= 14:
report.status = "PASS"
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_number/cognito_user_pool_password_policy_number.py b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_number/cognito_user_pool_password_policy_number.py
index 66a448e6c2d..a18b164f610 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_number/cognito_user_pool_password_policy_number.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_number/cognito_user_pool_password_policy_number.py
@@ -6,7 +6,7 @@ class cognito_user_pool_password_policy_number(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.password_policy:
if pool.password_policy.require_numbers:
report.status = "PASS"
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_symbol/cognito_user_pool_password_policy_symbol.py b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_symbol/cognito_user_pool_password_policy_symbol.py
index aecc37ee8af..74f2e32931a 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_symbol/cognito_user_pool_password_policy_symbol.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_symbol/cognito_user_pool_password_policy_symbol.py
@@ -6,7 +6,7 @@ class cognito_user_pool_password_policy_symbol(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.password_policy:
if pool.password_policy.require_symbols:
report.status = "PASS"
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_uppercase/cognito_user_pool_password_policy_uppercase.py b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_uppercase/cognito_user_pool_password_policy_uppercase.py
index 7136f7c1df2..c95752683c0 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_uppercase/cognito_user_pool_password_policy_uppercase.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_password_policy_uppercase/cognito_user_pool_password_policy_uppercase.py
@@ -6,7 +6,7 @@ class cognito_user_pool_password_policy_uppercase(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.password_policy:
if pool.password_policy.require_uppercase:
report.status = "PASS"
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_self_registration_disabled/cognito_user_pool_self_registration_disabled.py b/prowler/providers/aws/services/cognito/cognito_user_pool_self_registration_disabled/cognito_user_pool_self_registration_disabled.py
index 6991c017b63..6bdb810e293 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_self_registration_disabled/cognito_user_pool_self_registration_disabled.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_self_registration_disabled/cognito_user_pool_self_registration_disabled.py
@@ -9,9 +9,7 @@ class cognito_user_pool_self_registration_disabled(Check):
def execute(self):
findings = []
for user_pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user_pool
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user_pool)
report.status = "PASS"
report.status_extended = (
f"User pool {user_pool.id} has self registration disabled."
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_temporary_password_expiration/cognito_user_pool_temporary_password_expiration.py b/prowler/providers/aws/services/cognito/cognito_user_pool_temporary_password_expiration/cognito_user_pool_temporary_password_expiration.py
index e603dc1427a..d92711cd472 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_temporary_password_expiration/cognito_user_pool_temporary_password_expiration.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_temporary_password_expiration/cognito_user_pool_temporary_password_expiration.py
@@ -6,7 +6,7 @@ class cognito_user_pool_temporary_password_expiration(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
if pool.password_policy:
if pool.password_policy.temporary_password_validity_days <= 7:
report.status = "PASS"
diff --git a/prowler/providers/aws/services/cognito/cognito_user_pool_waf_acl_attached/cognito_user_pool_waf_acl_attached.py b/prowler/providers/aws/services/cognito/cognito_user_pool_waf_acl_attached/cognito_user_pool_waf_acl_attached.py
index 233b21a8b6d..b7c73b95d6d 100644
--- a/prowler/providers/aws/services/cognito/cognito_user_pool_waf_acl_attached/cognito_user_pool_waf_acl_attached.py
+++ b/prowler/providers/aws/services/cognito/cognito_user_pool_waf_acl_attached/cognito_user_pool_waf_acl_attached.py
@@ -7,7 +7,7 @@ class cognito_user_pool_waf_acl_attached(Check):
def execute(self):
findings = []
for pool in cognito_idp_client.user_pools.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=pool)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=pool)
report.status = "FAIL"
report.status_extended = (
f"Cognito User Pool {pool.name} is not associated with a WAF Web ACL."
diff --git a/prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py b/prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py
index 060150ff7c9..08c86e24916 100644
--- a/prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py
+++ b/prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py
@@ -6,9 +6,7 @@ class config_recorder_all_regions_enabled(Check):
def execute(self):
findings = []
for recorder in config_client.recorders.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=recorder
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=recorder)
report.resource_arn = config_client._get_recorder_arn_template(
recorder.region
)
diff --git a/prowler/providers/aws/services/config/config_recorder_using_aws_service_role/config_recorder_using_aws_service_role.py b/prowler/providers/aws/services/config/config_recorder_using_aws_service_role/config_recorder_using_aws_service_role.py
index 457f0ad6e20..5fbae9f5a53 100644
--- a/prowler/providers/aws/services/config/config_recorder_using_aws_service_role/config_recorder_using_aws_service_role.py
+++ b/prowler/providers/aws/services/config/config_recorder_using_aws_service_role/config_recorder_using_aws_service_role.py
@@ -7,9 +7,7 @@ def execute(self):
findings = []
for recorder in config_client.recorders.values():
if recorder.name and recorder.recording:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=recorder
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=recorder)
report.resource_arn = config_client._get_recorder_arn_template(
recorder.region
)
diff --git a/prowler/providers/aws/services/datasync/datasync_task_logging_enabled/datasync_task_logging_enabled.py b/prowler/providers/aws/services/datasync/datasync_task_logging_enabled/datasync_task_logging_enabled.py
index 65661b1c742..af21bf6ef9f 100644
--- a/prowler/providers/aws/services/datasync/datasync_task_logging_enabled/datasync_task_logging_enabled.py
+++ b/prowler/providers/aws/services/datasync/datasync_task_logging_enabled/datasync_task_logging_enabled.py
@@ -22,7 +22,7 @@ def execute(self) -> List[Check_Report_AWS]:
"""
findings = []
for task in datasync_client.tasks.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=task)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=task)
report.status = "PASS"
report.status_extended = f"DataSync task {task.name} has logging enabled."
diff --git a/prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.py b/prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.py
index f25e12b19a5..0197d826d0f 100644
--- a/prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.py
+++ b/prowler/providers/aws/services/directconnect/directconnect_connection_redundancy/directconnect_connection_redundancy.py
@@ -19,7 +19,7 @@ def execute(self):
for region, connections in regions.items():
report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=connections
+ metadata=self.metadata(), resource=connections
)
report.region = region
report.resource_arn = directconnect_client._get_connection_arn_template(
diff --git a/prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.py b/prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.py
index 622da37a118..cd576a4a279 100644
--- a/prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.py
+++ b/prowler/providers/aws/services/directconnect/directconnect_virtual_interface_redundancy/directconnect_virtual_interface_redundancy.py
@@ -8,7 +8,7 @@ class directconnect_virtual_interface_redundancy(Check):
def execute(self):
findings = []
for vgw in directconnect_client.vgws.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=vgw)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=vgw)
if len(vgw.vifs) < 2:
report.status = "FAIL"
report.status_extended = (
@@ -24,7 +24,7 @@ def execute(self):
findings.append(report)
for dxgw in directconnect_client.dxgws.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=dxgw)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=dxgw)
if len(dxgw.vifs) < 2:
report.status = "FAIL"
report.status_extended = (
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.py b/prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.py
index 8ed8051106f..de53b11c0e9 100644
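Review bot: In the `directconnect_connection_redundancy` hunk, `resource=connections` hands the report a per-region collection rather than a single resource object, so if the AWS report class derives `resource_id`/`resource_arn`/`region` from the resource with `getattr` fallbacks (as it appears to), all three start out as empty strings and whatever the output layer now emits as resource metadata will be the whole list. `report.region` and `report.resource_arn` are set explicitly on the next lines, but no `resource_id` assignment is visible in the hunk, so confirm one exists further down in `execute`, whose body starts and ends outside the hunk. The `dlm_ebs_snapshot_lifecycle_policy_exists` hunk has the same shape with `resource=dlm_client.lifecycle_policies`, which in the branch that creates the finding is an empty container, so that finding will carry no usable resource fields in the outputs; a one-line comment such as `# No per-resource object exists for an account-wide "none found" finding; resource_id/arn are set explicitly below` next to each of these two call sites would at least make the intent explicit, and setting `report.resource_id` to the region or account there would keep the output rows correlatable.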
--- a/prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.py
@@ -8,9 +8,7 @@ class directoryservice_directory_log_forwarding_enabled(Check):
def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=directory
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=directory)
if directory.log_subscriptions:
report.status = "PASS"
report.status_extended = f"Directory Service {directory.id} have log forwarding to CloudWatch enabled."
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.py b/prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.py
index 40df7034cf1..91ea0bd249f 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.py
@@ -8,9 +8,7 @@ class directoryservice_directory_monitor_notifications(Check):
def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=directory
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=directory)
if directory.event_topics:
report.status = "PASS"
report.status_extended = (
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.py b/prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.py
index 0f18693545a..55d38d9706b 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.py
@@ -11,9 +11,7 @@ class directoryservice_directory_snapshots_limit(Check):
def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=directory
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=directory)
if directory.snapshots_limits:
if directory.snapshots_limits.manual_snapshots_limit_reached:
report.status = "FAIL"
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.py b/prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.py
index bae1e8d1b5c..402c4ea42f0 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.py
@@ -14,9 +14,7 @@ def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
for certificate in directory.certificates:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=directory
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=directory)
report.resource_id = certificate.id
remaining_days_to_expire = (
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.py b/prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.py
index 4d72ff0fb73..c1f4c24424e 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.py
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.py
@@ -12,9 +12,7 @@ def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
if directory.radius_settings:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=directory
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=directory)
if (
directory.radius_settings.authentication_protocol
== AuthenticationProtocol.MS_CHAPv2
diff --git a/prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.py b/prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.py
index 028eb3e72ac..ed45183a11e 100644
--- a/prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.py
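Review bot: In the `directoryservice_ldap_certificate_expiration` hunk the finding is emitted once per certificate but is built with `resource=directory`, and `report.resource_id = certificate.id` then overwrites only the id, so once resource metadata is written to the outputs each row will name a certificate in `resource_id` while the attached resource object describes the parent directory (its own id, arn and region). That mismatch is pre-existing in spirit, but this commit is what makes it visible to consumers correlating findings by resource. If the `certificate` model carries enough identifying fields, passing it as the resource would be the cleaner fix; otherwise a comment such as `# Finding is per certificate; the directory is attached as the resource because certificates have no ARN of their own` on the constructor line records the choice. The enclosing `execute` starts before and continues after the hunk, so I cannot see whether `resource_arn` is also adjusted.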
+++ b/prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.py
@@ -12,9 +12,7 @@ def execute(self):
findings = []
for directory in directoryservice_client.directories.values():
if directory.radius_settings:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=directory
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=directory)
if directory.radius_settings.status == RadiusStatus.Completed:
report.status = "PASS"
report.status_extended = (
diff --git a/prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py b/prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py
index 506f6905072..3ee815fb232 100644
--- a/prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py
+++ b/prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py
@@ -13,7 +13,7 @@ def execute(self):
):
report = Check_Report_AWS(
metadata=self.metadata(),
- resource_metadata=dlm_client.lifecycle_policies,
+ resource=dlm_client.lifecycle_policies,
)
report.status = "FAIL"
report.status_extended = "No EBS Snapshot lifecycle policies found."
diff --git a/prowler/providers/aws/services/dms/dms_endpoint_mongodb_authentication_enabled/dms_endpoint_mongodb_authentication_enabled.py b/prowler/providers/aws/services/dms/dms_endpoint_mongodb_authentication_enabled/dms_endpoint_mongodb_authentication_enabled.py
index 90528022853..69913f32d1e 100644
--- a/prowler/providers/aws/services/dms/dms_endpoint_mongodb_authentication_enabled/dms_endpoint_mongodb_authentication_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_endpoint_mongodb_authentication_enabled/dms_endpoint_mongodb_authentication_enabled.py
@@ -26,9 +26,7 @@ def execute(self) -> List[Check_Report_AWS]:
 findings = []
 for endpoint in dms_client.endpoints.values():
 if endpoint.engine_name == "mongodb":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=endpoint
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint)
 report.status = "FAIL"
 report.status_extended = f"DMS Endpoint '{endpoint.id}' for MongoDB does not have an authentication mechanism enabled."
 if endpoint.mongodb_auth_type != "no":
diff --git a/prowler/providers/aws/services/dms/dms_endpoint_neptune_iam_authorization_enabled/dms_endpoint_neptune_iam_authorization_enabled.py b/prowler/providers/aws/services/dms/dms_endpoint_neptune_iam_authorization_enabled/dms_endpoint_neptune_iam_authorization_enabled.py
index 1eebf10c12a..47bb6c0d64c 100644
--- a/prowler/providers/aws/services/dms/dms_endpoint_neptune_iam_authorization_enabled/dms_endpoint_neptune_iam_authorization_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_endpoint_neptune_iam_authorization_enabled/dms_endpoint_neptune_iam_authorization_enabled.py
@@ -25,9 +25,7 @@ def execute(self) -> List[Check_Report_AWS]:
 findings = []
 for endpoint in dms_client.endpoints.values():
 if endpoint.engine_name == "neptune":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=endpoint
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint)
 report.status = "FAIL"
 report.status_extended = f"DMS Endpoint {endpoint.id} for Neptune databases does not have IAM authorization enabled."
 if endpoint.neptune_iam_auth_enabled:
diff --git a/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py
index 6d5dba2bba6..068f6981b34 100644
--- a/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.py
@@ -26,9 +26,7 @@ def execute(self) -> List[Check_Report_AWS]:
 findings = []
 for endpoint in dms_client.endpoints.values():
 if endpoint.engine_name == "redis":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=endpoint
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint)
 report.status = "FAIL"
 report.status_extended = f"DMS Endpoint {endpoint.id} for Redis OSS is not encrypted in transit."
 if endpoint.redis_ssl_protocol == "ssl-encryption":
diff --git a/prowler/providers/aws/services/dms/dms_endpoint_ssl_enabled/dms_endpoint_ssl_enabled.py b/prowler/providers/aws/services/dms/dms_endpoint_ssl_enabled/dms_endpoint_ssl_enabled.py
index b30e584f6f4..75d5d33f30b 100644
--- a/prowler/providers/aws/services/dms/dms_endpoint_ssl_enabled/dms_endpoint_ssl_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_endpoint_ssl_enabled/dms_endpoint_ssl_enabled.py
@@ -6,9 +6,7 @@ class dms_endpoint_ssl_enabled(Check):
 def execute(self):
 findings = []
 for endpoint in dms_client.endpoints.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=endpoint
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint)
 if endpoint.ssl_mode == "none":
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/dms/dms_instance_minor_version_upgrade_enabled/dms_instance_minor_version_upgrade_enabled.py b/prowler/providers/aws/services/dms/dms_instance_minor_version_upgrade_enabled/dms_instance_minor_version_upgrade_enabled.py
index 43ab957f659..3b9d47f94fa 100644
--- a/prowler/providers/aws/services/dms/dms_instance_minor_version_upgrade_enabled/dms_instance_minor_version_upgrade_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_instance_minor_version_upgrade_enabled/dms_instance_minor_version_upgrade_enabled.py
@@ -6,9 +6,7 @@ class dms_instance_minor_version_upgrade_enabled(Check):
 def execute(self):
 findings = []
 for instance in dms_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "FAIL"
 report.status_extended = f"DMS Replication Instance {instance.id} does not have auto minor version upgrade enabled."
 if instance.auto_minor_version_upgrade:
diff --git a/prowler/providers/aws/services/dms/dms_instance_multi_az_enabled/dms_instance_multi_az_enabled.py b/prowler/providers/aws/services/dms/dms_instance_multi_az_enabled/dms_instance_multi_az_enabled.py
index 17030e45202..e6d1849791f 100644
--- a/prowler/providers/aws/services/dms/dms_instance_multi_az_enabled/dms_instance_multi_az_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_instance_multi_az_enabled/dms_instance_multi_az_enabled.py
@@ -6,9 +6,7 @@ class dms_instance_multi_az_enabled(Check):
 def execute(self):
 findings = []
 for instance in dms_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "FAIL"
 report.status_extended = f"DMS Replication Instance {instance.id} does not have multi az enabled."
 if instance.multi_az:
diff --git a/prowler/providers/aws/services/dms/dms_instance_no_public_access/dms_instance_no_public_access.py b/prowler/providers/aws/services/dms/dms_instance_no_public_access/dms_instance_no_public_access.py
index 9c61bf143f6..833d5d1fb5f 100644
--- a/prowler/providers/aws/services/dms/dms_instance_no_public_access/dms_instance_no_public_access.py
+++ b/prowler/providers/aws/services/dms/dms_instance_no_public_access/dms_instance_no_public_access.py
@@ -8,9 +8,7 @@ class dms_instance_no_public_access(Check):
 def execute(self):
 findings = []
 for instance in dms_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = (
 f"DMS Replication Instance {instance.id} is not publicly accessible."
diff --git a/prowler/providers/aws/services/dms/dms_replication_task_source_logging_enabled/dms_replication_task_source_logging_enabled.py b/prowler/providers/aws/services/dms/dms_replication_task_source_logging_enabled/dms_replication_task_source_logging_enabled.py
index 43ecd30406f..da281c78f7d 100644
--- a/prowler/providers/aws/services/dms/dms_replication_task_source_logging_enabled/dms_replication_task_source_logging_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_replication_task_source_logging_enabled/dms_replication_task_source_logging_enabled.py
@@ -37,7 +37,7 @@ def execute(self) -> List[Check_Report_AWS]:
 replication_task,
 ) in dms_client.replication_tasks.items():
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=replication_task
+ metadata=self.metadata(), resource=replication_task
 )
 report.resource_arn = replication_task_arn
diff --git a/prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.py b/prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.py
index 7b7bf418050..e9d91806923 100644
--- a/prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.py
+++ b/prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.py
@@ -37,7 +37,7 @@ def execute(self) -> List[Check_Report_AWS]:
 replication_task,
 ) in dms_client.replication_tasks.items():
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=replication_task
+ metadata=self.metadata(), resource=replication_task
 )
 report.resource_arn = replication_task_arn
diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py
index 58c48d2cba3..fb812d055cd 100644
--- a/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py
+++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled.py
@@ -8,9 +8,7 @@ class documentdb_cluster_backup_enabled(Check):
 def execute(self):
 findings = []
 for cluster in documentdb_client.db_clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = (
 f"DocumentDB Cluster {cluster.id} does not have backup enabled."
diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.py
index cb1fc7c79eb..ab040d84489 100644
--- a/prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.py
+++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export.py
@@ -8,9 +8,7 @@ class documentdb_cluster_cloudwatch_log_export(Check):
 def execute(self):
 findings = []
 for cluster in documentdb_client.db_clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = f"DocumentDB Cluster {cluster.id} does not have cloudwatch log export enabled."
 if cluster.cloudwatch_logs:
diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.py
index 5a253a34b95..c1965214a36 100644
--- a/prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.py
+++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection.py
@@ -8,9 +8,7 @@ class documentdb_cluster_deletion_protection(Check):
 def execute(self):
 findings = []
 for cluster in documentdb_client.db_clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = f"DocumentDB Cluster {cluster.id} does not have deletion protection enabled."
 if cluster.deletion_protection:
diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.py
index 8ad48aa3840..76a775974c6 100644
--- a/prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.py
+++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled.py
@@ -8,9 +8,7 @@ class documentdb_cluster_multi_az_enabled(Check):
 def execute(self):
 findings = []
 for db_cluster in documentdb_client.db_clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=db_cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=db_cluster)
 report.status = "FAIL"
 report.status_extended = (
 f"DocumentDB Cluster {db_cluster.id} does not have Multi-AZ enabled."
diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.py
index 30e5d60208a..2d31bd1630a 100644
--- a/prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.py
+++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot.py
@@ -8,9 +8,7 @@ class documentdb_cluster_public_snapshot(Check):
 def execute(self):
 findings = []
 for db_snap in documentdb_client.db_cluster_snapshots:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=db_snap
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=db_snap)
 if db_snap.public:
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.py
index 8ecc81799cf..d5c4bd1e77b 100644
--- a/prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.py
+++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted.py
@@ -8,9 +8,7 @@ class documentdb_cluster_storage_encrypted(Check):
 def execute(self):
 findings = []
 for db_cluster in documentdb_client.db_clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=db_cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=db_cluster)
 if db_cluster.encrypted:
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py b/prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py
index 5409040de05..2af5f264261 100644
--- a/prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py
+++ b/prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py
@@ -6,7 +6,7 @@ class drs_job_exist(Check):
 def execute(self):
 findings = []
 for drs in drs_client.drs_services:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=drs)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=drs)
 report.resource_arn = drs_client._get_recovery_job_arn_template(drs.region)
 report.resource_id = drs_client.audited_account
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.py b/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.py
index 2ba8df978b1..3bd998ca496 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_encryption_enabled/dynamodb_accelerator_cluster_encryption_enabled.py
@@ -6,9 +6,7 @@ class dynamodb_accelerator_cluster_encryption_enabled(Check):
 def execute(self):
 findings = []
 for cluster in dax_client.clusters:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = (
 f"DAX cluster {cluster.name} does not have encryption at rest enabled."
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.py b/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.py
index 76c76044705..265859556f9 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_in_transit_encryption_enabled/dynamodb_accelerator_cluster_in_transit_encryption_enabled.py
@@ -6,9 +6,7 @@ class dynamodb_accelerator_cluster_in_transit_encryption_enabled(Check):
 def execute(self):
 findings = []
 for cluster in dax_client.clusters:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = f"DAX cluster {cluster.name} does not have encryption in transit enabled."
 if cluster.tls_encryption:
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.py b/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.py
index 6cb3018f2b3..ea931fdf5f5 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_accelerator_cluster_multi_az/dynamodb_accelerator_cluster_multi_az.py
@@ -6,9 +6,7 @@ class dynamodb_accelerator_cluster_multi_az(Check):
 def execute(self):
 findings = []
 for cluster in dax_client.clusters:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = f"DAX cluster {cluster.name} does not have nodes in multiple availability zones."
 if len(cluster.node_azs) > 1:
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.py b/prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.py
index 60722e66695..cbf0cf7e00b 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_table_autoscaling_enabled/dynamodb_table_autoscaling_enabled.py
@@ -23,7 +23,7 @@ def execute(self):
 autoscaling_mapping[table_name][target.scalable_dimension] = target
 for table in dynamodb_client.tables.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=table)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=table)
 report.status = "PASS"
 report.status_extended = (
 f"DynamoDB table {table.name} automatically scales capacity on demand."
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py b/prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py
index b1f6e26020d..da161a1c0bb 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_table_cross_account_access/dynamodb_table_cross_account_access.py
@@ -7,7 +7,7 @@ class dynamodb_table_cross_account_access(Check):
 def execute(self):
 findings = []
 for table in dynamodb_client.tables.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=table)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=table)
 report.status = "PASS"
 report.status_extended = (
 f"DynamoDB table {table.name} does not have a resource-based policy."
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.py b/prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.py
index 2d288eec2d2..fc27d81a1fb 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_table_deletion_protection_enabled/dynamodb_table_deletion_protection_enabled.py
@@ -6,7 +6,7 @@ class dynamodb_table_deletion_protection_enabled(Check):
 def execute(self):
 findings = []
 for table in dynamodb_client.tables.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=table)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=table)
 report.status = "FAIL"
 report.status_extended = f"DynamoDB table {table.name} does not have deletion protection enabled."
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.py b/prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.py
index c1fe7d96396..e7a0268eebd 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_table_protected_by_backup_plan/dynamodb_table_protected_by_backup_plan.py
@@ -7,7 +7,7 @@ class dynamodb_table_protected_by_backup_plan(Check):
 def execute(self):
 findings = []
 for table in dynamodb_client.tables.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=table)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=table)
 report.status = "FAIL"
 report.status_extended = (
 f"DynamoDB table {table.name} is not protected by a backup plan."
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.py b/prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.py
index 0acbbfe8175..25d3c915de9 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_tables_kms_cmk_encryption_enabled/dynamodb_tables_kms_cmk_encryption_enabled.py
@@ -6,7 +6,7 @@ class dynamodb_tables_kms_cmk_encryption_enabled(Check):
 def execute(self):
 findings = []
 for table in dynamodb_client.tables.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=table)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=table)
 report.status = "FAIL"
 report.status_extended = (
 f"DynamoDB table {table.name} is using DEFAULT encryption."
diff --git a/prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.py b/prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.py
index a787c3c4590..9506bf21de9 100644
--- a/prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.py
+++ b/prowler/providers/aws/services/dynamodb/dynamodb_tables_pitr_enabled/dynamodb_tables_pitr_enabled.py
@@ -6,7 +6,7 @@ class dynamodb_tables_pitr_enabled(Check):
 def execute(self):
 findings = []
 for table in dynamodb_client.tables.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=table)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=table)
 report.status = "FAIL"
 report.status_extended = f"DynamoDB table {table.name} does not have point-in-time recovery enabled."
 if table.pitr:
diff --git a/prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.py b/prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.py
index 3649cffe73d..47684517ca6 100644
--- a/prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.py
+++ b/prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.py
@@ -6,7 +6,7 @@ class ec2_ami_public(Check):
 def execute(self):
 findings = []
 for image in ec2_client.images:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=image)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=image)
 report.status = "PASS"
 report.status_extended = (
 f"EC2 AMI {image.name if image.name else image.id} is not public."
diff --git a/prowler/providers/aws/services/ec2/ec2_client_vpn_endpoint_connection_logging_enabled/ec2_client_vpn_endpoint_connection_logging_enabled.py b/prowler/providers/aws/services/ec2/ec2_client_vpn_endpoint_connection_logging_enabled/ec2_client_vpn_endpoint_connection_logging_enabled.py
index aabe6ee8b98..4e838528b79 100644
--- a/prowler/providers/aws/services/ec2/ec2_client_vpn_endpoint_connection_logging_enabled/ec2_client_vpn_endpoint_connection_logging_enabled.py
+++ b/prowler/providers/aws/services/ec2/ec2_client_vpn_endpoint_connection_logging_enabled/ec2_client_vpn_endpoint_connection_logging_enabled.py
@@ -6,9 +6,7 @@ class ec2_client_vpn_endpoint_connection_logging_enabled(Check):
 def execute(self):
 findings = []
 for vpn_arn, vpn_endpoint in ec2_client.vpn_endpoints.items():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=vpn_endpoint
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=vpn_endpoint)
 if vpn_endpoint.connection_logging:
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py b/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py
index a68d54ceda3..f2e9950ae27 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py
@@ -8,7 +8,7 @@ def execute(self):
 for ebs_encryption in ec2_client.ebs_encryption_by_default:
 if ebs_encryption.volumes or ec2_client.provider.scan_unused_services:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=ebs_encryption
+ metadata=self.metadata(), resource=ebs_encryption
 )
 report.resource_arn = ec2_client._get_volume_arn_template(
 ebs_encryption.region
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py b/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py
index 2e1ab6c9a4b..995c65995c9 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot.py
@@ -6,9 +6,7 @@ class ec2_ebs_public_snapshot(Check):
 def execute(self):
 findings = []
 for snapshot in ec2_client.snapshots:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=snapshot
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=snapshot)
 report.status = "PASS"
 report.status_extended = f"EBS Snapshot {snapshot.id} is not Public."
 if snapshot.public:
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access.py b/prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access.py
index 1cf6db69065..89f0c9c55dd 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access.py
@@ -14,7 +14,7 @@ def execute(self):
 ):
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=ebs_snapshot_block_status,
+ resource=ebs_snapshot_block_status,
 )
 report.resource_arn = ec2_client.account_arn_template
 report.resource_id = ec2_client.audited_account
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py b/prowler/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py
index fcf00150559..c2fcf07765f 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_snapshots_encrypted/ec2_ebs_snapshots_encrypted.py
@@ -6,9 +6,7 @@ class ec2_ebs_snapshots_encrypted(Check):
 def execute(self):
 findings = []
 for snapshot in ec2_client.snapshots:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=snapshot
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=snapshot)
 report.status = "PASS"
 report.status_extended = f"EBS Snapshot {snapshot.id} is encrypted."
 if not snapshot.encrypted:
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption.py b/prowler/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption.py
index a31e5a181a5..cf4ff9ee973 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_volume_encryption/ec2_ebs_volume_encryption.py
@@ -6,9 +6,7 @@ class ec2_ebs_volume_encryption(Check):
 def execute(self):
 findings = []
 for volume in ec2_client.volumes:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=volume
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=volume)
 report.status = "PASS"
 report.status_extended = f"EBS Snapshot {volume.id} is encrypted."
 if not volume.encrypted:
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_volume_protected_by_backup_plan/ec2_ebs_volume_protected_by_backup_plan.py b/prowler/providers/aws/services/ec2/ec2_ebs_volume_protected_by_backup_plan/ec2_ebs_volume_protected_by_backup_plan.py
index 9fb73dc0282..c1da09c4f60 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_volume_protected_by_backup_plan/ec2_ebs_volume_protected_by_backup_plan.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_volume_protected_by_backup_plan/ec2_ebs_volume_protected_by_backup_plan.py
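Review bot: In the ec2_ebs_volume_encryption hunk the PASS message `report.status_extended = f"EBS Snapshot {volume.id} is encrypted."` labels a volume as a snapshot; the loop iterates `ec2_client.volumes`, so it should read `report.status_extended = f"EBS Volume {volume.id} is encrypted."`. The FAIL branch under `if not volume.encrypted:` is outside the hunk and likely carries the same wording, so both messages are worth correcting together, as the mislabel will now sit next to the volume's resource metadata in every output format. The renamed keyword argument itself looks fine.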
@@ -7,9 +7,7 @@ class ec2_ebs_volume_protected_by_backup_plan(Check):
 def execute(self):
 findings = []
 for volume in ec2_client.volumes:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=volume
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=volume)
 report.status = "FAIL"
 report.status_extended = (
 f"EBS Volume {volume.id} is not protected by a backup plan."
diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_volume_snapshots_exists/ec2_ebs_volume_snapshots_exists.py b/prowler/providers/aws/services/ec2/ec2_ebs_volume_snapshots_exists/ec2_ebs_volume_snapshots_exists.py
index 66f11770181..78578b134a1 100644
--- a/prowler/providers/aws/services/ec2/ec2_ebs_volume_snapshots_exists/ec2_ebs_volume_snapshots_exists.py
+++ b/prowler/providers/aws/services/ec2/ec2_ebs_volume_snapshots_exists/ec2_ebs_volume_snapshots_exists.py
@@ -6,9 +6,7 @@ class ec2_ebs_volume_snapshots_exists(Check):
 def execute(self):
 findings = []
 for volume in ec2_client.volumes:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=volume
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=volume)
 report.status = "FAIL"
 report.status_extended = (
 f"Snapshots not found for the EBS volume {volume.id}."
diff --git a/prowler/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.py b/prowler/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.py
index 309a45ab5bb..ad2f0a05977 100644
--- a/prowler/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.py
+++ b/prowler/providers/aws/services/ec2/ec2_elastic_ip_shodan/ec2_elastic_ip_shodan.py
@@ -12,9 +12,7 @@ def execute(self):
 if shodan_api_key:
 api = shodan.Shodan(shodan_api_key)
 for eip in ec2_client.elastic_ips:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=eip
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=eip)
 if eip.public_ip:
 try:
 shodan_info = api.host(eip.public_ip)
diff --git a/prowler/providers/aws/services/ec2/ec2_elastic_ip_unassigned/ec2_elastic_ip_unassigned.py b/prowler/providers/aws/services/ec2/ec2_elastic_ip_unassigned/ec2_elastic_ip_unassigned.py
index 10ac60becd0..c2951c990fc 100644
--- a/prowler/providers/aws/services/ec2/ec2_elastic_ip_unassigned/ec2_elastic_ip_unassigned.py
+++ b/prowler/providers/aws/services/ec2/ec2_elastic_ip_unassigned/ec2_elastic_ip_unassigned.py
@@ -6,7 +6,7 @@ class ec2_elastic_ip_unassigned(Check):
 def execute(self):
 findings = []
 for eip in ec2_client.elastic_ips:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=eip)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=eip)
 if eip.public_ip:
 report.resource_id = eip.public_ip
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.py b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.py
index 69e166ef5d0..9abd6239ccc 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.py
@@ -12,7 +12,7 @@ def execute(self):
 ):
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=instance_metadata_default,
+ resource=instance_metadata_default,
 )
 report.resource_arn = ec2_client.account_arn_template
 report.resource_id = ec2_client.audited_account
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py
index de38aa0d193..8161e6f5119 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_detailed_monitoring_enabled/ec2_instance_detailed_monitoring_enabled.py
@@ -6,9 +6,7 @@ class ec2_instance_detailed_monitoring_enabled(Check):
 def execute(self):
 findings = []
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.resource_id = instance.id
 report.resource_arn = instance.arn
 report.resource_tags = instance.tags
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.py b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.py
index 67b6c405ae2..ff0c96d6f0b 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for instance in ec2_client.instances:
 if instance.state != "terminated":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "FAIL"
 report.status_extended = (
 f"EC2 Instance {instance.id} has IMDSv2 disabled or not required."
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile.py b/prowler/providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile.py
index 5178fbd18e9..594435e5bac 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_internet_facing_with_instance_profile/ec2_instance_internet_facing_with_instance_profile.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for instance in ec2_client.instances:
 if instance.state != "terminated":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"EC2 Instance {instance.id} is not internet facing with an instance profile."
 if instance.public_ip and instance.instance_profile:
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_managed_by_ssm/ec2_instance_managed_by_ssm.py b/prowler/providers/aws/services/ec2/ec2_instance_managed_by_ssm/ec2_instance_managed_by_ssm.py
index d37af7ab7bc..c4b97979cb6 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_managed_by_ssm/ec2_instance_managed_by_ssm.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_managed_by_ssm/ec2_instance_managed_by_ssm.py
@@ -7,9 +7,7 @@ class ec2_instance_managed_by_ssm(Check):
 def execute(self):
 findings = []
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.resource_arn = instance.arn
 report.resource_tags = instance.tags
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_older_than_specific_days/ec2_instance_older_than_specific_days.py b/prowler/providers/aws/services/ec2/ec2_instance_older_than_specific_days/ec2_instance_older_than_specific_days.py
index adda7059185..f25c18d3ef3 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_older_than_specific_days/ec2_instance_older_than_specific_days.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_older_than_specific_days/ec2_instance_older_than_specific_days.py
@@ -13,9 +13,7 @@ def execute(self):
 "max_ec2_instance_age_in_days", 180
 )
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.resource_id = instance.id
 report.resource_arn = instance.arn
 report.resource_tags = instance.tags
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_paravirtual_type/ec2_instance_paravirtual_type.py b/prowler/providers/aws/services/ec2/ec2_instance_paravirtual_type/ec2_instance_paravirtual_type.py
index 71780cab171..1cb6e952b4c 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_paravirtual_type/ec2_instance_paravirtual_type.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_paravirtual_type/ec2_instance_paravirtual_type.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for instance in ec2_client.instances:
 if instance.state != "terminated":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = (
 f"EC2 Instance {instance.id} virtualization type is set to HVM."
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_cassandra_exposed_to_internet/ec2_instance_port_cassandra_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_cassandra_exposed_to_internet/ec2_instance_port_cassandra_exposed_to_internet.py
index eec808322f9..a451f2df3e7 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_cassandra_exposed_to_internet/ec2_instance_port_cassandra_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_cassandra_exposed_to_internet/ec2_instance_port_cassandra_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [7000, 7001, 7199, 9042, 9160]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have Cassandra ports open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_cifs_exposed_to_internet/ec2_instance_port_cifs_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_cifs_exposed_to_internet/ec2_instance_port_cifs_exposed_to_internet.py
index 947a6695758..1ab740af38c 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_cifs_exposed_to_internet/ec2_instance_port_cifs_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_cifs_exposed_to_internet/ec2_instance_port_cifs_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [139, 445]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = (
 f"Instance {instance.id} does not have CIFS ports open to the Internet."
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_elasticsearch_kibana_exposed_to_internet/ec2_instance_port_elasticsearch_kibana_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_elasticsearch_kibana_exposed_to_internet/ec2_instance_port_elasticsearch_kibana_exposed_to_internet.py
index 6de98f45a76..ebca6fbfaed 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_elasticsearch_kibana_exposed_to_internet/ec2_instance_port_elasticsearch_kibana_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_elasticsearch_kibana_exposed_to_internet/ec2_instance_port_elasticsearch_kibana_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [9200, 9300, 5601]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have Elasticsearch/Kibana ports open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_ftp_exposed_to_internet/ec2_instance_port_ftp_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_ftp_exposed_to_internet/ec2_instance_port_ftp_exposed_to_internet.py
index ea35738eaf5..b7cc5c6648c 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_ftp_exposed_to_internet/ec2_instance_port_ftp_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_ftp_exposed_to_internet/ec2_instance_port_ftp_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [20, 21]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = (
 f"Instance {instance.id} does not have FTP ports open to the Internet."
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_kafka_exposed_to_internet/ec2_instance_port_kafka_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_kafka_exposed_to_internet/ec2_instance_port_kafka_exposed_to_internet.py
index ee4414c845b..81c0c60f333 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_kafka_exposed_to_internet/ec2_instance_port_kafka_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_kafka_exposed_to_internet/ec2_instance_port_kafka_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [9092]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have Kafka port 9092 open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_kerberos_exposed_to_internet/ec2_instance_port_kerberos_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_kerberos_exposed_to_internet/ec2_instance_port_kerberos_exposed_to_internet.py
index 05844a3b49b..6377d47f3c4 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_kerberos_exposed_to_internet/ec2_instance_port_kerberos_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_kerberos_exposed_to_internet/ec2_instance_port_kerberos_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [88, 464, 749, 750]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have Kerberos ports open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_ldap_exposed_to_internet/ec2_instance_port_ldap_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_ldap_exposed_to_internet/ec2_instance_port_ldap_exposed_to_internet.py
index 31b60916417..50a24c31c7b 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_ldap_exposed_to_internet/ec2_instance_port_ldap_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_ldap_exposed_to_internet/ec2_instance_port_ldap_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [389, 636]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = (
 f"Instance {instance.id} does not have LDAP ports open to the Internet."
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_memcached_exposed_to_internet/ec2_instance_port_memcached_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_memcached_exposed_to_internet/ec2_instance_port_memcached_exposed_to_internet.py
index 33648cb3db1..9b9b8022b8b 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_memcached_exposed_to_internet/ec2_instance_port_memcached_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_memcached_exposed_to_internet/ec2_instance_port_memcached_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [11211]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have Memcached port 11211 open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_mongodb_exposed_to_internet/ec2_instance_port_mongodb_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_mongodb_exposed_to_internet/ec2_instance_port_mongodb_exposed_to_internet.py
index 96182ae77a8..2275151ef6d 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_mongodb_exposed_to_internet/ec2_instance_port_mongodb_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_mongodb_exposed_to_internet/ec2_instance_port_mongodb_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [27017, 27018]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have MongoDB ports open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_mysql_exposed_to_internet/ec2_instance_port_mysql_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_mysql_exposed_to_internet/ec2_instance_port_mysql_exposed_to_internet.py
index 3ab88f8d739..24fdcbe964a 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_mysql_exposed_to_internet/ec2_instance_port_mysql_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_mysql_exposed_to_internet/ec2_instance_port_mysql_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [3306]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have MySQL port 3306 open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_oracle_exposed_to_internet/ec2_instance_port_oracle_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_oracle_exposed_to_internet/ec2_instance_port_oracle_exposed_to_internet.py
index 002a3cfeaa2..909bbc68b64 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_oracle_exposed_to_internet/ec2_instance_port_oracle_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_oracle_exposed_to_internet/ec2_instance_port_oracle_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [1521, 2483, 2484]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have Oracle ports open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_postgresql_exposed_to_internet/ec2_instance_port_postgresql_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_postgresql_exposed_to_internet/ec2_instance_port_postgresql_exposed_to_internet.py
index 056810f73fd..4a57fcaa37b 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_postgresql_exposed_to_internet/ec2_instance_port_postgresql_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_postgresql_exposed_to_internet/ec2_instance_port_postgresql_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [5432]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have PostgreSQL port 5432 open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_rdp_exposed_to_internet/ec2_instance_port_rdp_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_rdp_exposed_to_internet/ec2_instance_port_rdp_exposed_to_internet.py
index a64172ef04d..8c927f17734 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_rdp_exposed_to_internet/ec2_instance_port_rdp_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_rdp_exposed_to_internet/ec2_instance_port_rdp_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [3389]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have RDP port 3389 open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_redis_exposed_to_internet/ec2_instance_port_redis_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_redis_exposed_to_internet/ec2_instance_port_redis_exposed_to_internet.py
index b7bbdbdcbe4..eced83ef9b7 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_redis_exposed_to_internet/ec2_instance_port_redis_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_redis_exposed_to_internet/ec2_instance_port_redis_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [6379]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have Redis port 6379 open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_sqlserver_exposed_to_internet/ec2_instance_port_sqlserver_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_sqlserver_exposed_to_internet/ec2_instance_port_sqlserver_exposed_to_internet.py
index 7acb26035ae..f313e1f02d9 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_sqlserver_exposed_to_internet/ec2_instance_port_sqlserver_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_sqlserver_exposed_to_internet/ec2_instance_port_sqlserver_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [1433, 1434]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have SQL Server ports open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_ssh_exposed_to_internet/ec2_instance_port_ssh_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_ssh_exposed_to_internet/ec2_instance_port_ssh_exposed_to_internet.py
index ccda3c828bf..a0d6237750f 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_ssh_exposed_to_internet/ec2_instance_port_ssh_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_ssh_exposed_to_internet/ec2_instance_port_ssh_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [22]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have SSH port 22 open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_port_telnet_exposed_to_internet/ec2_instance_port_telnet_exposed_to_internet.py b/prowler/providers/aws/services/ec2/ec2_instance_port_telnet_exposed_to_internet/ec2_instance_port_telnet_exposed_to_internet.py
index 80281df8749..e176df9f619 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_port_telnet_exposed_to_internet/ec2_instance_port_telnet_exposed_to_internet.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_port_telnet_exposed_to_internet/ec2_instance_port_telnet_exposed_to_internet.py
@@ -11,9 +11,7 @@ def execute(self):
 findings = []
 check_ports = [23]
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = f"Instance {instance.id} does not have Telnet port 23 open to the Internet."
 is_open_port = False
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_profile_attached/ec2_instance_profile_attached.py b/prowler/providers/aws/services/ec2/ec2_instance_profile_attached/ec2_instance_profile_attached.py
index 7dadd307c1a..ea47d4ed1ef 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_profile_attached/ec2_instance_profile_attached.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_profile_attached/ec2_instance_profile_attached.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for instance in ec2_client.instances:
 if instance.state != "terminated":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "FAIL"
 report.status_extended = f"EC2 Instance {instance.id} not associated with an Instance Profile Role."
 if instance.instance_profile:
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py b/prowler/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py
index 2043a59f0cf..fa30d01c61d 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_public_ip/ec2_instance_public_ip.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for instance in ec2_client.instances:
 if instance.state != "terminated":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = (
 f"EC2 Instance {instance.id} does not have a Public IP."
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data.py b/prowler/providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data.py
index dc6e376f382..3bb4cd39477 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_secrets_user_data/ec2_instance_secrets_user_data.py
@@ -16,9 +16,7 @@ def execute(self):
 )
 for instance in ec2_client.instances:
 if instance.state != "terminated":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 if instance.user_data:
 user_data = b64decode(instance.user_data)
 try:
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_uses_single_eni/ec2_instance_uses_single_eni.py b/prowler/providers/aws/services/ec2/ec2_instance_uses_single_eni/ec2_instance_uses_single_eni.py
index 5354257f918..5c043f06557 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_uses_single_eni/ec2_instance_uses_single_eni.py
+++ b/prowler/providers/aws/services/ec2/ec2_instance_uses_single_eni/ec2_instance_uses_single_eni.py
@@ -6,9 +6,7 @@ class ec2_instance_uses_single_eni(Check):
 def execute(self):
 findings = []
 for instance in ec2_client.instances:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 eni_types = {"efa": [], "interface": [], "trunk": []}
 if not instance.network_interfaces:
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_launch_template_imdsv2_required/ec2_launch_template_imdsv2_required.py b/prowler/providers/aws/services/ec2/ec2_launch_template_imdsv2_required/ec2_launch_template_imdsv2_required.py
index 91617fc322a..a974128061c 100644
--- a/prowler/providers/aws/services/ec2/ec2_launch_template_imdsv2_required/ec2_launch_template_imdsv2_required.py
+++ b/prowler/providers/aws/services/ec2/ec2_launch_template_imdsv2_required/ec2_launch_template_imdsv2_required.py
@@ -6,9 +6,7 @@ class ec2_launch_template_imdsv2_required(Check):
 def execute(self):
 findings = []
 for template in ec2_client.launch_templates:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=template
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=template)
 versions_with_imdsv2_required = []
 versions_with_metadata_disabled = []
 
diff --git a/prowler/providers/aws/services/ec2/ec2_launch_template_no_public_ip/ec2_launch_template_no_public_ip.py b/prowler/providers/aws/services/ec2/ec2_launch_template_no_public_ip/ec2_launch_template_no_public_ip.py
index 47bc5915674..a870f96daf3 100644
--- a/prowler/providers/aws/services/ec2/ec2_launch_template_no_public_ip/ec2_launch_template_no_public_ip.py
+++ b/prowler/providers/aws/services/ec2/ec2_launch_template_no_public_ip/ec2_launch_template_no_public_ip.py
@@ -6,9 +6,7 @@ class ec2_launch_template_no_public_ip(Check):
 def execute(self):
 findings = []
 for template in ec2_client.launch_templates:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=template
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=template)
 versions_with_autoassign_public_ip = []
 versions_with_network_interfaces_public_ip = []
 
diff --git a/prowler/providers/aws/services/ec2/ec2_launch_template_no_secrets/ec2_launch_template_no_secrets.py b/prowler/providers/aws/services/ec2/ec2_launch_template_no_secrets/ec2_launch_template_no_secrets.py
index 3184023f6ca..fbe3359fc2e 100644
--- a/prowler/providers/aws/services/ec2/ec2_launch_template_no_secrets/ec2_launch_template_no_secrets.py
+++ b/prowler/providers/aws/services/ec2/ec2_launch_template_no_secrets/ec2_launch_template_no_secrets.py
@@ -15,9 +15,7 @@ def execute(self):
 "secrets_ignore_patterns", []
 )
 for template in ec2_client.launch_templates:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=template
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=template)
 
 versions_with_secrets = []
 
diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py
index 08adf13e53c..561ea05e207 100644
--- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py
+++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py
@@ -14,7 +14,7 @@ def execute(self):
 or network_acl.region in ec2_client.regions_with_sgs
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=network_acl
+ metadata=self.metadata(), resource=network_acl
 )
 # If some entry allows it, that ACL is not securely configured
 if check_network_acl(network_acl.entries, tcp_protocol, check_port):
diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py
index f5cd60bf7a3..104a9a9148d 100644
--- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py
+++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py
@@ -14,7 +14,7 @@ def execute(self):
 or network_acl.region in ec2_client.regions_with_sgs
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=network_acl
+ metadata=self.metadata(), resource=network_acl
 )
 # If some entry allows it, that ACL is not securely configured
 if check_network_acl(network_acl.entries, tcp_protocol, check_port):
diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py
index 5c538d5d951..916aeee8386 100644
--- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py
+++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py
@@ -14,7 +14,7 @@ def execute(self):
 or network_acl.region in ec2_client.regions_with_sgs
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=network_acl
+ metadata=self.metadata(), resource=network_acl
 )
 # If some entry allows it, that ACL is not securely configured
 if check_network_acl(network_acl.entries, tcp_protocol, check_port):
diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_unused/ec2_networkacl_unused.py b/prowler/providers/aws/services/ec2/ec2_networkacl_unused/ec2_networkacl_unused.py
index c15cebb782e..5635b22ab91 100644
--- a/prowler/providers/aws/services/ec2/ec2_networkacl_unused/ec2_networkacl_unused.py
+++ b/prowler/providers/aws/services/ec2/ec2_networkacl_unused/ec2_networkacl_unused.py
@@ -8,7 +8,7 @@ def execute(self):
 for arn, network_acl in ec2_client.network_acls.items():
 if not network_acl.default:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=network_acl
+ metadata=self.metadata(), resource=network_acl
 )
 if not network_acl.in_use:
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_all_ports/ec2_securitygroup_allow_ingress_from_internet_to_all_ports.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_all_ports/ec2_securitygroup_allow_ingress_from_internet_to_all_ports.py
index 7bbb90f1211..943cc9b9d01 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_all_ports/ec2_securitygroup_allow_ingress_from_internet_to_all_ports.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_all_ports/ec2_securitygroup_allow_ingress_from_internet_to_all_ports.py
@@ -15,7 +15,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py
index 669aa2378f2..c4d39781995 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py
@@ -24,7 +24,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports.py
index a43ae14407e..00db5315b21 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports/ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports.py
@@ -18,7 +18,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py
index c1cb8ccdced..0474dacc3a5 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py
index ba4a2b0ac99..b9caa00298d 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py
index ef1b8e3de1c..9453e77e1c3 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py
index 169c56319d8..f042c1d8f83 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py
index 024a83ad2eb..30eb31ee4da 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888.py
@@ -21,7 +21,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py
index ee57f80efd1..b6d20cc6c6f 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601.py
@@ -21,7 +21,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py
index 0fca4d9dd8c..9d93d293e1b 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py
index 28671a813e6..97fb4f1623a 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py
index 133927727db..dbbcac488f4 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py
index 95bc56742b8..77ee354abf9 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py
index 76ff6f51bc1..18af6faae39 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py
index db942730f82..d86f380a770 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py
index 9fc0ad25605..ef497d2779e 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434.py
@@ -21,7 +21,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py
index 3b12b61114b..a8d4f1237c0 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23.py
@@ -19,7 +19,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.py
index db0a01715a2..2286d9021db 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_allow_wide_open_public_ipv4/ec2_securitygroup_allow_wide_open_public_ipv4.py
@@ -17,7 +17,7 @@ def execute(self):
 and len(security_group.network_interfaces) > 0
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic.py
index 87bf5b6c0d8..a91a74bfe0a 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_default_restrict_traffic/ec2_securitygroup_default_restrict_traffic.py
@@ -17,7 +17,7 @@ def execute(self):
 )
 ):
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard.py
index 2294608984c..a1145a53805 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_from_launch_wizard/ec2_securitygroup_from_launch_wizard.py
@@ -6,9 +6,7 @@ class ec2_securitygroup_from_launch_wizard(Check):
 def execute(self):
 findings = []
 for security_group in ec2_client.security_groups.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=security_group)
 report.resource_details = security_group.name
 report.status = "PASS"
 report.status_extended = f"Security group {security_group.name} ({security_group.id}) was not created using the EC2 Launch Wizard."
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py
index c90709209d8..aa621abdfb1 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py
@@ -10,7 +10,7 @@ def execute(self):
 # Default security groups can not be deleted, so ignore them
 if security_group.name != "default":
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.resource_details = security_group.name
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules.py b/prowler/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules.py
index b3c7d62b985..28f42d5243f 100644
--- a/prowler/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules.py
+++ b/prowler/providers/aws/services/ec2/ec2_securitygroup_with_many_ingress_egress_rules/ec2_securitygroup_with_many_ingress_egress_rules.py
@@ -11,9 +11,7 @@ def execute(self):
 "max_security_group_rules", 50
 )
 for security_group_arn, security_group in ec2_client.security_groups.items():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=security_group
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=security_group)
 report.resource_details = security_group.name
 report.status = "PASS"
 report.status_extended = f"Security group {security_group.name} ({security_group.id}) has {len(security_group.ingress_rules)} inbound rules and {len(security_group.egress_rules)} outbound rules."
diff --git a/prowler/providers/aws/services/ec2/ec2_transitgateway_auto_accept_vpc_attachments/ec2_transitgateway_auto_accept_vpc_attachments.py b/prowler/providers/aws/services/ec2/ec2_transitgateway_auto_accept_vpc_attachments/ec2_transitgateway_auto_accept_vpc_attachments.py
index 94266c3a6ac..6321fc06526 100644
--- a/prowler/providers/aws/services/ec2/ec2_transitgateway_auto_accept_vpc_attachments/ec2_transitgateway_auto_accept_vpc_attachments.py
+++ b/prowler/providers/aws/services/ec2/ec2_transitgateway_auto_accept_vpc_attachments/ec2_transitgateway_auto_accept_vpc_attachments.py
@@ -6,7 +6,7 @@ class ec2_transitgateway_auto_accept_vpc_attachments(Check):
 def execute(self):
 findings = []
 for tgw in ec2_client.transit_gateways.values():
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=tgw)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=tgw)
 if tgw.auto_accept_shared_attachments:
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py b/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py
index 3c77250d9b6..eee087359d9 100644
--- a/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py
+++ b/prowler/providers/aws/services/ecr/ecr_registry_scan_images_on_push_enabled/ecr_registry_scan_images_on_push_enabled.py
@@ -8,9 +8,7 @@ def execute(self):
 for registry in ecr_client.registries.values():
 # We want to check the registry if it is in use, hence there are repositories
 if len(registry.repositories) != 0:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=registry
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=registry)
 report.status = "FAIL"
 report.status_extended = f"ECR registry {registry.id} has {registry.scan_type} scanning without scan on push enabled."
 if registry.rules:
diff --git a/prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.py b/prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.py
index b8b183e4557..1e840d22ae5 100644
--- a/prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.py
+++ b/prowler/providers/aws/services/ecr/ecr_repositories_lifecycle_policy_enabled/ecr_repositories_lifecycle_policy_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for registry in ecr_client.registries.values():
 for repository in registry.repositories:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=repository
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=repository)
 report.status = "FAIL"
 report.status_extended = f"Repository {repository.name} does not have a lifecycle policy configured."
 if repository.lifecycle_policy:
diff --git a/prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py b/prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py
index 7f88bc28b3a..aa332926a5f 100644
--- a/prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/ecr/ecr_repositories_not_publicly_accessible/ecr_repositories_not_publicly_accessible.py
@@ -8,9 +8,7 @@ def execute(self):
 findings = []
 for registry in ecr_client.registries.values():
 for repository in registry.repositories:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=repository
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=repository)
 report.status = "PASS"
 report.status_extended = (
 f"Repository {repository.name} is not publicly accessible."
diff --git a/prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py b/prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py
index 7d757ff7eba..70923218817 100644
--- a/prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py
+++ b/prowler/providers/aws/services/ecr/ecr_repositories_scan_images_on_push_enabled/ecr_repositories_scan_images_on_push_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for registry in ecr_client.registries.values():
 for repository in registry.repositories:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=repository
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=repository)
 report.status = "PASS"
 report.status_extended = (
 f"ECR repository {repository.name} has scan on push enabled."
diff --git a/prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py b/prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py
index 2e6d53df358..c9f770dcd21 100644
--- a/prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py
+++ b/prowler/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image.py
@@ -18,7 +18,7 @@ def execute(self):
 # We only want to check the latest image pushed that is scannable
 image = repository.images_details[-1]
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=repository
+ metadata=self.metadata(), resource=repository
 )
 report.status = "PASS"
 status_extended_prefix = f"ECR repository '{repository.name}' has scanned the {image.type} container image with digest '{image.latest_digest}' and tag '{image.latest_tag}' "
diff --git a/prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.py b/prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.py
index d8feb9ee975..43bc115cc9e 100644
--- a/prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.py
+++ b/prowler/providers/aws/services/ecr/ecr_repositories_tag_immutability/ecr_repositories_tag_immutability.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for registry in ecr_client.registries.values():
 for repository in registry.repositories:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=repository
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=repository)
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.py b/prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.py
index 31f51e0979d..59a18ff7791 100644
--- a/prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.py
+++ b/prowler/providers/aws/services/ecs/ecs_cluster_container_insights_enabled/ecs_cluster_container_insights_enabled.py
@@ -6,9 +6,7 @@ class ecs_cluster_container_insights_enabled(Check):
 def execute(self):
 findings = []
 for cluster in ecs_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = (
 f"ECS cluster {cluster.name} does not have container insights enabled."
diff --git a/prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.py b/prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.py
index a38dc42d428..2880fa93721 100644
--- a/prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.py
+++ b/prowler/providers/aws/services/ecs/ecs_service_fargate_latest_platform_version/ecs_service_fargate_latest_platform_version.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for service in ecs_client.services.values():
 if service.launch_type == "FARGATE":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=service
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=service)
 fargate_latest_linux_version = ecs_client.audit_config.get(
 "fargate_linux_latest_version", "1.4.0"
 )
diff --git a/prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.py b/prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.py
index 5e51b9d55c6..34f99157021 100644
--- a/prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.py
+++ b/prowler/providers/aws/services/ecs/ecs_service_no_assign_public_ip/ecs_service_no_assign_public_ip.py
@@ -6,9 +6,7 @@ class ecs_service_no_assign_public_ip(Check):
     def execute(self):
         findings = []
         for service in ecs_client.services.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=service
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=service)
             report.status = "PASS"
             report.status_extended = f"ECS Service {service.name} does not have automatic public IP assignment."
 
diff --git a/prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.py b/prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.py
index 6aae60bcc40..3d9b33ddf70 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_containers_readonly_access/ecs_task_definitions_containers_readonly_access.py
@@ -7,7 +7,7 @@ def execute(self):
         findings = []
         for task_definition in ecs_client.task_definitions.values():
             report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=task_definition
+                metadata=self.metadata(), resource=task_definition
             )
             report.resource_id = f"{task_definition.name}:{task_definition.revision}"
             report.status = "PASS"
diff --git a/prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.py b/prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.py
index 9ca7354c425..ee57dd4ea86 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_host_namespace_not_shared/ecs_task_definitions_host_namespace_not_shared.py
@@ -7,7 +7,7 @@ def execute(self):
         findings = []
         for task_definition in ecs_client.task_definitions.values():
             report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=task_definition
+                metadata=self.metadata(), resource=task_definition
             )
             report.resource_id = f"{task_definition.name}:{task_definition.revision}"
             report.status = "PASS"
diff --git a/prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.py b/prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.py
index e47d24c5d22..b8354ed5105 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_host_networking_mode_users/ecs_task_definitions_host_networking_mode_users.py
@@ -7,7 +7,7 @@ def execute(self):
         findings = []
         for task_definition in ecs_client.task_definitions.values():
             report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=task_definition
+                metadata=self.metadata(), resource=task_definition
             )
             report.resource_id = f"{task_definition.name}:{task_definition.revision}"
             report.status = "PASS"
diff --git a/prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.py b/prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.py
index 99ef33337d3..5e3eff00a97 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_logging_block_mode/ecs_task_definitions_logging_block_mode.py
@@ -7,7 +7,7 @@ def execute(self):
         findings = []
         for task_definition in ecs_client.task_definitions.values():
             report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=task_definition
+                metadata=self.metadata(), resource=task_definition
             )
             report.resource_id = f"{task_definition.name}:{task_definition.revision}"
             containers = 0
diff --git a/prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.py b/prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.py
index 8b90587f0a7..caf57177cac 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_logging_enabled/ecs_task_definitions_logging_enabled.py
@@ -7,7 +7,7 @@ def execute(self):
         findings = []
         for task_definition in ecs_client.task_definitions.values():
             report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=task_definition
+                metadata=self.metadata(), resource=task_definition
             )
             report.resource_id = f"{task_definition.name}:{task_definition.revision}"
             report.status = "PASS"
diff --git a/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py b/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py
index 7e9b11e3c36..c1b0a053969 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_no_environment_secrets/ecs_task_definitions_no_environment_secrets.py
@@ -14,7 +14,7 @@ def execute(self):
         )
         for task_definition in ecs_client.task_definitions.values():
             report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=task_definition
+                metadata=self.metadata(), resource=task_definition
             )
             report.resource_id = f"{task_definition.name}:{task_definition.revision}"
             report.status = "PASS"
diff --git a/prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.py b/prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.py
index 846472fdf30..3cd56de532a 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_definitions_no_privileged_containers/ecs_task_definitions_no_privileged_containers.py
@@ -7,7 +7,7 @@ def execute(self):
         findings = []
         for task_definition in ecs_client.task_definitions.values():
             report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=task_definition
+                metadata=self.metadata(), resource=task_definition
             )
             report.resource_id = f"{task_definition.name}:{task_definition.revision}"
             report.status = "PASS"
diff --git a/prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.py b/prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.py
index 93b921918ce..5833c367a35 100644
--- a/prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.py
+++ b/prowler/providers/aws/services/ecs/ecs_task_set_no_assign_public_ip/ecs_task_set_no_assign_public_ip.py
@@ -6,9 +6,7 @@ class ecs_task_set_no_assign_public_ip(Check):
     def execute(self):
         findings = []
         for task_set in ecs_client.task_sets.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=task_set
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=task_set)
             report.status = "PASS"
             report.status_extended = f"ECS Task Set {task_set.id} does not have automatic public IP assignment."
 
diff --git a/prowler/providers/aws/services/efs/efs_access_point_enforce_root_directory/efs_access_point_enforce_root_directory.py b/prowler/providers/aws/services/efs/efs_access_point_enforce_root_directory/efs_access_point_enforce_root_directory.py
index 4e62efc70b1..ec854918771 100644
--- a/prowler/providers/aws/services/efs/efs_access_point_enforce_root_directory/efs_access_point_enforce_root_directory.py
+++ b/prowler/providers/aws/services/efs/efs_access_point_enforce_root_directory/efs_access_point_enforce_root_directory.py
@@ -7,9 +7,7 @@ def execute(self):
         findings = []
         for fs in efs_client.filesystems.values():
             if fs.access_points:
-                report = Check_Report_AWS(
-                    metadata=self.metadata(), resource_metadata=fs
-                )
+                report = Check_Report_AWS(metadata=self.metadata(), resource=fs)
                 report.status = "PASS"
                 report.status_extended = f"EFS {fs.id} does not have any access point allowing access to the root directory."
                 access_points = []
diff --git a/prowler/providers/aws/services/efs/efs_access_point_enforce_user_identity/efs_access_point_enforce_user_identity.py b/prowler/providers/aws/services/efs/efs_access_point_enforce_user_identity/efs_access_point_enforce_user_identity.py
index 00de1fb6482..3b27dbd7b2a 100644
--- a/prowler/providers/aws/services/efs/efs_access_point_enforce_user_identity/efs_access_point_enforce_user_identity.py
+++ b/prowler/providers/aws/services/efs/efs_access_point_enforce_user_identity/efs_access_point_enforce_user_identity.py
@@ -7,9 +7,7 @@ def execute(self):
         findings = []
         for fs in efs_client.filesystems.values():
             if fs.access_points:
-                report = Check_Report_AWS(
-                    metadata=self.metadata(), resource_metadata=fs
-                )
+                report = Check_Report_AWS(metadata=self.metadata(), resource=fs)
                 report.status = "PASS"
                 report.status_extended = (
                     f"EFS {fs.id} has all access points with defined POSIX user."
diff --git a/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py b/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py
index 52edd7848f8..5023a5aeada 100644
--- a/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py
+++ b/prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.py
@@ -6,7 +6,7 @@ class efs_encryption_at_rest_enabled(Check):
     def execute(self):
         findings = []
         for fs in efs_client.filesystems.values():
-            report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fs)
+            report = Check_Report_AWS(metadata=self.metadata(), resource=fs)
             report.status = "FAIL"
             report.status_extended = (
                 f"EFS {fs.id} does not have encryption at rest enabled."
diff --git a/prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.py b/prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.py
index 26884d60e72..4e015447f03 100644
--- a/prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.py
+++ b/prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.py
@@ -6,7 +6,7 @@ class efs_have_backup_enabled(Check):
     def execute(self):
         findings = []
         for fs in efs_client.filesystems.values():
-            report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fs)
+            report = Check_Report_AWS(metadata=self.metadata(), resource=fs)
             report.status = "PASS"
             report.status_extended = f"EFS {fs.id} has backup enabled."
             if fs.backup_policy == "DISABLED" or fs.backup_policy == "DISABLING":
diff --git a/prowler/providers/aws/services/efs/efs_mount_target_not_publicly_accessible/efs_mount_target_not_publicly_accessible.py b/prowler/providers/aws/services/efs/efs_mount_target_not_publicly_accessible/efs_mount_target_not_publicly_accessible.py
index bcec7fa8129..b5482ff1da3 100644
--- a/prowler/providers/aws/services/efs/efs_mount_target_not_publicly_accessible/efs_mount_target_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/efs/efs_mount_target_not_publicly_accessible/efs_mount_target_not_publicly_accessible.py
@@ -7,7 +7,7 @@ class efs_mount_target_not_publicly_accessible(Check):
     def execute(self):
         findings = []
         for fs in efs_client.filesystems.values():
-            report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fs)
+            report = Check_Report_AWS(metadata=self.metadata(), resource=fs)
             report.status = "PASS"
             report.status_extended = (
                 f"EFS {fs.id} does not have any public mount targets."
diff --git a/prowler/providers/aws/services/efs/efs_multi_az_enabled/efs_multi_az_enabled.py b/prowler/providers/aws/services/efs/efs_multi_az_enabled/efs_multi_az_enabled.py
index 8c52558e12e..1fc22399bcc 100644
--- a/prowler/providers/aws/services/efs/efs_multi_az_enabled/efs_multi_az_enabled.py
+++ b/prowler/providers/aws/services/efs/efs_multi_az_enabled/efs_multi_az_enabled.py
@@ -6,7 +6,7 @@ class efs_multi_az_enabled(Check):
     def execute(self):
         findings = []
         for fs in efs_client.filesystems.values():
-            report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fs)
+            report = Check_Report_AWS(metadata=self.metadata(), resource=fs)
             if fs.availability_zone_id:
                 report.status = "FAIL"
                 report.status_extended = f"EFS {fs.id} is a Single-AZ file system."
diff --git a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
index f7ce674f021..2db08c396dc 100644
--- a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
@@ -7,7 +7,7 @@ class efs_not_publicly_accessible(Check):
     def execute(self):
         findings = []
         for fs in efs_client.filesystems.values():
-            report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=fs)
+            report = Check_Report_AWS(metadata=self.metadata(), resource=fs)
             report.status = "PASS"
             report.status_extended = f"EFS {fs.id} has a policy which does not allow access to any client within the VPC."
             if not fs.policy:
diff --git a/prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.py b/prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.py
index 818f09c8074..87add1e4ef1 100644
--- a/prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.py
+++ b/prowler/providers/aws/services/eks/eks_cluster_kms_cmk_encryption_in_secrets_enabled/eks_cluster_kms_cmk_encryption_in_secrets_enabled.py
@@ -6,9 +6,7 @@ class eks_cluster_kms_cmk_encryption_in_secrets_enabled(Check):
     def execute(self):
         findings = []
         for cluster in eks_client.clusters:
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=cluster
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
             report.status = "FAIL"
             report.status_extended = f"EKS cluster {cluster.name} does not have encryption for Kubernetes secrets."
             if cluster.encryptionConfig:
diff --git a/prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.py b/prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.py
index 8cbdfe613d2..79a58f5e40e 100644
--- a/prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.py
+++ b/prowler/providers/aws/services/eks/eks_cluster_network_policy_enabled/eks_cluster_network_policy_enabled.py
@@ -6,9 +6,7 @@ class eks_cluster_network_policy_enabled(Check):
     def execute(self):
         findings = []
         for cluster in eks_client.clusters:
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=cluster
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
             report.status = "FAIL"
             report.status_extended = f"EKS cluster {cluster.name} does not have a Network Policy. Cluster security group ID is not set."
             if cluster.security_group_id:
diff --git a/prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.py b/prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.py
index f30927e1758..bf1b412b2e5 100644
--- a/prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/eks/eks_cluster_not_publicly_accessible/eks_cluster_not_publicly_accessible.py
@@ -6,9 +6,7 @@ class eks_cluster_not_publicly_accessible(Check):
     def execute(self):
         findings = []
         for cluster in eks_client.clusters:
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=cluster
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
             report.status = "PASS"
             report.status_extended = (
                 f"EKS cluster {cluster.name} is not publicly accessible."
diff --git a/prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.py b/prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.py
index 7e7a85f804e..fa36c4311c0 100644
--- a/prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.py
+++ b/prowler/providers/aws/services/eks/eks_cluster_private_nodes_enabled/eks_cluster_private_nodes_enabled.py
@@ -6,9 +6,7 @@ class eks_cluster_private_nodes_enabled(Check):
     def execute(self):
         findings = []
         for cluster in eks_client.clusters:
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=cluster
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
             report.status = "PASS"
             report.status_extended = (
                 f"EKS cluster {cluster.name} is created with private nodes."
diff --git a/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py b/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py
index 18c46184437..8d98f2950e3 100644
--- a/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py
+++ b/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py
@@ -14,9 +14,7 @@ def execute(self) -> Check_Report_AWS:
         )
 
         for cluster in eks_client.clusters:
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=cluster
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 
             cluster_version_major, cluster_version_minor = map(
                 int, cluster.version.split(".")
diff --git a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py
index 7a7ebc0ca80..6d6b4bba5c4 100644
--- a/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py
+++ b/prowler/providers/aws/services/eks/eks_control_plane_logging_all_types_enabled/eks_control_plane_logging_all_types_enabled.py
@@ -19,9 +19,7 @@ def execute(self):
         required_log_types_str = ", ".join(required_log_types)
 
         for cluster in eks_client.clusters:
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=cluster
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
             report.status = "FAIL"
             report.status_extended = f"Control plane logging is not enabled for EKS cluster {cluster.name}. Required log types: {required_log_types_str}."
             if cluster.logging and cluster.logging.enabled:
diff --git a/prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.py b/prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.py
index 2b1d2d1affd..54e03beeb8b 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_cluster_uses_public_subnet/elasticache_cluster_uses_public_subnet.py
@@ -9,9 +9,7 @@ class elasticache_cluster_uses_public_subnet(Check):
     def execute(self):
         findings = []
         for cluster in elasticache_client.clusters.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=cluster
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
             report.status = "PASS"
 
             if cluster.engine == "redis":
diff --git a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.py b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.py
index 5188c194169..fbf1db79f33 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_auto_minor_version_upgrades/elasticache_redis_cluster_auto_minor_version_upgrades.py
@@ -8,9 +8,7 @@ class elasticache_redis_cluster_auto_minor_version_upgrades(Check):
     def execute(self):
         findings = []
         for repl_group in elasticache_client.replication_groups.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=repl_group
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=repl_group)
             report.status = "PASS"
             report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} does have automated minor version upgrades enabled."
 
diff --git a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.py b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.py
index ae96231c9f1..c8dce32f5cb 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_automatic_failover_enabled/elasticache_redis_cluster_automatic_failover_enabled.py
@@ -8,9 +8,7 @@ class elasticache_redis_cluster_automatic_failover_enabled(Check):
     def execute(self):
         findings = []
         for repl_group in elasticache_client.replication_groups.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=repl_group
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=repl_group)
             report.status = "FAIL"
             report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} does not have automatic failover enabled."
 
diff --git a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.py b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.py
index e3271129281..5639b322e8d 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_backup_enabled/elasticache_redis_cluster_backup_enabled.py
@@ -8,9 +8,7 @@ class elasticache_redis_cluster_backup_enabled(Check):
     def execute(self):
         findings = []
         for repl_group in elasticache_client.replication_groups.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=repl_group
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=repl_group)
             report.status = "FAIL"
             report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} does not have automated snapshot backups enabled."
             if repl_group.snapshot_retention > elasticache_client.audit_config.get(
diff --git a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.py b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.py
index 146ce739843..e97d0ba6f6f 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_in_transit_encryption_enabled/elasticache_redis_cluster_in_transit_encryption_enabled.py
@@ -8,9 +8,7 @@ class elasticache_redis_cluster_in_transit_encryption_enabled(Check):
     def execute(self):
         findings = []
         for repl_group in elasticache_client.replication_groups.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=repl_group
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=repl_group)
             report.status = "FAIL"
             report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} does not have in transit encryption enabled."
             if repl_group.transit_encryption:
diff --git a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.py b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.py
index 40782472ade..f07f25506c8 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_multi_az_enabled/elasticache_redis_cluster_multi_az_enabled.py
@@ -8,9 +8,7 @@ class elasticache_redis_cluster_multi_az_enabled(Check):
     def execute(self):
         findings = []
         for repl_group in elasticache_client.replication_groups.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=repl_group
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=repl_group)
             report.status = "FAIL"
             report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} does not have Multi-AZ enabled."
             if repl_group.multi_az == "enabled":
diff --git a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.py b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.py
index 647a232a776..99d87d9bde9 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_redis_cluster_rest_encryption_enabled/elasticache_redis_cluster_rest_encryption_enabled.py
@@ -8,9 +8,7 @@ class elasticache_redis_cluster_rest_encryption_enabled(Check):
     def execute(self):
         findings = []
         for repl_group in elasticache_client.replication_groups.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=repl_group
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=repl_group)
             report.status = "FAIL"
             report.status_extended = f"Elasticache Redis cache cluster {repl_group.id} does not have at rest encryption enabled."
             if repl_group.encrypted:
diff --git a/prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.py b/prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.py
index 612492868cd..358eacd582a 100644
--- a/prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.py
+++ b/prowler/providers/aws/services/elasticache/elasticache_redis_replication_group_auth_enabled/elasticache_redis_replication_group_auth_enabled.py
@@ -10,9 +10,7 @@ class elasticache_redis_replication_group_auth_enabled(Check):
     def execute(self):
         findings = []
         for repl_group in elasticache_client.replication_groups.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=repl_group
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=repl_group)
 
             if version.parse(repl_group.engine_version) < version.parse("6.0"):
                 if not repl_group.auth_token_enabled:
diff --git a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.py b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.py
index 070d2af1ff7..041f8281b24 100644
--- a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.py
+++ b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_cloudwatch_logging_enabled/elasticbeanstalk_environment_cloudwatch_logging_enabled.py
@@ -8,9 +8,7 @@ class elasticbeanstalk_environment_cloudwatch_logging_enabled(Check):
     def execute(self):
         findings = []
         for environment in elasticbeanstalk_client.environments.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=environment
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=environment)
             report.status = "PASS"
             report.status_extended = f"Elastic Beanstalk environment {environment.name} is sending logs to CloudWatch Logs."
 
diff --git a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.py b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.py
index 0fefce64ff6..0ff3d099ef8 100644
--- a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.py
+++ b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_enhanced_health_reporting/elasticbeanstalk_environment_enhanced_health_reporting.py
@@ -8,9 +8,7 @@ class elasticbeanstalk_environment_enhanced_health_reporting(Check):
     def execute(self):
         findings = []
         for environment in elasticbeanstalk_client.environments.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=environment
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=environment)
             report.status = "PASS"
             report.status_extended = f"Elastic Beanstalk environment {environment.name} has enhanced health reporting enabled."
 
diff --git a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.py b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.py
index 0e07d30d0b4..254fd7da8b6 100644
--- a/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.py
+++ b/prowler/providers/aws/services/elasticbeanstalk/elasticbeanstalk_environment_managed_updates_enabled/elasticbeanstalk_environment_managed_updates_enabled.py
@@ -8,9 +8,7 @@ class elasticbeanstalk_environment_managed_updates_enabled(Check):
     def execute(self):
         findings = []
         for environment in elasticbeanstalk_client.environments.values():
-            report = Check_Report_AWS(
-                metadata=self.metadata(), resource_metadata=environment
-            )
+            report = Check_Report_AWS(metadata=self.metadata(), resource=environment)
             report.status = "PASS"
             report.status_extended = f"Elastic Beanstalk environment {environment.name} has managed platform updates enabled."
 
diff --git a/prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.py b/prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.py
index cb1ccbc55b2..8ce4c8431f7 100644
--- a/prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.py
+++ b/prowler/providers/aws/services/elb/elb_connection_draining_enabled/elb_connection_draining_enabled.py
@@ -6,7 +6,7 @@ class elb_connection_draining_enabled(Check): def execute(self) -> list[Check_Report_AWS]: findings = [] for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = f"ELB {lb.name} has connection draining enabled." diff --git a/prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.py b/prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.py index 4bf7090d264..85664771c2b 100644 --- a/prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.py +++ b/prowler/providers/aws/services/elb/elb_cross_zone_load_balancing_enabled/elb_cross_zone_load_balancing_enabled.py @@ -8,7 +8,7 @@ class elb_cross_zone_load_balancing_enabled(Check): def execute(self) -> List[Check_Report_AWS]: findings = [] for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = ( f"ELB {lb.name} does not have cross-zone load balancing enabled." diff --git a/prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.py b/prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.py index cc03593c92c..5b74e30b346 100644 --- a/prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.py +++ b/prowler/providers/aws/services/elb/elb_desync_mitigation_mode/elb_desync_mitigation_mode.py 
@@ -6,7 +6,7 @@ class elb_desync_mitigation_mode(Check): def execute(self): findings = [] for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) if ( lb.desync_mitigation_mode == "defensive" or lb.desync_mitigation_mode == "strictest" diff --git a/prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.py b/prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.py index d31429e5049..21c0c3863d2 100644 --- a/prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.py +++ b/prowler/providers/aws/services/elb/elb_insecure_ssl_ciphers/elb_insecure_ssl_ciphers.py @@ -9,7 +9,7 @@ def execute(self): "ELBSecurityPolicy-TLS-1-2-2017-01", ] for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = ( f"ELB {lb.name} does not have insecure SSL protocols or ciphers." diff --git a/prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.py b/prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.py index 46995308770..b2b4c22071d 100644 --- a/prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.py +++ b/prowler/providers/aws/services/elb/elb_internet_facing/elb_internet_facing.py @@ -6,7 +6,7 @@ class elb_internet_facing(Check): def execute(self): findings = [] for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = f"ELB {lb.name} is not internet facing." if lb.scheme == "internet-facing": 
diff --git a/prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.py b/prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.py index 22e6bf67a94..43a0a52179b 100644 --- a/prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.py +++ b/prowler/providers/aws/services/elb/elb_is_in_multiple_az/elb_is_in_multiple_az.py @@ -9,7 +9,7 @@ def execute(self) -> List[Check_Report_AWS]: findings = [] ELB_MIN_AZS = elb_client.audit_config.get("elb_min_azs", 2) for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = f"Classic Load Balancer {lb.name} is not in at least {ELB_MIN_AZS} availability zones, it is only in {', '.join(lb.availability_zones)}." diff --git a/prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.py b/prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.py index b2fd56f079b..9ac8877bc56 100644 --- a/prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.py +++ b/prowler/providers/aws/services/elb/elb_logging_enabled/elb_logging_enabled.py @@ -6,7 +6,7 @@ class elb_logging_enabled(Check): def execute(self): findings = [] for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = ( f"ELB {lb.name} does not have access logs configured." diff --git a/prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.py b/prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.py index cacfa4124ba..2ea67047187 100644 --- a/prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.py 
+++ b/prowler/providers/aws/services/elb/elb_ssl_listeners/elb_ssl_listeners.py @@ -7,7 +7,7 @@ def execute(self): findings = [] secure_protocols = ["SSL", "HTTPS"] for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = f"ELB {lb.name} has HTTPS listeners only." for listener in lb.listeners: diff --git a/prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.py b/prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.py index bf83b870a47..fef41a94edf 100644 --- a/prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.py +++ b/prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.py @@ -8,7 +8,7 @@ def execute(self): findings = [] secure_protocols = ["SSL", "HTTPS"] for lb in elb_client.loadbalancers.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = f"ELB {lb.name} HTTPS/SSL listeners are using certificates managed by ACM." for listener in lb.listeners: diff --git a/prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.py b/prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.py index 1e1a323c64a..ccf3ebc49e0 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.py +++ b/prowler/providers/aws/services/elbv2/elbv2_cross_zone_load_balancing_enabled/elbv2_cross_zone_load_balancing_enabled.py 
@@ -9,9 +9,7 @@ def execute(self) -> List[Check_Report_AWS]: findings = [] for lb in elbv2_client.loadbalancersv2.values(): if lb.type != "application": - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=lb - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = ( f"ELBv2 {lb.name} does not have cross-zone load balancing enabled." diff --git a/prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.py b/prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.py index 9e0fd02fe0d..c2c55149bca 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.py +++ b/prowler/providers/aws/services/elbv2/elbv2_deletion_protection/elbv2_deletion_protection.py @@ -6,7 +6,7 @@ class elbv2_deletion_protection(Check): def execute(self): findings = [] for lb in elbv2_client.loadbalancersv2.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = ( f"ELBv2 {lb.name} does not have deletion protection enabled." diff --git a/prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.py b/prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.py index 626ee17ec2a..e0212c133ea 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.py +++ b/prowler/providers/aws/services/elbv2/elbv2_desync_mitigation_mode/elbv2_desync_mitigation_mode.py 
@@ -7,9 +7,7 @@ def execute(self): findings = [] for lb in elbv2_client.loadbalancersv2.values(): if lb.type == "application": - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=lb - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = f"ELBv2 ALB {lb.name} is configured with correct desync mitigation mode." if ( diff --git a/prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.py b/prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.py index 848990a4445..ba43d463e38 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.py +++ b/prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.py @@ -18,7 +18,7 @@ def execute(self): "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06", ] for lb in elbv2_client.loadbalancersv2.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = ( f"ELBv2 {lb.name} does not have insecure SSL protocols or ciphers." diff --git a/prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.py b/prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.py index 3464fc2090d..bff889f556e 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.py +++ b/prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.py 
@@ -8,7 +8,7 @@ class elbv2_internet_facing(Check): def execute(self): findings = [] for lb in elbv2_client.loadbalancersv2.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = f"ELBv2 ALB {lb.name} is not internet facing." if lb.scheme == "internet-facing": diff --git a/prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.py b/prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.py index a8166dfe7db..ea4a311ef9a 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.py +++ b/prowler/providers/aws/services/elbv2/elbv2_is_in_multiple_az/elbv2_is_in_multiple_az.py @@ -9,7 +9,7 @@ def execute(self) -> List[Check_Report_AWS]: findings = [] elbv2_min_azs = elbv2_client.audit_config.get("elbv2_min_azs", 2) for lb in elbv2_client.loadbalancersv2.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = f"ELBv2 {lb.name} is not in at least {elbv2_min_azs} AZs. Is only in {', '.join(lb.availability_zones.keys())}." diff --git a/prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.py b/prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.py index 2904831f7b4..0af8d2282ed 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.py +++ b/prowler/providers/aws/services/elbv2/elbv2_listeners_underneath/elbv2_listeners_underneath.py 
@@ -6,7 +6,7 @@ class elbv2_listeners_underneath(Check): def execute(self): findings = [] for lb in elbv2_client.loadbalancersv2.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = f"ELBv2 {lb.name} has listeners underneath." if len(lb.listeners) == 0: diff --git a/prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.py b/prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.py index d554f33a69f..a22d645b142 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.py +++ b/prowler/providers/aws/services/elbv2/elbv2_logging_enabled/elbv2_logging_enabled.py @@ -6,7 +6,7 @@ class elbv2_logging_enabled(Check): def execute(self): findings = [] for lb in elbv2_client.loadbalancersv2.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=lb) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = ( f"ELBv2 ALB {lb.name} does not have access logs configured." diff --git a/prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.py b/prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.py index 3d522de6807..856eb7492bd 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.py +++ b/prowler/providers/aws/services/elbv2/elbv2_nlb_tls_termination_enabled/elbv2_nlb_tls_termination_enabled.py 
@@ -7,9 +7,7 @@ def execute(self): findings = [] for lb in elbv2_client.loadbalancersv2.values(): if lb.type == "network": - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=lb - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = f"ELBv2 NLB {lb.name} is not configured to terminate TLS connections." for listener in lb.listeners.values(): diff --git a/prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.py b/prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.py index 09b34ee3c86..510238669d1 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.py +++ b/prowler/providers/aws/services/elbv2/elbv2_ssl_listeners/elbv2_ssl_listeners.py @@ -7,9 +7,7 @@ def execute(self): findings = [] for lb in elbv2_client.loadbalancersv2.values(): if lb.type == "application": - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=lb - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "PASS" report.status_extended = ( f"ELBv2 ALB {lb.name} has HTTPS listeners only." diff --git a/prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.py b/prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.py index 4b72865d449..a89c88bb6c9 100644 --- a/prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.py +++ b/prowler/providers/aws/services/elbv2/elbv2_waf_acl_attached/elbv2_waf_acl_attached.py @@ -9,9 +9,7 @@ def execute(self): findings = [] for lb in elbv2_client.loadbalancersv2.values(): if lb.type == "application": - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=lb - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=lb) report.status = "FAIL" report.status_extended = ( f"ELBv2 ALB {lb.name} is not protected by WAF Web ACL." 
diff --git a/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py b/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py index 263b170baa3..c3029e81e37 100644 --- a/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py +++ b/prowler/providers/aws/services/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py @@ -8,7 +8,7 @@ def execute(self): for region in emr_client.block_public_access_configuration: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=emr_client.block_public_access_configuration, + resource=emr_client.block_public_access_configuration, ) report.region = region report.resource_id = emr_client.audited_account diff --git a/prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.py b/prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.py index fc2009efa0f..4a76c0e6a0c 100644 --- a/prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.py +++ b/prowler/providers/aws/services/emr/emr_cluster_master_nodes_no_public_ip/emr_cluster_master_nodes_no_public_ip.py @@ -11,9 +11,7 @@ def execute(self): ClusterStatus.TERMINATED, ClusterStatus.TERMINATED_WITH_ERRORS, ): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) if cluster.public: report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py b/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py index 443e8c99d72..8c720a87b59 100644 
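Review bot: In emr_cluster_account_public_block_enabled the resource handed to the report is the whole `emr_client.block_public_access_configuration` mapping, while a finding is emitted once per `region` iterated from that same mapping, so once the resource object is serialized into the outputs every per-region finding will carry the configuration of all regions. Since the loop iterates the mapping's keys, `resource=emr_client.block_public_access_configuration[region],` looks like the intended per-finding resource, assuming the values are the per-region configuration objects (not visible here). The first hunk of fms_policy_compliant has the same shape: `resource=fms_client.fms_policies` attaches the entire policy collection to a single account-level finding. In both places the hunk already overwrites `report.region` and the id/arn fields after construction, so only the serialized resource metadata is affected, not the existing columns.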
--- a/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py +++ b/prowler/providers/aws/services/emr/emr_cluster_publicly_accesible/emr_cluster_publicly_accesible.py @@ -15,9 +15,7 @@ def execute(self): ClusterStatus.TERMINATED, ClusterStatus.TERMINATED_WITH_ERRORS, ): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "PASS" report.status_extended = ( f"EMR Cluster {cluster.id} is not publicly accessible." diff --git a/prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py b/prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py index 5a566ce9f19..d78b46fc526 100644 --- a/prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py +++ b/prowler/providers/aws/services/eventbridge/eventbridge_bus_cross_account_access/eventbridge_bus_cross_account_access.py @@ -9,7 +9,7 @@ class eventbridge_bus_cross_account_access(Check): def execute(self): findings = [] for bus in eventbridge_client.buses.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=bus) + report = Check_Report_AWS(metadata=self.metadata(), resource=bus) report.status = "PASS" report.status_extended = ( f"EventBridge event bus {bus.name} does not allow cross-account access." diff --git a/prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.py b/prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.py index c2861a02c46..d0803c18052 100644 --- a/prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.py +++ b/prowler/providers/aws/services/eventbridge/eventbridge_bus_exposed/eventbridge_bus_exposed.py 
@@ -9,7 +9,7 @@ class eventbridge_bus_exposed(Check): def execute(self): findings = [] for bus in eventbridge_client.buses.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=bus) + report = Check_Report_AWS(metadata=self.metadata(), resource=bus) report.status = "PASS" report.status_extended = ( f"EventBridge event bus {bus.name} is not exposed to everyone." diff --git a/prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.py b/prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.py index ba3848736a0..ed5716c92a6 100644 --- a/prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.py +++ b/prowler/providers/aws/services/eventbridge/eventbridge_global_endpoint_event_replication_enabled/eventbridge_global_endpoint_event_replication_enabled.py @@ -8,9 +8,7 @@ class eventbridge_global_endpoint_event_replication_enabled(Check): def execute(self): findings = [] for endpoint in eventbridge_client.endpoints.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=endpoint - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint) report.status = "PASS" report.status_extended = f"EventBridge global endpoint {endpoint.name} has event replication enabled." if endpoint.replication_state == "DISABLED": diff --git a/prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py b/prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py index 2475b4858d8..910cc5580c5 100644 
--- a/prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py +++ b/prowler/providers/aws/services/eventbridge/eventbridge_schema_registry_cross_account_access/eventbridge_schema_registry_cross_account_access.py @@ -7,9 +7,7 @@ class eventbridge_schema_registry_cross_account_access(Check): def execute(self): findings = [] for registry in schema_client.registries.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=registry - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=registry) report.status = "PASS" report.status_extended = f"EventBridge schema registry {registry.name} does not allow cross-account access." if is_policy_public( diff --git a/prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py b/prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py index 4fb4306d5e8..8154a84b66f 100644 --- a/prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py +++ b/prowler/providers/aws/services/firehose/firehose_stream_encrypted_at_rest/firehose_stream_encrypted_at_rest.py @@ -21,9 +21,7 @@ def execute(self) -> List[Check_Report_AWS]: """ findings = [] for stream in firehose_client.delivery_streams.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=stream - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=stream) report.status = "PASS" report.status_extended = ( f"Firehose Stream {stream.name} does have at rest encryption enabled." diff --git a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py index 9bc8959b928..a36cd9f8e09 100644 
--- a/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py +++ b/prowler/providers/aws/services/fms/fms_policy_compliant/fms_policy_compliant.py @@ -7,7 +7,7 @@ def execute(self): findings = [] if fms_client.fms_admin_account: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=fms_client.fms_policies + metadata=self.metadata(), resource=fms_client.fms_policies ) report.region = fms_client.region report.resource_arn = fms_client.policy_arn_template @@ -23,7 +23,7 @@ def execute(self): or not policy_to_account.status ): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=policy + metadata=self.metadata(), resource=policy ) report.status = "FAIL" report.status_extended = f"FMS with non-compliant policy {policy.name} for account {policy_to_account.account_id}." diff --git a/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.py b/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.py index a80d91ac4ed..837a3962f4f 100644 --- a/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.py +++ b/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.py @@ -8,7 +8,7 @@ def execute(self): for file_system in fsx_client.file_systems.values(): if file_system.copy_tags_to_backups is not None: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=file_system + metadata=self.metadata(), resource=file_system ) report.status = "PASS" report.status_extended = f"FSx file system {file_system.id} has copy tags to backups enabled." 
diff --git a/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.py b/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.py index dbb88c4839a..55075ed8cc4 100644 --- a/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.py +++ b/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_volumes_enabled/fsx_file_system_copy_tags_to_volumes_enabled.py @@ -8,7 +8,7 @@ def execute(self): for file_system in fsx_client.file_systems.values(): if file_system.copy_tags_to_volumes is not None: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=file_system + metadata=self.metadata(), resource=file_system ) report.status = "PASS" report.status_extended = f"FSx file system {file_system.id} has copy tags to volumes enabled." diff --git a/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py b/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py index a1fb9ad1f1f..fa765c1dc1e 100644 --- a/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py +++ b/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py @@ -8,7 +8,7 @@ def execute(self): for file_system in fsx_client.file_systems.values(): if file_system.type == "WINDOWS": report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=file_system + metadata=self.metadata(), resource=file_system ) if len(file_system.subnet_ids) > 1: report.status = "PASS" 
diff --git a/prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.py b/prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.py index 66fccd1783c..4b5cd64e98b 100644 --- a/prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.py +++ b/prowler/providers/aws/services/glacier/glacier_vaults_policy_public_access/glacier_vaults_policy_public_access.py @@ -6,7 +6,7 @@ class glacier_vaults_policy_public_access(Check): def execute(self): findings = [] for vault in glacier_client.vaults.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=vault) + report = Check_Report_AWS(metadata=self.metadata(), resource=vault) report.status = "PASS" report.status_extended = f"Vault {vault.name} has policy which does not allow access to everyone." diff --git a/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py index 46a1e57b499..9a62163025c 100644 --- a/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_data_catalogs_connection_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py 
@@ -9,7 +9,7 @@ def execute(self): # Check only if there are Glue Tables if data_catalog.tables or glue_client.provider.scan_unused_services: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=data_catalog + metadata=self.metadata(), resource=data_catalog ) report.resource_id = glue_client.audited_account report.resource_arn = glue_client._get_data_catalog_arn_template( diff --git a/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py index bbf1ec9e009..8ae07865fab 100644 --- a/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py +++ b/prowler/providers/aws/services/glue/glue_data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py @@ -9,7 +9,7 @@ def execute(self): # Check only if there are Glue Tables if data_catalog.tables or glue_client.provider.scan_unused_services: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=data_catalog + metadata=self.metadata(), resource=data_catalog ) report.resource_id = glue_client.audited_account report.resource_arn = glue_client._get_data_catalog_arn_template( diff --git a/prowler/providers/aws/services/glue/glue_data_catalogs_not_publicly_accessible/glue_data_catalogs_not_publicly_accessible.py b/prowler/providers/aws/services/glue/glue_data_catalogs_not_publicly_accessible/glue_data_catalogs_not_publicly_accessible.py index b005d9a6426..6ad46453204 100644 --- a/prowler/providers/aws/services/glue/glue_data_catalogs_not_publicly_accessible/glue_data_catalogs_not_publicly_accessible.py +++ b/prowler/providers/aws/services/glue/glue_data_catalogs_not_publicly_accessible/glue_data_catalogs_not_publicly_accessible.py 
@@ -7,9 +7,7 @@ class glue_data_catalogs_not_publicly_accessible(Check):
 def execute(self):
 findings = []
 for data_catalog in glue_client.data_catalogs.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=data_catalog
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=data_catalog)
 report.resource_id = glue_client.audited_account
 report.resource_arn = glue_client._get_data_catalog_arn_template(
 data_catalog.region
diff --git a/prowler/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled.py b/prowler/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled.py
index b5395d0b8e4..bd888174d19 100644
--- a/prowler/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_database_connections_ssl_enabled/glue_database_connections_ssl_enabled.py
@@ -6,7 +6,7 @@ class glue_database_connections_ssl_enabled(Check):
 def execute(self):
 findings = []
 for conn in glue_client.connections:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=conn)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=conn)
 report.status = "FAIL"
 report.status_extended = (
 f"Glue connection {conn.name} has SSL connection disabled."
diff --git a/prowler/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled.py
index 767ead60167..80820c91e1d 100644
--- a/prowler/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_development_endpoints_cloudwatch_logs_encryption_enabled/glue_development_endpoints_cloudwatch_logs_encryption_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for endpoint in glue_client.dev_endpoints:
 no_sec_configs = True
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=endpoint
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint)
 for sec_config in glue_client.security_configs:
 if sec_config.name == endpoint.security:
 no_sec_configs = False
diff --git a/prowler/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled.py
index 91e751c8746..84d01a5333a 100644
--- a/prowler/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_development_endpoints_job_bookmark_encryption_enabled/glue_development_endpoints_job_bookmark_encryption_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for endpoint in glue_client.dev_endpoints:
 no_sec_configs = True
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=endpoint
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint)
 for sec_config in glue_client.security_configs:
 if sec_config.name == endpoint.security:
 no_sec_configs = False
diff --git a/prowler/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled.py
index fb4ba04ffa9..084bb8316fa 100644
--- a/prowler/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_development_endpoints_s3_encryption_enabled/glue_development_endpoints_s3_encryption_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for endpoint in glue_client.dev_endpoints:
 no_sec_configs = True
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=endpoint
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint)
 for sec_config in glue_client.security_configs:
 if sec_config.name == endpoint.security:
 no_sec_configs = False
diff --git a/prowler/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled.py
index 9199a2def91..37171cbdf9e 100644
--- a/prowler/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_etl_jobs_amazon_s3_encryption_enabled/glue_etl_jobs_amazon_s3_encryption_enabled.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 for job in glue_client.jobs:
 no_sec_configs = True
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=job)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=job)
 for sec_config in glue_client.security_configs:
 if sec_config.name == job.security:
 no_sec_configs = False
diff --git a/prowler/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled.py
index ab40558a50b..3fe7cb26921 100644
--- a/prowler/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_etl_jobs_cloudwatch_logs_encryption_enabled/glue_etl_jobs_cloudwatch_logs_encryption_enabled.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 for job in glue_client.jobs:
 no_sec_configs = True
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=job)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=job)
 for sec_config in glue_client.security_configs:
 if sec_config.name == job.security:
 no_sec_configs = False
diff --git a/prowler/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled.py b/prowler/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled.py
index cf29b7106ef..b84593eb0a4 100644
--- a/prowler/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_etl_jobs_job_bookmark_encryption_enabled/glue_etl_jobs_job_bookmark_encryption_enabled.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 for job in glue_client.jobs:
 no_sec_configs = True
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=job)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=job)
 for sec_config in glue_client.security_configs:
 if sec_config.name == job.security:
 no_sec_configs = False
diff --git a/prowler/providers/aws/services/glue/glue_etl_jobs_logging_enabled/glue_etl_jobs_logging_enabled.py b/prowler/providers/aws/services/glue/glue_etl_jobs_logging_enabled/glue_etl_jobs_logging_enabled.py
index 9a446a8c40b..a1a8c47d4e0 100644
--- a/prowler/providers/aws/services/glue/glue_etl_jobs_logging_enabled/glue_etl_jobs_logging_enabled.py
+++ b/prowler/providers/aws/services/glue/glue_etl_jobs_logging_enabled/glue_etl_jobs_logging_enabled.py
@@ -20,7 +20,7 @@ def execute(self) -> List[Check_Report_AWS]:
 """
 findings = []
 for job in glue_client.jobs:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=job)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=job)
 report.status = "FAIL"
 report.status_extended = (
 f"Glue job {job.name} does not have logging enabled."
diff --git a/prowler/providers/aws/services/glue/glue_ml_transform_encrypted_at_rest/glue_ml_transform_encrypted_at_rest.py b/prowler/providers/aws/services/glue/glue_ml_transform_encrypted_at_rest/glue_ml_transform_encrypted_at_rest.py
index 5ab1576e5c8..5a10aeba53f 100644
--- a/prowler/providers/aws/services/glue/glue_ml_transform_encrypted_at_rest/glue_ml_transform_encrypted_at_rest.py
+++ b/prowler/providers/aws/services/glue/glue_ml_transform_encrypted_at_rest/glue_ml_transform_encrypted_at_rest.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for ml_transform in glue_client.ml_transforms.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=ml_transform
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=ml_transform)
 report.status = "PASS"
 report.status_extended = (
 f"Glue ML Transform {ml_transform.name} is encrypted at rest."
diff --git a/prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.py b/prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.py
index 84b72f61648..5ac8cac27b0 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_centrally_managed/guardduty_centrally_managed.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
 if detector.id and detector.enabled_in_account:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "FAIL"
 report.status_extended = (
 f"GuardDuty detector {detector.id} is not centrally managed."
diff --git a/prowler/providers/aws/services/guardduty/guardduty_ec2_malware_protection_enabled/guardduty_ec2_malware_protection_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_ec2_malware_protection_enabled/guardduty_ec2_malware_protection_enabled.py
index 82122bad1af..0016b8476dd 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_ec2_malware_protection_enabled/guardduty_ec2_malware_protection_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_ec2_malware_protection_enabled/guardduty_ec2_malware_protection_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
 if detector.status:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "FAIL"
 report.status_extended = f"GuardDuty detector {detector.id} does not have Malware Protection for EC2 enabled."
 if detector.ec2_malware_protection:
diff --git a/prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.py
index 6a513fc57ef..c89a3fc9ac6 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_eks_audit_log_enabled/guardduty_eks_audit_log_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
 if detector.status:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "FAIL"
 report.status_extended = f"GuardDuty detector {detector.id} does not have EKS Audit Log Monitoring enabled."
 if detector.eks_audit_log_protection:
diff --git a/prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.py
index 0dde63c3dc9..04ca8c07795 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_eks_runtime_monitoring_enabled/guardduty_eks_runtime_monitoring_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
 if detector.status:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "FAIL"
 report.status_extended = f"GuardDuty detector {detector.id} does not have EKS Runtime Monitoring enabled."
 if detector.eks_runtime_monitoring:
diff --git a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
index 733175da515..f69492b191c 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled.py
@@ -6,9 +6,7 @@ class guardduty_is_enabled(Check):
 def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "PASS"
 report.status_extended = f"GuardDuty detector {detector.id} enabled."
diff --git a/prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.py
index 1b4d08972e1..24bcad6501f 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_lambda_protection_enabled/guardduty_lambda_protection_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
 if detector.status:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "FAIL"
 report.status_extended = f"GuardDuty detector {detector.id} does not have Lambda Protection enabled."
 if detector.lambda_protection:
diff --git a/prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.py b/prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.py
index 5406b3d54d7..8f07121b5c2 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_no_high_severity_findings/guardduty_no_high_severity_findings.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
 if detector.id and detector.enabled_in_account:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "PASS"
 report.status_extended = f"GuardDuty detector {detector.id} does not have high severity findings."
 if len(detector.findings) > 0:
diff --git a/prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.py
index 7633f50ad0c..38f585f9fbd 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_rds_protection_enabled/guardduty_rds_protection_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
 if detector.status:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "FAIL"
 report.status_extended = (
 "GuardDuty detector does not have RDS Protection enabled."
diff --git a/prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.py b/prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.py
index 21b00e45d4b..ead12249dc7 100644
--- a/prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.py
+++ b/prowler/providers/aws/services/guardduty/guardduty_s3_protection_enabled/guardduty_s3_protection_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for detector in guardduty_client.detectors:
 if detector.status:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=detector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=detector)
 report.status = "FAIL"
 report.status_extended = (
 "GuardDuty detector does not have S3 Protection enabled."
diff --git a/prowler/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa.py b/prowler/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa.py
index fe876b51fe6..d99501b4476 100644
--- a/prowler/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa.py
+++ b/prowler/providers/aws/services/iam/iam_administrator_access_with_mfa/iam_administrator_access_with_mfa.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_AWS:
 response = iam_client.groups
 for group in response:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=group)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=group)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"Group {group.name} has no policies."
diff --git a/prowler/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage.py b/prowler/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage.py
index 7bf9ca42db6..a24a2d7c2a9 100644
--- a/prowler/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage.py
+++ b/prowler/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage.py
@@ -16,9 +16,7 @@ def execute(self) -> Check_Report_AWS:
 for user in response:
 if user["user"] == "":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
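Review bot: In the `iam_avoid_root_usage` hunk the object handed over as `resource=user` is a credential-report row that the check itself treats as a dict (`user["user"]`, `user["arn"]`), so the attribute lookups the `Check_Report_AWS` constructor performs for id/name/arn/region will not find anything on it and the explicit `report.resource_id` / `report.resource_arn` assignments that follow remain the only source of those fields; a comment such as `# credential-report row is a dict: resource_id/resource_arn are set explicitly below` would keep a later cleanup from dropping them. The same applies to the `iam_no_root_access_key` hunk further down. If the resource object is now retained on the finding and serialised into output files, the root account's whole credential-report row (password and access-key activity columns) travels with every such finding, which is worth a deliberate decision about which fields are emitted. The enclosing `execute` starts and ends outside the hunk.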
diff --git a/prowler/providers/aws/services/iam/iam_aws_attached_policy_no_administrative_privileges/iam_aws_attached_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_aws_attached_policy_no_administrative_privileges/iam_aws_attached_policy_no_administrative_privileges.py
index 518daf4ab52..992ec909b8a 100644
--- a/prowler/providers/aws/services/iam/iam_aws_attached_policy_no_administrative_privileges/iam_aws_attached_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_aws_attached_policy_no_administrative_privileges/iam_aws_attached_policy_no_administrative_privileges.py
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 # Check only for attached AWS policies
 if policy.attached and policy.type == "AWS":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"{policy.type} policy {policy.name} is attached but does not allow '*:*' administrative privileges."
diff --git a/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py b/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
index fbe1bd168f4..7d9cc26a900 100644
--- a/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
+++ b/prowler/providers/aws/services/iam/iam_check_saml_providers_sts/iam_check_saml_providers_sts.py
@@ -7,7 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 if not iam_client.saml_providers and iam_client.saml_providers is not None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.saml_providers
+ metadata=self.metadata(), resource=iam_client.saml_providers
 )
 report.resource_id = iam_client.audited_account
 report.resource_arn = iam_client.audited_account_arn
@@ -17,9 +17,7 @@ def execute(self) -> Check_Report_AWS:
 findings.append(report)
 for provider in iam_client.saml_providers.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=provider
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=provider)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"SAML Provider {provider.name} has been found."
diff --git a/prowler/providers/aws/services/iam/iam_customer_attached_policy_no_administrative_privileges/iam_customer_attached_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_customer_attached_policy_no_administrative_privileges/iam_customer_attached_policy_no_administrative_privileges.py
index 7d5d6013df8..953b9dee042 100644
--- a/prowler/providers/aws/services/iam/iam_customer_attached_policy_no_administrative_privileges/iam_customer_attached_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_customer_attached_policy_no_administrative_privileges/iam_customer_attached_policy_no_administrative_privileges.py
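Review bot: In the first `iam_check_saml_providers_sts` hunk `resource=iam_client.saml_providers` passes the providers container itself to the constructor, and inside this branch it is guaranteed empty by the guard `not iam_client.saml_providers and iam_client.saml_providers is not None`, so the finding's resource is an empty mapping rather than a resource and `resource_id`/`resource_arn` are filled from the account on the two following lines. A comment would make that intent explicit for the next reader: `# account-level finding: no SAML providers exist, so there is no resource object to attach`. The second hunk's per-provider call needs no change.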
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 # Check only for attached custom policies
 if policy.attached and policy.type == "Custom":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"{policy.type} policy {policy.name} is attached but does not allow '*:*' administrative privileges."
diff --git a/prowler/providers/aws/services/iam/iam_customer_unattached_policy_no_administrative_privileges/iam_customer_unattached_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_customer_unattached_policy_no_administrative_privileges/iam_customer_unattached_policy_no_administrative_privileges.py
index 39422f064c2..61f18ebaf94 100644
--- a/prowler/providers/aws/services/iam/iam_customer_unattached_policy_no_administrative_privileges/iam_customer_unattached_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_customer_unattached_policy_no_administrative_privileges/iam_customer_unattached_policy_no_administrative_privileges.py
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 # Check only for cutomer unattached policies
 if not policy.attached and policy.type == "Custom":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"{policy.type} policy {policy.name} is unattached and does not allow '*:*' administrative privileges."
diff --git a/prowler/providers/aws/services/iam/iam_group_administrator_access_policy/iam_group_administrator_access_policy.py b/prowler/providers/aws/services/iam/iam_group_administrator_access_policy/iam_group_administrator_access_policy.py
index c46db4e7908..0ffc9f3ea6a 100644
--- a/prowler/providers/aws/services/iam/iam_group_administrator_access_policy/iam_group_administrator_access_policy.py
+++ b/prowler/providers/aws/services/iam/iam_group_administrator_access_policy/iam_group_administrator_access_policy.py
@@ -8,7 +8,7 @@ class iam_group_administrator_access_policy(Check):
 def execute(self) -> List[Check_Report_AWS]:
 findings = []
 for group in iam_client.groups:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=group)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=group)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py b/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py
index c560b6c8298..826e9902c4b 100644
--- a/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 if policy.type == "Inline":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.resource_id = f"{policy.entity}/{policy.name}"
 report.region = iam_client.region
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
index c74ff202bb3..f78546b100d 100644
--- a/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
@@ -8,9 +8,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 for policy in iam_client.policies:
 if policy.type == "Inline":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.resource_id = f"{policy.entity}/{policy.name}"
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py b/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py
index 866ac2eb801..bf031036405 100644
--- a/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 # Check only inline policies
 if policy.type == "Inline":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.resource_id = f"{policy.entity}/{policy.name}"
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py b/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py
index fd1cacb61e3..33fc5fe6a53 100644
--- a/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py
@@ -11,9 +11,7 @@ def execute(self):
 for policy in iam_client.policies:
 if policy.type == "Inline":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.resource_id = f"{policy.entity}/{policy.name}"
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py b/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
index 0cfc7e9e6fc..881e362d226 100644
--- a/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
+++ b/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
@@ -8,9 +8,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 # Check only custom policies
 if policy.type == "Custom":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"Custom Policy {policy.name} does not allow permissive STS Role assumption."
diff --git a/prowler/providers/aws/services/iam/iam_no_expired_server_certificates_stored/iam_no_expired_server_certificates_stored.py b/prowler/providers/aws/services/iam/iam_no_expired_server_certificates_stored/iam_no_expired_server_certificates_stored.py
index e7af7ac4bca..ecd4bcb4062 100644
--- a/prowler/providers/aws/services/iam/iam_no_expired_server_certificates_stored/iam_no_expired_server_certificates_stored.py
+++ b/prowler/providers/aws/services/iam/iam_no_expired_server_certificates_stored/iam_no_expired_server_certificates_stored.py
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 for certificate in iam_client.server_certificates:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=certificate
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=certificate)
 report.region = iam_client.region
 expiration_days = (datetime.now(timezone.utc) - certificate.expiration).days
 if expiration_days >= 0:
diff --git a/prowler/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key.py b/prowler/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key.py
index 8d484179c2a..155f58d9d60 100644
--- a/prowler/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key.py
+++ b/prowler/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_AWS:
 ):
 for user in iam_client.credential_report:
 if user["user"] == "":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py b/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py
index 61a46d92994..ec002bac429 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less.py
@@ -7,7 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 if iam_client.password_policy:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.password_policy
+ metadata=self.metadata(), resource=iam_client.password_policy
 )
 report.region = iam_client.region
 report.resource_arn = iam_client.password_policy_arn_template
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py b/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py
index e215f0bc3a1..76dc46dc758 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase.py
@@ -7,7 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 if iam_client.password_policy:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.password_policy
+ metadata=self.metadata(), resource=iam_client.password_policy
 )
 report.region = iam_client.region
 report.resource_arn = iam_client.password_policy_arn_template
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py b/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py
index a5b06a73233..93ae14fbf4d 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14.py
@@ -7,7 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 if iam_client.password_policy:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.password_policy
+ metadata=self.metadata(), resource=iam_client.password_policy
 )
 report.region = iam_client.region
 report.resource_arn = iam_client.password_policy_arn_template
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py b/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py
index 9c1e5f5342e..fbbc4bc773b 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number.py
@@ -7,7 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 if iam_client.password_policy:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.password_policy
+ metadata=self.metadata(), resource=iam_client.password_policy
 )
 report.region = iam_client.region
 report.resource_arn = iam_client.password_policy_arn_template
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py b/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py
index 6ddeed6ed5e..fefe7a8918f 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24.py
@@ -7,7 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 if iam_client.password_policy:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.password_policy
+ metadata=self.metadata(), resource=iam_client.password_policy
 )
 report.region = iam_client.region
 report.resource_arn = iam_client.password_policy_arn_template
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py b/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py
index 68a0f85c82e..c6787e25ce3 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol.py
@@ -7,7 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 if iam_client.password_policy:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.password_policy
+ metadata=self.metadata(), resource=iam_client.password_policy
 )
 report.region = iam_client.region
 report.resource_arn = iam_client.password_policy_arn_template
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py b/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py
index 783fa035c2b..3465654ae06 100644
--- a/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py
+++ b/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase.py
@@ -7,7 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 if iam_client.password_policy:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=iam_client.password_policy
+ metadata=self.metadata(), resource=iam_client.password_policy
 )
 report.region = iam_client.region
 report.resource_arn = iam_client.password_policy_arn_template
diff --git a/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py b/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
index d71f555c8bf..bb6292d00f4 100644
--- a/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
+++ b/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 if policy.type == "Custom":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"Custom Policy {report.resource_arn} does not allow privilege escalation."
diff --git a/prowler/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles.py b/prowler/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles.py
index e04f8a5bc77..7ce14fad46b 100644
--- a/prowler/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles.py
+++ b/prowler/providers/aws/services/iam/iam_policy_attached_only_to_group_or_roles/iam_policy_attached_only_to_group_or_roles.py
@@ -11,7 +11,7 @@ def execute(self) -> Check_Report_AWS:
 if user.attached_policies:
 for policy in user.attached_policies:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
+ metadata=self.metadata(), resource=user
 )
 report.region = iam_client.region
 report.status = "FAIL"
@@ -21,7 +21,7 @@ def execute(self) -> Check_Report_AWS:
 if user.inline_policies:
 for policy in user.inline_policies:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
+ metadata=self.metadata(), resource=user
 )
 report.region = iam_client.region
 report.status = "FAIL"
@@ -30,9 +30,7 @@ def execute(self) -> Check_Report_AWS:
 findings.append(report)
 else:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/iam/iam_policy_cloudshell_admin_not_attached/iam_policy_cloudshell_admin_not_attached.py b/prowler/providers/aws/services/iam/iam_policy_cloudshell_admin_not_attached/iam_policy_cloudshell_admin_not_attached.py
index 019a325d027..ea8e2d4da59 100644
--- a/prowler/providers/aws/services/iam/iam_policy_cloudshell_admin_not_attached/iam_policy_cloudshell_admin_not_attached.py
+++ b/prowler/providers/aws/services/iam/iam_policy_cloudshell_admin_not_attached/iam_policy_cloudshell_admin_not_attached.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_AWS:
 if iam_client.entities_attached_to_cloudshell_policy:
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=iam_client.entities_attached_to_cloudshell_policy,
+ resource=iam_client.entities_attached_to_cloudshell_policy,
 )
 report.region = iam_client.region
 report.resource_id = iam_client.audited_account
diff --git a/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail.py b/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail.py
index 48e0715b36f..2c0161f0d09 100644
--- a/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail.py
+++ b/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_cloudtrail/iam_policy_no_full_access_to_cloudtrail.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 # Check only custom policies
 if policy.type == "Custom":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"Custom Policy {policy.name} does not allow '{critical_service}:*' privileges."
diff --git a/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms.py b/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms.py
index 1c48f54794a..64facbfbc2b 100644
--- a/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms.py
+++ b/prowler/providers/aws/services/iam/iam_policy_no_full_access_to_kms/iam_policy_no_full_access_to_kms.py
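Review bot: The `resource=` argument in the iam_policy_cloudshell_admin_not_attached hunk is `iam_client.entities_attached_to_cloudshell_policy`, an account-level collection rather than the single resource the finding is about, and the check then identifies the finding by hand with `report.resource_id = iam_client.audited_account` on the following line, so the collection contributes nothing to the finding's identity. If `resource` is now serialised into the output's resource metadata, each of these account-scoped findings will carry the whole collection, which inflates the output and is awkward for consumers that expect the metadata to describe one resource; consider passing a small object that describes the account-level subject (or the policy attachment being judged), or document that these checks intentionally emit an aggregate. The same pattern appears in iam_root_credentials_management_enabled (`organization_features`), iam_root_hardware_mfa_enabled (`account_summary`, after which `resource_id` is set to `""`), iam_securityaudit_role_created and iam_support_role_created (the attached-entity collections). The enclosing `execute` starts outside the hunk.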
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 # Check only custom policies
 if policy.type == "Custom":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=policy
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=policy)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"Custom Policy {policy.name} does not allow '{critical_service}:*' privileges."
diff --git a/prowler/providers/aws/services/iam/iam_role_administratoraccess_policy/iam_role_administratoraccess_policy.py b/prowler/providers/aws/services/iam/iam_role_administratoraccess_policy/iam_role_administratoraccess_policy.py
index 0cfcf52d0af..2a17b223ebe 100644
--- a/prowler/providers/aws/services/iam/iam_role_administratoraccess_policy/iam_role_administratoraccess_policy.py
+++ b/prowler/providers/aws/services/iam/iam_role_administratoraccess_policy/iam_role_administratoraccess_policy.py
@@ -10,9 +10,7 @@ def execute(self) -> Check_Report_AWS:
 if (
 not role.is_service_role
 ): # Avoid service roles since they cannot be modified by the user
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=role
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=role)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = f"IAM Role {role.name} does not have AdministratorAccess policy."
diff --git a/prowler/providers/aws/services/iam/iam_role_cross_account_readonlyaccess_policy/iam_role_cross_account_readonlyaccess_policy.py b/prowler/providers/aws/services/iam/iam_role_cross_account_readonlyaccess_policy/iam_role_cross_account_readonlyaccess_policy.py
index 8eae0940b39..ee9796dc320 100644
--- a/prowler/providers/aws/services/iam/iam_role_cross_account_readonlyaccess_policy/iam_role_cross_account_readonlyaccess_policy.py
+++ b/prowler/providers/aws/services/iam/iam_role_cross_account_readonlyaccess_policy/iam_role_cross_account_readonlyaccess_policy.py
@@ -10,9 +10,7 @@ def execute(self) -> Check_Report_AWS:
 if (
 not role.is_service_role
 ): # Avoid service roles since they cannot be modified by the user
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=role
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=role)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py b/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py
index 5141460a9db..9bde18b53a9 100644
--- a/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py
+++ b/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py
@@ -10,9 +10,7 @@ def execute(self) -> Check_Report_AWS:
 for role in iam_client.roles:
 # This check should only be performed against service roles (avoid Service Linked Roles since the trust relationship cannot be changed)
 if role.is_service_role and "aws-service-role" not in role.arn:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=role
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=role)
 report.region = iam_client.region
 report.status = "FAIL"
 report.status_extended = f"IAM Service Role {role.name} does not prevent against a cross-service confused deputy attack."
diff --git a/prowler/providers/aws/services/iam/iam_root_credentials_management_enabled/iam_root_credentials_management_enabled.py b/prowler/providers/aws/services/iam/iam_root_credentials_management_enabled/iam_root_credentials_management_enabled.py
index 16fbd6e6555..f1b1280c953 100644
--- a/prowler/providers/aws/services/iam/iam_root_credentials_management_enabled/iam_root_credentials_management_enabled.py
+++ b/prowler/providers/aws/services/iam/iam_root_credentials_management_enabled/iam_root_credentials_management_enabled.py
@@ -15,7 +15,7 @@ def execute(self) -> Check_Report_AWS:
 ):
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=iam_client.organization_features,
+ resource=iam_client.organization_features,
 )
 report.region = iam_client.region
 report.resource_arn = iam_client.audited_account_arn
diff --git a/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py b/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py
index 7b11522b007..7b3ad5d8117 100644
--- a/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py
+++ b/prowler/providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_AWS:
 virtual_mfa = False
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=iam_client.account_summary,
+ resource=iam_client.account_summary,
 )
 report.region = iam_client.region
 report.resource_id = ""
diff --git a/prowler/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled.py b/prowler/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled.py
index 52579c60427..8a035f2ede5 100644
--- a/prowler/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled.py
+++ b/prowler/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled.py
@@ -14,7 +14,7 @@ def execute(self) -> Check_Report_AWS:
 for user in iam_client.credential_report:
 if user["user"] == "":
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
+ metadata=self.metadata(), resource=user
 )
 report.region = iam_client.region
 report.resource_id = user["user"]
diff --git a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
index d42109e6bef..15c7be0c796 100644
--- a/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
+++ b/prowler/providers/aws/services/iam/iam_rotate_access_key_90_days/iam_rotate_access_key_90_days.py
@@ -25,9 +25,7 @@ def execute(self) -> Check_Report_AWS:
 user["access_key_1_last_rotated"] == "N/A"
 and user["access_key_2_last_rotated"] == "N/A"
 ):
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
@@ -50,7 +48,7 @@ def execute(self) -> Check_Report_AWS:
 if access_key_1_last_rotated.days > maximum_expiration_days:
 old_access_keys = True
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
+ metadata=self.metadata(), resource=user
 )
 report.region = iam_client.region
 report.resource_id = f"{user['user']}-access-key-1"
@@ -69,7 +67,7 @@ def execute(self) -> Check_Report_AWS:
 if access_key_2_last_rotated.days > maximum_expiration_days:
 old_access_keys = True
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
+ metadata=self.metadata(), resource=user
 )
 report.region = iam_client.region
 report.resource_id = f"{user['user']}-access-key-2"
@@ -80,9 +78,7 @@ def execute(self) -> Check_Report_AWS:
 findings.append(report)
 if not old_access_keys:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
diff --git a/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py b/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py
index 00efd3379d4..123ee98cc84 100644
--- a/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py
+++ b/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_AWS:
 if iam_client.entities_role_attached_to_securityaudit_policy is not None:
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=iam_client.entities_role_attached_to_securityaudit_policy,
+ resource=iam_client.entities_role_attached_to_securityaudit_policy,
 )
 report.region = iam_client.region
 report.resource_id = "SecurityAudit"
diff --git a/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py b/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py
index 782380e9e52..f4dd61c8a1a 100644
--- a/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py
+++ b/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_AWS:
 if iam_client.entities_role_attached_to_support_policy is not None:
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=iam_client.entities_role_attached_to_support_policy,
+ resource=iam_client.entities_role_attached_to_support_policy,
 )
 report.region = iam_client.region
 report.resource_id = iam_client.audited_account
diff --git a/prowler/providers/aws/services/iam/iam_user_accesskey_unused/iam_user_accesskey_unused.py b/prowler/providers/aws/services/iam/iam_user_accesskey_unused/iam_user_accesskey_unused.py
index dd270ae358c..f163b9bf5b3 100644
--- a/prowler/providers/aws/services/iam/iam_user_accesskey_unused/iam_user_accesskey_unused.py
+++ b/prowler/providers/aws/services/iam/iam_user_accesskey_unused/iam_user_accesskey_unused.py
@@ -25,9 +25,7 @@ def execute(self) -> Check_Report_AWS:
 user["access_key_1_active"] != "true"
 and user["access_key_2_active"] != "true"
 ):
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
@@ -48,7 +46,7 @@ def execute(self) -> Check_Report_AWS:
 if access_key_1_last_used_date.days > maximum_expiration_days:
 old_access_keys = True
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
+ metadata=self.metadata(), resource=user
 )
 report.region = iam_client.region
 report.resource_id = user["user"] + "/AccessKey1"
@@ -66,7 +64,7 @@ def execute(self) -> Check_Report_AWS:
 if access_key_2_last_used_date.days > maximum_expiration_days:
 old_access_keys = True
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
+ metadata=self.metadata(), resource=user
 )
 report.region = iam_client.region
 report.resource_id = user["user"] + "/AccessKey2"
@@ -77,9 +75,7 @@ def execute(self) -> Check_Report_AWS:
 findings.append(report)
 if not old_access_keys:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
diff --git a/prowler/providers/aws/services/iam/iam_user_administrator_access_policy/iam_user_administrator_access_policy.py b/prowler/providers/aws/services/iam/iam_user_administrator_access_policy/iam_user_administrator_access_policy.py
index 7d2ff0e8cfe..83536eb2715 100644
--- a/prowler/providers/aws/services/iam/iam_user_administrator_access_policy/iam_user_administrator_access_policy.py
+++ b/prowler/providers/aws/services/iam/iam_user_administrator_access_policy/iam_user_administrator_access_policy.py
@@ -8,7 +8,7 @@ class iam_user_administrator_access_policy(Check):
 def execute(self) -> List[Check_Report_AWS]:
 findings = []
 for user in iam_client.users:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=user)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/iam/iam_user_console_access_unused/iam_user_console_access_unused.py b/prowler/providers/aws/services/iam/iam_user_console_access_unused/iam_user_console_access_unused.py
index c05b0d3c0d9..03db542d249 100644
--- a/prowler/providers/aws/services/iam/iam_user_console_access_unused/iam_user_console_access_unused.py
+++ b/prowler/providers/aws/services/iam/iam_user_console_access_unused/iam_user_console_access_unused.py
@@ -11,7 +11,7 @@ def execute(self) -> Check_Report_AWS:
 )
 findings = []
 for user in iam_client.users:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=user)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 if user.console_access and user.password_last_used:
 time_since_insertion = (
diff --git a/prowler/providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled.py b/prowler/providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled.py
index 987194242aa..34b2f1010b5 100644
--- a/prowler/providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled.py
+++ b/prowler/providers/aws/services/iam/iam_user_hardware_mfa_enabled/iam_user_hardware_mfa_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_AWS:
 response = iam_client.users
 for user in response:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=user)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 if user.mfa_devices:
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access.py b/prowler/providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access.py
index 3d1f399cf44..87c7286d135 100644
--- a/prowler/providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access.py
+++ b/prowler/providers/aws/services/iam/iam_user_mfa_enabled_console_access/iam_user_mfa_enabled_console_access.py
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_AWS:
 for user in response:
 # all the users but root (which by default does not support console password)
 if user["user"] != "":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
 report.region = iam_client.region
diff --git a/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py b/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py
index a91f5cae6d0..5c9e546b926 100644
--- a/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py
+++ b/prowler/providers/aws/services/iam/iam_user_no_setup_initial_access_key/iam_user_no_setup_initial_access_key.py
@@ -48,7 +48,7 @@ def execute(self) -> Check_Report_AWS:
 return findings
 def add_finding(self, user, status, status_extended, findings):
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=user)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.region = iam_client.region
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
diff --git a/prowler/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py b/prowler/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py
index 921e459c380..6788c853223 100644
--- a/prowler/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py
+++ b/prowler/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 response = iam_client.credential_report
 for user in response:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=user)
 report.resource_id = user["user"]
 report.resource_arn = user["arn"]
 report.region = iam_client.region
diff --git a/prowler/providers/aws/services/iam/iam_user_with_temporary_credentials/iam_user_with_temporary_credentials.py b/prowler/providers/aws/services/iam/iam_user_with_temporary_credentials/iam_user_with_temporary_credentials.py
index 23aa4339269..0734ddb0626 100644
--- a/prowler/providers/aws/services/iam/iam_user_with_temporary_credentials/iam_user_with_temporary_credentials.py
+++ b/prowler/providers/aws/services/iam/iam_user_with_temporary_credentials/iam_user_with_temporary_credentials.py
@@ -15,7 +15,7 @@ def execute(self) -> Check_Report_AWS:
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=iam_client.user_temporary_credentials_usage,
+ resource=iam_client.user_temporary_credentials_usage,
 )
 report.resource_id = user_name
 report.resource_arn = user_arn
diff --git a/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py b/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py
index f1c94dc3997..808fee8d78b 100644
--- a/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py
+++ b/prowler/providers/aws/services/inspector2/inspector2_active_findings_exist/inspector2_active_findings_exist.py
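Review bot: In the iam_user_with_temporary_credentials hunk the finding is scoped to a single user (`report.resource_id = user_name` and `report.resource_arn = user_arn` on the following lines), yet `resource=` receives `iam_client.user_temporary_credentials_usage`, which from its name appears to be the usage data for every user in the account. If that object is now serialised into the finding's resource metadata, each per-user finding will embed the whole account's usage record, inflating the output and placing information about other users inside every user's finding; passing only this user's entry (for example the value looked up by `user_name`, if the object is keyed that way) would keep the metadata consistent with the finding's subject. The loop that yields `user_name` and `user_arn` starts outside the hunk, so the exact shape of the usage object cannot be confirmed from here.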
@@ -9,9 +9,7 @@ def execute(self):
 findings = []
 for inspector in inspector2_client.inspectors:
 if inspector.status == "ENABLED":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=inspector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=inspector)
 report.status = "PASS"
 report.status_extended = (
 "Inspector2 is enabled with no active findings."
diff --git a/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py
index 664e361db8d..a9f5efbedd4 100644
--- a/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py
+++ b/prowler/providers/aws/services/inspector2/inspector2_is_enabled/inspector2_is_enabled.py
@@ -11,9 +11,7 @@ class inspector2_is_enabled(Check):
 def execute(self):
 findings = []
 for inspector in inspector2_client.inspectors:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=inspector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=inspector)
 if inspector.status == "ENABLED":
 report.status = "PASS"
 report.status_extended = "Inspector2 is enabled for EC2 instances, ECR container images, Lambda functions and code."
diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.py b/prowler/providers/aws/services/kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.py
index ec37ba0c75c..2dce9437ada 100644
--- a/prowler/providers/aws/services/kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.py
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_encryption_at_rest_uses_cmk/kafka_cluster_encryption_at_rest_uses_cmk.py
@@ -8,9 +8,7 @@ def execute(self):
 findings = []
 for cluster in kafka_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = f"Kafka cluster '{cluster.name}' does not have encryption at rest enabled with a CMK."
diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.py b/prowler/providers/aws/services/kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.py
index c5cb0aadb87..2bf0d383918 100644
--- a/prowler/providers/aws/services/kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.py
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_enhanced_monitoring_enabled/kafka_cluster_enhanced_monitoring_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for cluster in kafka_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "PASS"
 report.status_extended = (
 f"Kafka cluster '{cluster.name}' has enhanced monitoring enabled."
diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.py b/prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.py
index ba2fdb6ebdb..7b37fe5a177 100644
--- a/prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.py
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_in_transit_encryption_enabled/kafka_cluster_in_transit_encryption_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for cluster in kafka_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = f"Kafka cluster '{cluster.name}' does not have encryption in transit enabled."
diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.py b/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.py
index 58173ab9b60..597839978d0 100644
--- a/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.py
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_is_public/kafka_cluster_is_public.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for cluster in kafka_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = (
 f"Kafka cluster '{cluster.name}' is publicly accessible."
diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.py b/prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.py
index dd7e6148847..0e07e341075 100644
--- a/prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.py
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_mutual_tls_authentication_enabled/kafka_cluster_mutual_tls_authentication_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for cluster in kafka_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = f"Kafka cluster '{cluster.name}' does not have mutual TLS authentication enabled."
diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.py b/prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.py
index c7ba718984f..f96abbdb061 100644
--- a/prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.py
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_unrestricted_access_disabled/kafka_cluster_unrestricted_access_disabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for cluster in kafka_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = (
 f"Kafka cluster '{cluster.name}' has unrestricted access enabled."
diff --git a/prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.py b/prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.py
index 0a7adae1f86..32c17933840 100644
--- a/prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.py
+++ b/prowler/providers/aws/services/kafka/kafka_cluster_uses_latest_version/kafka_cluster_uses_latest_version.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for cluster in kafka_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "PASS"
 report.status_extended = (
 f"Kafka cluster '{cluster.name}' is using the latest version."
diff --git a/prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.py b/prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.py
index 3b0a70bb4a1..478edb4ae40 100644
--- a/prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.py
+++ b/prowler/providers/aws/services/kafka/kafka_connector_in_transit_encryption_enabled/kafka_connector_in_transit_encryption_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for connector in kafkaconnect_client.connectors.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=connector
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=connector)
 report.status = "FAIL"
 report.status_extended = f"Kafka connector {connector.name} does not have encryption in transit enabled."
diff --git a/prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.py b/prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.py
index 61b18f6ac5a..213e5df26e9 100644
--- a/prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.py
+++ b/prowler/providers/aws/services/kinesis/kinesis_stream_data_retention_period/kinesis_stream_data_retention_period.py
@@ -18,9 +18,7 @@ def execute(self):
 """
 findings = []
 for stream in kinesis_client.streams.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=stream
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=stream)
 report.status = "FAIL"
 report.status_extended = f"Kinesis Stream {stream.name} does not have an adequate data retention period ({stream.retention_period}hrs)."
diff --git a/prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.py b/prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.py
index 0c88388f8c4..5887f2ad5be 100644
--- a/prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.py
+++ b/prowler/providers/aws/services/kinesis/kinesis_stream_encrypted_at_rest/kinesis_stream_encrypted_at_rest.py
@@ -7,9 +7,7 @@ class kinesis_stream_encrypted_at_rest(Check):
 def execute(self):
 findings = []
 for stream in kinesis_client.streams.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=stream
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=stream)
 report.status = "FAIL"
 report.status_extended = (
 f"Kinesis Stream {stream.name} is not encrypted at rest."
diff --git a/prowler/providers/aws/services/kms/kms_cmk_are_used/kms_cmk_are_used.py b/prowler/providers/aws/services/kms/kms_cmk_are_used/kms_cmk_are_used.py
index d4bb01a397b..5241ce13318 100644
--- a/prowler/providers/aws/services/kms/kms_cmk_are_used/kms_cmk_are_used.py
+++ b/prowler/providers/aws/services/kms/kms_cmk_are_used/kms_cmk_are_used.py
@@ -8,9 +8,7 @@ def execute(self):
 for key in kms_client.keys:
 # Only check CMKs keys
 if key.manager == "CUSTOMER":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=key
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=key)
 if key.state != "Enabled":
 if key.state == "PendingDeletion":
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally.py b/prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally.py
index d66a89421d9..4a4ac30a55c 100644
--- a/prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally.py
+++ b/prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally.py
@@ -8,9 +8,7 @@ def execute(self):
 for key in kms_client.keys:
 if key.manager == "CUSTOMER":
 if key.state != "Disabled" or kms_client.provider.scan_unused_services:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=key
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=key)
 report.status = "PASS"
 report.status_extended = (
 f"KMS CMK {key.id} is not scheduled for deletion."
diff --git a/prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled.py b/prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled.py
index c3adc865d6a..2e5b05e60f2 100644
--- a/prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled.py
+++ b/prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled.py
@@ -6,7 +6,7 @@ class kms_cmk_rotation_enabled(Check):
 def execute(self):
 findings = []
 for key in kms_client.keys:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=key)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=key)
 # Only check enabled CMKs keys
 if (
 key.manager == "CUSTOMER"
diff --git a/prowler/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py b/prowler/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
index 5378786224f..843d22b3c98 100644
--- a/prowler/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
@@ -10,9 +10,7 @@ def execute(self):
 if (
 key.manager == "CUSTOMER" and key.state == "Enabled"
 ): # only customer KMS have policies
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=key
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=key)
 report.status = "PASS"
 report.status_extended = f"KMS key {key.id} is not exposed to Public."
 # If the "Principal" element value is set to { "AWS": "*" } and the policy statement is not using any Condition clauses to filter the access, the selected AWS KMS master key is publicly accessible.
diff --git a/prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.py b/prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.py
index 565a6e3f676..c6f716eaaef 100644
--- a/prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.py
+++ b/prowler/providers/aws/services/lightsail/lightsail_database_public/lightsail_database_public.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for database in lightsail_client.databases.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=database
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=database)
 report.status = "FAIL"
 report.status_extended = f"Database '{database.name}' is public."
diff --git a/prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.py b/prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.py
index 712e92d93d6..0fc16d48ce0 100644
--- a/prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.py
+++ b/prowler/providers/aws/services/lightsail/lightsail_instance_automated_snapshots/lightsail_instance_automated_snapshots.py
@@ -6,9 +6,7 @@ class lightsail_instance_automated_snapshots(Check):
 def execute(self):
 findings = []
 for instance in lightsail_client.instances.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "FAIL"
 report.status_extended = (
 f"Instance '{instance.name}' does not have automated snapshots enabled."
diff --git a/prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.py b/prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.py
index 8ca62eb73e0..ba49fc337a5 100644
--- a/prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.py
+++ b/prowler/providers/aws/services/lightsail/lightsail_instance_public/lightsail_instance_public.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 for instance in lightsail_client.instances.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=instance
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=instance)
 report.status = "PASS"
 report.status_extended = (
 f"Instance '{instance.name}' is not publicly exposed."
diff --git a/prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.py b/prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.py
index 94dc986acf4..52b43347632 100644
--- a/prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.py
+++ b/prowler/providers/aws/services/lightsail/lightsail_static_ip_unused/lightsail_static_ip_unused.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 for static_ip in lightsail_client.static_ips.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=static_ip
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=static_ip)
 report.status = "FAIL"
 report.status_extended = (
 f"Static IP '{static_ip.name}' is not associated with any instance."
diff --git a/prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.py b/prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.py
index c8552d4e743..f760f5c256c 100644
--- a/prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.py
+++ b/prowler/providers/aws/services/macie/macie_automated_sensitive_data_discovery_enabled/macie_automated_sensitive_data_discovery_enabled.py
@@ -7,9 +7,7 @@ def execute(self):
 findings = []
 for session in macie_client.sessions:
 if session.status == "ENABLED":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=session
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=session)
 report.resource_arn = macie_client._get_session_arn_template(
 session.region
 )
diff --git a/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py b/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py
index 567715de9c8..4264b8c67ae 100644
--- a/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py
+++ b/prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py
@@ -7,9 +7,7 @@ class macie_is_enabled(Check):
 def execute(self):
 findings = []
 for session in macie_client.sessions:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=session
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=session)
 report.resource_arn = macie_client._get_session_arn_template(session.region)
 report.resource_id = macie_client.audited_account
 if session.status == "ENABLED":
diff --git a/prowler/providers/aws/services/memorydb/memorydb_cluster_auto_minor_version_upgrades/memorydb_cluster_auto_minor_version_upgrades.py b/prowler/providers/aws/services/memorydb/memorydb_cluster_auto_minor_version_upgrades/memorydb_cluster_auto_minor_version_upgrades.py
index 9ed1fcf0ac2..f55e7764588 100644
--- a/prowler/providers/aws/services/memorydb/memorydb_cluster_auto_minor_version_upgrades/memorydb_cluster_auto_minor_version_upgrades.py
+++ b/prowler/providers/aws/services/memorydb/memorydb_cluster_auto_minor_version_upgrades/memorydb_cluster_auto_minor_version_upgrades.py
@@ -6,9 +6,7 @@ class memorydb_cluster_auto_minor_version_upgrades(Check):
 def execute(self):
 findings = []
 for cluster in memorydb_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 if cluster.auto_minor_version_upgrade:
 report.status = "PASS"
 report.status_extended = f"Memory DB Cluster {cluster.name} has minor version upgrade enabled."
diff --git a/prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.py b/prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.py
index 5c36d14c7ec..3b0e88ca568 100644
--- a/prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.py
+++ b/prowler/providers/aws/services/mq/mq_broker_active_deployment_mode/mq_broker_active_deployment_mode.py
@@ -8,9 +8,7 @@ def execute(self):
 findings = []
 for broker in mq_client.brokers.values():
 if broker.engine_type == EngineType.ACTIVEMQ:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=broker
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=broker)
 report.status = "FAIL"
 report.status_extended = f"MQ Apache ActiveMQ Broker {broker.name} does not have an active/standby deployment mode."
 if broker.deployment_mode == DeploymentMode.ACTIVE_STANDBY_MULTI_AZ:
diff --git a/prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.py b/prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.py
index fa86105639d..986afecbcb2 100644
--- a/prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.py
+++ b/prowler/providers/aws/services/mq/mq_broker_auto_minor_version_upgrades/mq_broker_auto_minor_version_upgrades.py
@@ -6,9 +6,7 @@ class mq_broker_auto_minor_version_upgrades(Check):
 def execute(self):
 findings = []
 for broker in mq_client.brokers.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=broker
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=broker)
 report.status = "PASS"
 report.status_extended = f"MQ Broker {broker.name} does have automated minor version upgrades enabled."
diff --git a/prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.py b/prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.py
index 13e7ea3bdeb..fe4207a8d9e 100644
--- a/prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.py
+++ b/prowler/providers/aws/services/mq/mq_broker_cluster_deployment_mode/mq_broker_cluster_deployment_mode.py
@@ -20,9 +20,7 @@ def execute(self) -> List[Check_Report_AWS]:
 findings = []
 for broker in mq_client.brokers.values():
 if broker.engine_type == EngineType.RABBITMQ:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=broker
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=broker)
 report.status = "FAIL"
 report.status_extended = f"MQ RabbitMQ Broker {broker.name} does not have a cluster deployment mode."
 if broker.deployment_mode == DeploymentMode.CLUSTER_MULTI_AZ:
diff --git a/prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.py b/prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.py
index 6904bb25613..8df7c70ad57 100644
--- a/prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.py
+++ b/prowler/providers/aws/services/mq/mq_broker_logging_enabled/mq_broker_logging_enabled.py
@@ -16,9 +16,7 @@ def execute(self):
 """
 findings = []
 for broker in mq_client.brokers.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=broker
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=broker)
 report.status = "FAIL"
 report.status_extended = (
 f"MQ Broker {broker.name} does not have logging enabled."
diff --git a/prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.py b/prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.py
index a1de642582b..c6e125d0f98 100644
--- a/prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/mq/mq_broker_not_publicly_accessible/mq_broker_not_publicly_accessible.py
@@ -6,9 +6,7 @@ class mq_broker_not_publicly_accessible(Check):
 def execute(self):
 findings = []
 for broker in mq_client.brokers.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=broker
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=broker)
 report.status = "FAIL"
 report.status_extended = f"MQ Broker {broker.name} is publicly accessible."
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py b/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py
index 1573147feb4..e5c15030cf5 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.py
@@ -6,9 +6,7 @@ class neptune_cluster_backup_enabled(Check):
 def execute(self):
 findings = []
 for cluster in neptune_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.resource_id = cluster.name
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.py b/prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.py
index c144ede995a..8f2767f3655 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.py
@@ -6,9 +6,7 @@ class neptune_cluster_copy_tags_to_snapshots(Check):
 def execute(self):
 findings = []
 for cluster in neptune_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "FAIL"
 report.status_extended = f"Neptune DB Cluster {cluster.id} is not configured to copy tags to snapshots."
 if cluster.copy_tags_to_snapshot:
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.py b/prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.py
index 887cd5756db..603ab15c7f0 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.py
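Review bot: `report.resource_id = cluster.name` is still assigned right after the new constructor call in neptune_cluster_backup_enabled, and the same override survives in the neptune hunks on the following lines (deletion_protection, iam_authentication_enabled, integration_cloudwatch_logs, multi_az, storage_encrypted), while the copy_tags_to_snapshots hunk on this same line relies on whatever the constructor derives from `cluster`. If the constructor now populates `resource_id` from the resource object, as the switch to a `resource=` keyword suggests, the per-check override is either redundant or silently replaces the constructor's value with `cluster.name`, so findings for the same service would be keyed inconsistently depending on which check emitted them. Pick one convention across the Neptune checks: drop the overrides and let the constructor decide, or keep them and say why with `# Neptune findings are keyed by cluster name, not the constructor-derived id` at the first occurrence. execute() continues outside the hunk.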
@@ -6,9 +6,7 @@ class neptune_cluster_deletion_protection(Check):
 def execute(self):
 findings = []
 for cluster in neptune_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.resource_id = cluster.name
 report.status = "FAIL"
 report.status_extended = f"Neptune Cluster {cluster.name} does not have deletion protection enabled."
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.py b/prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.py
index d7a8d391ced..667fdbaf0d7 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.py
@@ -6,9 +6,7 @@ class neptune_cluster_iam_authentication_enabled(Check):
 def execute(self):
 findings = []
 for cluster in neptune_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.resource_id = cluster.name
 report.status = "FAIL"
 report.status_extended = f"Neptune Cluster {cluster.name} does not have IAM authentication enabled."
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.py b/prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.py
index 187577e3cf6..863eb8367ea 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.py
@@ -6,9 +6,7 @@ class neptune_cluster_integration_cloudwatch_logs(Check):
 def execute(self):
 findings = []
 for cluster in neptune_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.resource_id = cluster.name
 report.status = "FAIL"
 report.status_extended = f"Neptune Cluster {cluster.name} does not have cloudwatch audit logs enabled."
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.py b/prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.py
index aa5158741cd..dd62fabb0f4 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.py
@@ -6,9 +6,7 @@ class neptune_cluster_multi_az(Check):
 def execute(self):
 findings = []
 for cluster in neptune_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.resource_id = cluster.name
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.py b/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.py
index ae34d20fdbc..becf6d3f392 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.py
@@ -6,9 +6,7 @@ class neptune_cluster_public_snapshot(Check):
 def execute(self):
 findings = []
 for db_snap in neptune_client.db_cluster_snapshots:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=db_snap
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=db_snap)
 if db_snap.public:
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.py b/prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.py
index e9d11b54aa9..f131d77965c 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.py
@@ -6,9 +6,7 @@ class neptune_cluster_snapshot_encrypted(Check):
 def execute(self):
 findings = []
 for snapshot in neptune_client.db_cluster_snapshots:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=snapshot
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=snapshot)
 report.status = "FAIL"
 report.status_extended = (
 f"Neptune Cluster Snapshot {snapshot.id} is not encrypted at rest."
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.py b/prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.py
index 80333135a17..2007d9bcdae 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.py
@@ -6,9 +6,7 @@ class neptune_cluster_storage_encrypted(Check):
 def execute(self):
 findings = []
 for cluster in neptune_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.resource_id = cluster.name
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.py b/prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.py
index 1f5f8e8b7d4..c8df49f9feb 100644
--- a/prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.py
+++ b/prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.py
@@ -7,9 +7,7 @@ class neptune_cluster_uses_public_subnet(Check):
 def execute(self):
 findings = []
 for cluster in neptune_client.clusters.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=cluster
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=cluster)
 report.status = "PASS"
 report.status_extended = (
 f"Cluster {cluster.id} is not using public subnets."
diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.py
index 89e7951b367..e548d40bb6b 100644
--- a/prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.py
+++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_deletion_protection/networkfirewall_deletion_protection.py
@@ -8,9 +8,7 @@ class networkfirewall_deletion_protection(Check):
 def execute(self):
 findings = []
 for firewall in networkfirewall_client.network_firewalls.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=firewall
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=firewall)
 report.status = "FAIL"
 report.status_extended = f"Network Firewall {firewall.name} does not have deletion protection enabled."
 if firewall.deletion_protection:
diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py
index 97dc2a52f74..93f293c6a39 100644
--- a/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py
+++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py
@@ -10,9 +10,7 @@ def execute(self):
 findings = []
 for vpc in vpc_client.vpcs.values():
 if vpc_client.provider.scan_unused_services or vpc.in_use:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=vpc
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=vpc)
 report.status = "FAIL"
 report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} does not have Network Firewall enabled."
 for firewall in networkfirewall_client.network_firewalls.values():
diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.py
index 7219fac5c75..bdb9fb7cfa9 100644
--- a/prowler/providers/aws/services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.py
+++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_logging_enabled/networkfirewall_logging_enabled.py
@@ -8,9 +8,7 @@ class networkfirewall_logging_enabled(Check): def execute(self): findings = [] for firewall in networkfirewall_client.network_firewalls.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=firewall - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=firewall) report.status = "FAIL" report.status_extended = ( f"Network Firewall {firewall.name} does not have logging enabled." diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_multi_az/networkfirewall_multi_az.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_multi_az/networkfirewall_multi_az.py index 4fd43160662..ad807162e68 100644 --- a/prowler/providers/aws/services/networkfirewall/networkfirewall_multi_az/networkfirewall_multi_az.py +++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_multi_az/networkfirewall_multi_az.py @@ -8,9 +8,7 @@ class networkfirewall_multi_az(Check): def execute(self): findings = [] for firewall in networkfirewall_client.network_firewalls.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=firewall - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=firewall) report.status = "FAIL" report.status_extended = ( f"Network Firewall {firewall.name} is not deployed across multiple AZ." diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_fragmented_packets/networkfirewall_policy_default_action_fragmented_packets.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_fragmented_packets/networkfirewall_policy_default_action_fragmented_packets.py index 9ba80bc73ae..70cb54d580b 100644 --- a/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_fragmented_packets/networkfirewall_policy_default_action_fragmented_packets.py 
+++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_fragmented_packets/networkfirewall_policy_default_action_fragmented_packets.py @@ -8,9 +8,7 @@ class networkfirewall_policy_default_action_fragmented_packets(Check): def execute(self): findings = [] for firewall in networkfirewall_client.network_firewalls.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=firewall - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=firewall) report.status = "FAIL" report.status_extended = f"Network Firewall {firewall.name} policy does not drop or forward fragmented packets by default." diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_full_packets/networkfirewall_policy_default_action_full_packets.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_full_packets/networkfirewall_policy_default_action_full_packets.py index afa4dc71d45..f0b34036fb1 100644 --- a/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_full_packets/networkfirewall_policy_default_action_full_packets.py +++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_default_action_full_packets/networkfirewall_policy_default_action_full_packets.py @@ -8,9 +8,7 @@ class networkfirewall_policy_default_action_full_packets(Check): def execute(self): findings = [] for firewall in networkfirewall_client.network_firewalls.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=firewall - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=firewall) report.status = "FAIL" report.status_extended = f"Network Firewall {firewall.name} policy does not drop or forward full packets by default." 
diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_rule_group_associated/networkfirewall_policy_rule_group_associated.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_rule_group_associated/networkfirewall_policy_rule_group_associated.py index 09d20902169..8eddc56aea7 100644 --- a/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_rule_group_associated/networkfirewall_policy_rule_group_associated.py +++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_policy_rule_group_associated/networkfirewall_policy_rule_group_associated.py @@ -8,9 +8,7 @@ class networkfirewall_policy_rule_group_associated(Check): def execute(self): findings = [] for firewall in networkfirewall_client.network_firewalls.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=firewall - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=firewall) report.status = "PASS" report.status_extended = f"Network Firewall {firewall.name} policy has at least one rule group associated." diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_access_control_enabled/opensearch_service_domains_access_control_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_access_control_enabled/opensearch_service_domains_access_control_enabled.py index b33cb3e9fcf..0f221d9544e 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_access_control_enabled/opensearch_service_domains_access_control_enabled.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_access_control_enabled/opensearch_service_domains_access_control_enabled.py 
@@ -8,9 +8,7 @@ class opensearch_service_domains_access_control_enabled(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "FAIL" report.status_extended = f"Opensearch domain {domain.name} does not have fine grained access control enabled." if domain.advanced_settings_enabled: diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py index b4c17c0f1c6..f58c7cb0d1f 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.py @@ -8,9 +8,7 @@ class opensearch_service_domains_audit_logging_enabled(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "FAIL" report.status_extended = ( f"Opensearch domain {domain.name} AUDIT_LOGS disabled." diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py index 0cda99fc415..95847144a8a 100644 
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.py @@ -8,9 +8,7 @@ class opensearch_service_domains_cloudwatch_logging_enabled(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "FAIL" report.status_extended = f"Opensearch domain {domain.name} SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS disabled." has_SEARCH_SLOW_LOGS = False diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py index 981bf111db1..c27b4ddd322 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.py @@ -8,9 +8,7 @@ class opensearch_service_domains_encryption_at_rest_enabled(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "PASS" report.status_extended = ( f"Opensearch domain {domain.name} has encryption at-rest enabled." 
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_data_nodes/opensearch_service_domains_fault_tolerant_data_nodes.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_data_nodes/opensearch_service_domains_fault_tolerant_data_nodes.py index 1db1154fe84..835cf6c14e4 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_data_nodes/opensearch_service_domains_fault_tolerant_data_nodes.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_data_nodes/opensearch_service_domains_fault_tolerant_data_nodes.py @@ -9,9 +9,7 @@ def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "FAIL" report.status_extended = f"Opensearch domain {domain.name} is not fault tolerant as it has less than 3 data nodes and cross-zone replication (Zone Awareness) is not enabled." diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_master_nodes/opensearch_service_domains_fault_tolerant_master_nodes.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_master_nodes/opensearch_service_domains_fault_tolerant_master_nodes.py index bbce07a90a6..90f5edbc21d 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_master_nodes/opensearch_service_domains_fault_tolerant_master_nodes.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_master_nodes/opensearch_service_domains_fault_tolerant_master_nodes.py 
@@ -8,9 +8,7 @@ class opensearch_service_domains_fault_tolerant_master_nodes(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "PASS" report.status_extended = f"Opensearch domain {domain.name} has {domain.dedicated_master_count} dedicated master nodes, which guarantees fault tolerance on the master nodes." diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py index e7329c6a778..3a07698d5e8 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.py @@ -8,9 +8,7 @@ class opensearch_service_domains_https_communications_enforced(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "PASS" report.status_extended = ( f"Opensearch domain {domain.name} has enforce HTTPS enabled." 
diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py index 0fa93d5f3f2..bf79644116e 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.py @@ -8,9 +8,7 @@ class opensearch_service_domains_internal_user_database_enabled(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "PASS" report.status_extended = f"Opensearch domain {domain.name} does not have internal user database enabled." if domain.internal_user_database: diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py index 6b11b890547..a184f736eaf 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.py 
@@ -8,9 +8,7 @@ class opensearch_service_domains_node_to_node_encryption_enabled(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "PASS" report.status_extended = ( f"Opensearch domain {domain.name} has node-to-node encryption enabled." diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py index dcdcaad19aa..2ffd9c40fb1 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.py @@ -9,9 +9,7 @@ class opensearch_service_domains_not_publicly_accessible(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "PASS" report.status_extended = ( f"Opensearch domain {domain.name} is not publicly accessible." diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py index 8db628e50a4..b33500a58a9 100644 
--- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.py @@ -8,9 +8,7 @@ class opensearch_service_domains_updated_to_the_latest_service_software_version( def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "PASS" report.status_extended = f"Opensearch domain {domain.name} with version {domain.version} does not have internal updates available." if domain.update_available: diff --git a/prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py b/prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py index cd839533ba9..fd222936863 100644 --- a/prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py +++ b/prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.py 
@@ -8,9 +8,7 @@ class opensearch_service_domains_use_cognito_authentication_for_kibana(Check): def execute(self): findings = [] for domain in opensearch_client.opensearch_domains.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=domain - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=domain) report.status = "PASS" report.status_extended = f"Opensearch domain {domain.name} has either Amazon Cognito or SAML authentication for Kibana enabled." if not domain.cognito_options and not domain.saml_enabled: diff --git a/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py b/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py index da090d2358b..74ac5a90c97 100644 --- a/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py +++ b/prowler/providers/aws/services/organizations/organizations_account_part_of_organizations/organizations_account_part_of_organizations.py @@ -10,7 +10,7 @@ def execute(self): if organizations_client.organization: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=organizations_client.organization, + resource=organizations_client.organization, ) if organizations_client.organization.status == "ACTIVE": report.status = "PASS" diff --git a/prowler/providers/aws/services/organizations/organizations_delegated_administrators/organizations_delegated_administrators.py b/prowler/providers/aws/services/organizations/organizations_delegated_administrators/organizations_delegated_administrators.py index 1aa00fa3462..794b527a8ac 100644 --- a/prowler/providers/aws/services/organizations/organizations_delegated_administrators/organizations_delegated_administrators.py 
+++ b/prowler/providers/aws/services/organizations/organizations_delegated_administrators/organizations_delegated_administrators.py @@ -20,7 +20,7 @@ def execute(self): ): report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=organizations_client.organization, + resource=organizations_client.organization, ) report.region = organizations_client.region if ( diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py index f849ac6ced3..5cb5bdf35cf 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py @@ -14,7 +14,7 @@ def execute(self): ): # Access Denied to list_policies report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=organizations_client.organization, + resource=organizations_client.organization, ) report.region = organizations_client.region report.status = "FAIL" diff --git a/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py b/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py index d20996af92a..8de3f30cdda 100644 --- a/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py +++ b/prowler/providers/aws/services/organizations/organizations_scp_check_deny_regions/organizations_scp_check_deny_regions.py 
@@ -17,7 +17,7 @@ def execute(self): ): # Access denied to list policies report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=organizations_client.organization, + resource=organizations_client.organization, ) report.region = organizations_client.region report.status = "FAIL" @@ -33,7 +33,6 @@ def execute(self): for policy in organizations_client.organization.policies.get( "SERVICE_CONTROL_POLICY", [] ): - # Statements are not always list statements = policy.content.get("Statement") if type(policy.content["Statement"]) is not list: diff --git a/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py b/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py index bedc1f05016..d49ff5b3ad2 100644 --- a/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py +++ b/prowler/providers/aws/services/organizations/organizations_tags_policies_enabled_and_attached/organizations_tags_policies_enabled_and_attached.py @@ -14,7 +14,7 @@ def execute(self): ): # Access Denied to list_policies report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=organizations_client.organization, + resource=organizations_client.organization, ) report.region = organizations_client.region report.status = "FAIL" diff --git a/prowler/providers/aws/services/rds/rds_cluster_backtrack_enabled/rds_cluster_backtrack_enabled.py b/prowler/providers/aws/services/rds/rds_cluster_backtrack_enabled/rds_cluster_backtrack_enabled.py index 942c84c7483..ff0e1a81992 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_backtrack_enabled/rds_cluster_backtrack_enabled.py +++ b/prowler/providers/aws/services/rds/rds_cluster_backtrack_enabled/rds_cluster_backtrack_enabled.py 
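Review bot: Removing `# Statements are not always list` in the second hunk leaves the `if type(policy.content["Statement"]) is not list:` branch that follows with no explanation of why it exists (presumably a single-statement policy document carries a dict rather than a list); keep the comment. The lookup is also inconsistent: `statements` is fetched with `.get("Statement")` on the previous line, but the test re-indexes `policy.content["Statement"]`, which raises KeyError for a policy without that key and ignores the value already held. Suggest `statements = policy.content.get("Statement", [])` followed by `if not isinstance(statements, list):`. The loop body continues outside the hunk.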
@@ -8,7 +8,7 @@ def execute(self): for db_cluster in rds_client.db_clusters: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=rds_client.db_clusters[db_cluster], + resource=rds_client.db_clusters[db_cluster], ) report.resource_arn = db_cluster report.status = "FAIL" diff --git a/prowler/providers/aws/services/rds/rds_cluster_copy_tags_to_snapshots/rds_cluster_copy_tags_to_snapshots.py b/prowler/providers/aws/services/rds/rds_cluster_copy_tags_to_snapshots/rds_cluster_copy_tags_to_snapshots.py index 0da87cbbda7..2fd69dfb58b 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_copy_tags_to_snapshots/rds_cluster_copy_tags_to_snapshots.py +++ b/prowler/providers/aws/services/rds/rds_cluster_copy_tags_to_snapshots/rds_cluster_copy_tags_to_snapshots.py @@ -6,9 +6,7 @@ class rds_cluster_copy_tags_to_snapshots(Check): def execute(self): findings = [] for db_cluster in rds_client.db_clusters.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_cluster) if db_cluster.copy_tags_to_snapshot: report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/rds_cluster_critical_event_subscription.py b/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/rds_cluster_critical_event_subscription.py index e08e4bf94c3..336d2f3d805 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/rds_cluster_critical_event_subscription.py +++ b/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/rds_cluster_critical_event_subscription.py 
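Review bot: `report.resource_arn = db_cluster` directly after `Check_Report_AWS(metadata=self.metadata(), resource=rds_client.db_clusters[db_cluster])` overwrites the ARN the constructor is now meant to take from the cluster object with the dict key; if the key and the object's arn attribute are the same string the line is redundant, and if they differ the commit's goal of populating resource metadata from the object is silently undone for this check. Either drop the override or add a comment naming the discrepancy it covers. Iterating `rds_client.db_clusters.values()` as the other rds hunks in this commit do would also remove the repeated `rds_client.db_clusters[db_cluster]` lookups. execute() continues outside the hunk.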
@@ -7,16 +7,14 @@ def execute(self): findings = [] if rds_client.provider.scan_unused_services or rds_client.db_clusters: for db_event in rds_client.db_event_subscriptions: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_event - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_event) report.status = "FAIL" report.status_extended = "RDS cluster event categories of maintenance and failure are not subscribed." report.resource_id = rds_client.audited_account report.resource_arn = rds_client._get_rds_arn_template(db_event.region) if db_event.source_type == "db-cluster" and db_event.enabled: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_event + metadata=self.metadata(), resource=db_event ) if db_event.event_list == [] or set(db_event.event_list) == { "maintenance", diff --git a/prowler/providers/aws/services/rds/rds_cluster_default_admin/rds_cluster_default_admin.py b/prowler/providers/aws/services/rds/rds_cluster_default_admin/rds_cluster_default_admin.py index 514c5219e0f..6d1ef569191 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_default_admin/rds_cluster_default_admin.py +++ b/prowler/providers/aws/services/rds/rds_cluster_default_admin/rds_cluster_default_admin.py @@ -8,7 +8,7 @@ def execute(self): for db_cluster in rds_client.db_clusters: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=rds_client.db_clusters[db_cluster], + resource=rds_client.db_clusters[db_cluster], ) report.status = "FAIL" report.status_extended = f"RDS Cluster {rds_client.db_clusters[db_cluster].id} is using the default master username." diff --git a/prowler/providers/aws/services/rds/rds_cluster_deletion_protection/rds_cluster_deletion_protection.py b/prowler/providers/aws/services/rds/rds_cluster_deletion_protection/rds_cluster_deletion_protection.py index 0f469b59f27..4e98ea783b4 100644 
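Review bot: The second `report = Check_Report_AWS(metadata=self.metadata(), resource=db_event)` inside the `if db_event.source_type == "db-cluster" and db_event.enabled:` branch discards the outer report, including the `report.resource_id = rds_client.audited_account` and `report.resource_arn = rds_client._get_rds_arn_template(db_event.region)` assignments made two lines earlier, so the two paths of the same check now attribute findings to different resources (the account-level ARN on the not-subscribed path versus whatever the constructor derives from `db_event` on the other). If both paths should describe the same resource, reuse the outer report and only set status and status_extended in the branch; if the divergence is intentional, a comment on the inner construction should say so. The rest of the branch continues outside the hunk.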
--- a/prowler/providers/aws/services/rds/rds_cluster_deletion_protection/rds_cluster_deletion_protection.py +++ b/prowler/providers/aws/services/rds/rds_cluster_deletion_protection/rds_cluster_deletion_protection.py @@ -8,7 +8,7 @@ def execute(self): for db_cluster in rds_client.db_clusters: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=rds_client.db_clusters[db_cluster], + resource=rds_client.db_clusters[db_cluster], ) report.status = "FAIL" report.status_extended = f"RDS Cluster {rds_client.db_clusters[db_cluster].id} does not have deletion protection enabled." diff --git a/prowler/providers/aws/services/rds/rds_cluster_iam_authentication_enabled/rds_cluster_iam_authentication_enabled.py b/prowler/providers/aws/services/rds/rds_cluster_iam_authentication_enabled/rds_cluster_iam_authentication_enabled.py index de5d6ff12a9..a48d0cff053 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_iam_authentication_enabled/rds_cluster_iam_authentication_enabled.py +++ b/prowler/providers/aws/services/rds/rds_cluster_iam_authentication_enabled/rds_cluster_iam_authentication_enabled.py @@ -20,7 +20,7 @@ def execute(self): ): report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=rds_client.db_clusters[db_cluster], + resource=rds_client.db_clusters[db_cluster], ) if rds_client.db_clusters[db_cluster].iam_auth: diff --git a/prowler/providers/aws/services/rds/rds_cluster_integration_cloudwatch_logs/rds_cluster_integration_cloudwatch_logs.py b/prowler/providers/aws/services/rds/rds_cluster_integration_cloudwatch_logs/rds_cluster_integration_cloudwatch_logs.py index 5eaad4f2d80..ca15d30961a 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_integration_cloudwatch_logs/rds_cluster_integration_cloudwatch_logs.py +++ b/prowler/providers/aws/services/rds/rds_cluster_integration_cloudwatch_logs/rds_cluster_integration_cloudwatch_logs.py 
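Review bot: In the rds_cluster_deletion_protection hunk the loop still iterates dict keys and re-indexes `rds_client.db_clusters[db_cluster]` both for `resource=` and again inside the f-string, whereas the other rds hunks in this commit iterate `.values()` and pass the object directly. For consistency and fewer lookups: `for db_cluster in rds_client.db_clusters.values():`, `resource=db_cluster,` and `f"RDS Cluster {db_cluster.id} does not have deletion protection enabled."`. The same pattern appears in the iam_authentication hunk on this line. execute() continues outside the hunk.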
@@ -8,9 +8,7 @@ def execute(self): valid_engines = ["aurora-mysql", "aurora-postgresql", "mysql", "postgres"] for db_cluster in rds_client.db_clusters.values(): if db_cluster.engine in valid_engines: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_cluster) if db_cluster.cloudwatch_logs: report.status = "PASS" report.status_extended = f"RDS Cluster {db_cluster.id} is shipping {', '.join(db_cluster.cloudwatch_logs)} logs to CloudWatch Logs." diff --git a/prowler/providers/aws/services/rds/rds_cluster_minor_version_upgrade_enabled/rds_cluster_minor_version_upgrade_enabled.py b/prowler/providers/aws/services/rds/rds_cluster_minor_version_upgrade_enabled/rds_cluster_minor_version_upgrade_enabled.py index a66652ed7b3..b356496310c 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_minor_version_upgrade_enabled/rds_cluster_minor_version_upgrade_enabled.py +++ b/prowler/providers/aws/services/rds/rds_cluster_minor_version_upgrade_enabled/rds_cluster_minor_version_upgrade_enabled.py @@ -10,7 +10,7 @@ def execute(self): if rds_client.db_clusters[db_cluster].multi_az: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=rds_client.db_clusters[db_cluster], + resource=rds_client.db_clusters[db_cluster], ) if rds_client.db_clusters[db_cluster].auto_minor_version_upgrade: report.status = "PASS" diff --git a/prowler/providers/aws/services/rds/rds_cluster_multi_az/rds_cluster_multi_az.py b/prowler/providers/aws/services/rds/rds_cluster_multi_az/rds_cluster_multi_az.py index bee3c506696..e1eb93f6511 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_multi_az/rds_cluster_multi_az.py +++ b/prowler/providers/aws/services/rds/rds_cluster_multi_az/rds_cluster_multi_az.py 
@@ -6,9 +6,7 @@ class rds_cluster_multi_az(Check): def execute(self): findings = [] for db_cluster in rds_client.db_clusters.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_cluster) report.status = "FAIL" report.status_extended = ( f"RDS Cluster {db_cluster.id} does not have multi-AZ enabled." diff --git a/prowler/providers/aws/services/rds/rds_cluster_non_default_port/rds_cluster_non_default_port.py b/prowler/providers/aws/services/rds/rds_cluster_non_default_port/rds_cluster_non_default_port.py index fae5074224b..6cc836c57b2 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_non_default_port/rds_cluster_non_default_port.py +++ b/prowler/providers/aws/services/rds/rds_cluster_non_default_port/rds_cluster_non_default_port.py @@ -13,9 +13,7 @@ def execute(self): 50000: ["db2"], } for db_cluster in rds_client.db_clusters.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_cluster) report.status = "PASS" report.status_extended = ( f"RDS Cluster {db_cluster.id} is not using the default port " diff --git a/prowler/providers/aws/services/rds/rds_cluster_protected_by_backup_plan/rds_cluster_protected_by_backup_plan.py b/prowler/providers/aws/services/rds/rds_cluster_protected_by_backup_plan/rds_cluster_protected_by_backup_plan.py index 38b922c4f47..1ac366d0eaf 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_protected_by_backup_plan/rds_cluster_protected_by_backup_plan.py +++ b/prowler/providers/aws/services/rds/rds_cluster_protected_by_backup_plan/rds_cluster_protected_by_backup_plan.py 
@@ -7,9 +7,7 @@ class rds_cluster_protected_by_backup_plan(Check): def execute(self): findings = [] for db_cluster in rds_client.db_clusters.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_cluster) report.status = "FAIL" report.status_extended = ( f"RDS Cluster {db_cluster.id} is not protected by a backup plan." diff --git a/prowler/providers/aws/services/rds/rds_cluster_storage_encrypted/rds_cluster_storage_encrypted.py b/prowler/providers/aws/services/rds/rds_cluster_storage_encrypted/rds_cluster_storage_encrypted.py index 72a2ba4ebc3..a609fc35d5f 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_storage_encrypted/rds_cluster_storage_encrypted.py +++ b/prowler/providers/aws/services/rds/rds_cluster_storage_encrypted/rds_cluster_storage_encrypted.py @@ -6,9 +6,7 @@ class rds_cluster_storage_encrypted(Check): def execute(self): findings = [] for db_cluster in rds_client.db_clusters.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_cluster) if db_cluster.encrypted: report.status = "PASS" report.status_extended = f"RDS cluster {db_cluster.id} is encrypted." diff --git a/prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.py b/prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.py index b10d84fabd7..ff9c28d6eca 100644 --- a/prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.py +++ b/prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.py 
@@ -6,9 +6,7 @@ class rds_instance_backup_enabled(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) if db_instance.backup_retention_period > 0: report.status = "PASS" report.status_extended = f"RDS Instance {db_instance.id} has backup enabled with retention period {db_instance.backup_retention_period} days." diff --git a/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py b/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py index d2b7be0bcf6..877ed7cd79a 100644 --- a/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py +++ b/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.py @@ -15,9 +15,7 @@ class rds_instance_certificate_expiration(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) report.status = "FAIL" report.check_metadata.Severity = Severity.critical report.status_extended = ( diff --git a/prowler/providers/aws/services/rds/rds_instance_copy_tags_to_snapshots/rds_instance_copy_tags_to_snapshots.py b/prowler/providers/aws/services/rds/rds_instance_copy_tags_to_snapshots/rds_instance_copy_tags_to_snapshots.py index d1b2a5162c1..9bb8366895a 100644 --- a/prowler/providers/aws/services/rds/rds_instance_copy_tags_to_snapshots/rds_instance_copy_tags_to_snapshots.py +++ b/prowler/providers/aws/services/rds/rds_instance_copy_tags_to_snapshots/rds_instance_copy_tags_to_snapshots.py 
@@ -12,7 +12,7 @@ def execute(self): "aurora-postgresql", ]: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance + metadata=self.metadata(), resource=db_instance ) if db_instance.copy_tags_to_snapshot: report.status = "PASS" diff --git a/prowler/providers/aws/services/rds/rds_instance_critical_event_subscription/rds_instance_critical_event_subscription.py b/prowler/providers/aws/services/rds/rds_instance_critical_event_subscription/rds_instance_critical_event_subscription.py index 282d24ae1b3..e2f379232b5 100644 --- a/prowler/providers/aws/services/rds/rds_instance_critical_event_subscription/rds_instance_critical_event_subscription.py +++ b/prowler/providers/aws/services/rds/rds_instance_critical_event_subscription/rds_instance_critical_event_subscription.py @@ -7,9 +7,7 @@ def execute(self): findings = [] if rds_client.provider.scan_unused_services or rds_client.db_instances: for db_event in rds_client.db_event_subscriptions: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_event - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_event) report.status = "FAIL" report.status_extended = "RDS instance event categories of maintenance, configuration change, and failure are not subscribed." report.resource_id = rds_client.audited_account @@ -18,7 +16,7 @@ def execute(self): report.resource_tags = db_event.tags if db_event.source_type == "db-instance" and db_event.enabled: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_event + metadata=self.metadata(), resource=db_event ) if db_event.event_list == [] or set(db_event.event_list) == { "maintenance", diff --git a/prowler/providers/aws/services/rds/rds_instance_default_admin/rds_instance_default_admin.py b/prowler/providers/aws/services/rds/rds_instance_default_admin/rds_instance_default_admin.py index f08aaa33d0e..9df6d8e8fef 100644 
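Review bot: In rds_instance_critical_event_subscription the identity the constructor now takes from `db_event` is immediately overwritten by `report.resource_id = rds_client.audited_account`, and when the `if db_event.source_type == "db-instance" and db_event.enabled` branch is taken a second `Check_Report_AWS(metadata=self.metadata(), resource=db_event)` replaces the report, discarding that override together with `report.resource_tags = db_event.tags`. The FAIL finding is therefore attributed to the account while the branch's finding is attributed to the subscription, which makes the same check report under two different resource identities; pick one identity and build the report once, setting only `status`/`status_extended` in the branch. The same double construction is in rds_instance_event_subscription_parameter_groups and rds_instance_event_subscription_security_groups, and the latter sets `report.resource_tags = []` where the others use `db_event.tags`. The branch body continues outside the hunk.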
--- a/prowler/providers/aws/services/rds/rds_instance_default_admin/rds_instance_default_admin.py +++ b/prowler/providers/aws/services/rds/rds_instance_default_admin/rds_instance_default_admin.py @@ -6,9 +6,7 @@ class rds_instance_default_admin(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) # Check if is member of a cluster if db_instance.cluster_id: if ( diff --git a/prowler/providers/aws/services/rds/rds_instance_deletion_protection/rds_instance_deletion_protection.py b/prowler/providers/aws/services/rds/rds_instance_deletion_protection/rds_instance_deletion_protection.py index a7b87d725ac..29d37653adf 100644 --- a/prowler/providers/aws/services/rds/rds_instance_deletion_protection/rds_instance_deletion_protection.py +++ b/prowler/providers/aws/services/rds/rds_instance_deletion_protection/rds_instance_deletion_protection.py @@ -6,9 +6,7 @@ class rds_instance_deletion_protection(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) # Check if is member of a cluster if db_instance.cluster_id: if ( diff --git a/prowler/providers/aws/services/rds/rds_instance_deprecated_engine_version/rds_instance_deprecated_engine_version.py b/prowler/providers/aws/services/rds/rds_instance_deprecated_engine_version/rds_instance_deprecated_engine_version.py index 182c66ffe5d..6bfbb9d5f6a 100644 --- a/prowler/providers/aws/services/rds/rds_instance_deprecated_engine_version/rds_instance_deprecated_engine_version.py +++ b/prowler/providers/aws/services/rds/rds_instance_deprecated_engine_version/rds_instance_deprecated_engine_version.py 
@@ -6,9 +6,7 @@ class rds_instance_deprecated_engine_version(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) report.status = "FAIL" report.status_extended = f"RDS instance {db_instance.id} is using a deprecated engine {db_instance.engine} with version {db_instance.engine_version}." if ( diff --git a/prowler/providers/aws/services/rds/rds_instance_enhanced_monitoring_enabled/rds_instance_enhanced_monitoring_enabled.py b/prowler/providers/aws/services/rds/rds_instance_enhanced_monitoring_enabled/rds_instance_enhanced_monitoring_enabled.py index 37354b0586c..846ad5c1081 100644 --- a/prowler/providers/aws/services/rds/rds_instance_enhanced_monitoring_enabled/rds_instance_enhanced_monitoring_enabled.py +++ b/prowler/providers/aws/services/rds/rds_instance_enhanced_monitoring_enabled/rds_instance_enhanced_monitoring_enabled.py @@ -6,9 +6,7 @@ class rds_instance_enhanced_monitoring_enabled(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) if db_instance.enhanced_monitoring_arn: report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/aws/services/rds/rds_instance_event_subscription_parameter_groups/rds_instance_event_subscription_parameter_groups.py b/prowler/providers/aws/services/rds/rds_instance_event_subscription_parameter_groups/rds_instance_event_subscription_parameter_groups.py index 820099011df..02026316596 100644 --- a/prowler/providers/aws/services/rds/rds_instance_event_subscription_parameter_groups/rds_instance_event_subscription_parameter_groups.py 
+++ b/prowler/providers/aws/services/rds/rds_instance_event_subscription_parameter_groups/rds_instance_event_subscription_parameter_groups.py @@ -7,9 +7,7 @@ def execute(self): findings = [] if rds_client.provider.scan_unused_services or rds_client.db_instances: for db_event in rds_client.db_event_subscriptions: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_event - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_event) report.status = "FAIL" report.status_extended = "RDS parameter group event categories of configuration change is not subscribed." report.resource_id = rds_client.audited_account @@ -21,7 +19,7 @@ def execute(self): "configuration change", ]: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_event + metadata=self.metadata(), resource=db_event ) report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/aws/services/rds/rds_instance_event_subscription_security_groups/rds_instance_event_subscription_security_groups.py b/prowler/providers/aws/services/rds/rds_instance_event_subscription_security_groups/rds_instance_event_subscription_security_groups.py index c98a306cc67..6bc69f0dc74 100644 --- a/prowler/providers/aws/services/rds/rds_instance_event_subscription_security_groups/rds_instance_event_subscription_security_groups.py +++ b/prowler/providers/aws/services/rds/rds_instance_event_subscription_security_groups/rds_instance_event_subscription_security_groups.py 
@@ -7,9 +7,7 @@ def execute(self): findings = [] if rds_client.provider.scan_unused_services or rds_client.db_instances: for db_event in rds_client.db_event_subscriptions: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_event - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_event) report.status = "FAIL" report.status_extended = "RDS security group event categories of configuration change and failure are not subscribed." report.resource_id = rds_client.audited_account @@ -17,7 +15,7 @@ def execute(self): report.resource_tags = [] if db_event.source_type == "db-security-group" and db_event.enabled: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_event + metadata=self.metadata(), resource=db_event ) if db_event.event_list == [] or set(db_event.event_list) == { "failure", diff --git a/prowler/providers/aws/services/rds/rds_instance_iam_authentication_enabled/rds_instance_iam_authentication_enabled.py b/prowler/providers/aws/services/rds/rds_instance_iam_authentication_enabled/rds_instance_iam_authentication_enabled.py index d448be4e719..a9e64ca8f93 100644 --- a/prowler/providers/aws/services/rds/rds_instance_iam_authentication_enabled/rds_instance_iam_authentication_enabled.py +++ b/prowler/providers/aws/services/rds/rds_instance_iam_authentication_enabled/rds_instance_iam_authentication_enabled.py @@ -16,7 +16,7 @@ def execute(self): for db_instance in rds_client.db_instances.values(): if any(engine in db_instance.engine for engine in supported_engines): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance + metadata=self.metadata(), resource=db_instance ) # Check if is member of a cluster if db_instance.cluster_id: diff --git a/prowler/providers/aws/services/rds/rds_instance_inside_vpc/rds_instance_inside_vpc.py b/prowler/providers/aws/services/rds/rds_instance_inside_vpc/rds_instance_inside_vpc.py index 60b8374ad0c..2a43979112e 100644 
--- a/prowler/providers/aws/services/rds/rds_instance_inside_vpc/rds_instance_inside_vpc.py +++ b/prowler/providers/aws/services/rds/rds_instance_inside_vpc/rds_instance_inside_vpc.py @@ -6,9 +6,7 @@ class rds_instance_inside_vpc(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) if db_instance.vpc_id: report.status = "PASS" report.status_extended = f"RDS Instance {db_instance.id} is deployed in a VPC {db_instance.vpc_id}." diff --git a/prowler/providers/aws/services/rds/rds_instance_integration_cloudwatch_logs/rds_instance_integration_cloudwatch_logs.py b/prowler/providers/aws/services/rds/rds_instance_integration_cloudwatch_logs/rds_instance_integration_cloudwatch_logs.py index 7d086676fd3..7018943487f 100644 --- a/prowler/providers/aws/services/rds/rds_instance_integration_cloudwatch_logs/rds_instance_integration_cloudwatch_logs.py +++ b/prowler/providers/aws/services/rds/rds_instance_integration_cloudwatch_logs/rds_instance_integration_cloudwatch_logs.py @@ -6,9 +6,7 @@ class rds_instance_integration_cloudwatch_logs(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) if db_instance.cloudwatch_logs: report.status = "PASS" report.status_extended = f"RDS Instance {db_instance.id} is shipping {', '.join(db_instance.cloudwatch_logs)} logs to CloudWatch Logs." diff --git a/prowler/providers/aws/services/rds/rds_instance_minor_version_upgrade_enabled/rds_instance_minor_version_upgrade_enabled.py b/prowler/providers/aws/services/rds/rds_instance_minor_version_upgrade_enabled/rds_instance_minor_version_upgrade_enabled.py index 4673d048137..5ddf4c0df90 100644 
--- a/prowler/providers/aws/services/rds/rds_instance_minor_version_upgrade_enabled/rds_instance_minor_version_upgrade_enabled.py +++ b/prowler/providers/aws/services/rds/rds_instance_minor_version_upgrade_enabled/rds_instance_minor_version_upgrade_enabled.py @@ -6,9 +6,7 @@ class rds_instance_minor_version_upgrade_enabled(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) if db_instance.auto_minor_version_upgrade: report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/aws/services/rds/rds_instance_multi_az/rds_instance_multi_az.py b/prowler/providers/aws/services/rds/rds_instance_multi_az/rds_instance_multi_az.py index b86e7371495..0563f024396 100644 --- a/prowler/providers/aws/services/rds/rds_instance_multi_az/rds_instance_multi_az.py +++ b/prowler/providers/aws/services/rds/rds_instance_multi_az/rds_instance_multi_az.py @@ -6,9 +6,7 @@ class rds_instance_multi_az(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) # Check if is member of a cluster if db_instance.cluster_id: if ( diff --git a/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py b/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py index f2a4940c18e..e5db667c623 100644 --- a/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py +++ b/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py 
@@ -9,9 +9,7 @@ class rds_instance_no_public_access(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) report.status = "PASS" report.status_extended = ( f"RDS Instance {db_instance.id} is not publicly accessible." diff --git a/prowler/providers/aws/services/rds/rds_instance_non_default_port/rds_instance_non_default_port.py b/prowler/providers/aws/services/rds/rds_instance_non_default_port/rds_instance_non_default_port.py index 50fc81bb27d..8a9072800a8 100644 --- a/prowler/providers/aws/services/rds/rds_instance_non_default_port/rds_instance_non_default_port.py +++ b/prowler/providers/aws/services/rds/rds_instance_non_default_port/rds_instance_non_default_port.py @@ -13,9 +13,7 @@ def execute(self): 50000: ["db2"], } for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) report.status = "PASS" report.status_extended = ( f"RDS Instance {db_instance.id} is not using the default port " diff --git a/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.py b/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.py index 7b37ed00c3c..284ac013f84 100644 --- a/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.py +++ b/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.py 
@@ -7,9 +7,7 @@ class rds_instance_protected_by_backup_plan(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) # Makes sure the instance is not running with an Aurora engine # Aurora backup plans require enabling it separately from RDS if db_instance.engine not in [ diff --git a/prowler/providers/aws/services/rds/rds_instance_storage_encrypted/rds_instance_storage_encrypted.py b/prowler/providers/aws/services/rds/rds_instance_storage_encrypted/rds_instance_storage_encrypted.py index 3fc696d7f25..cf3cd176f1d 100644 --- a/prowler/providers/aws/services/rds/rds_instance_storage_encrypted/rds_instance_storage_encrypted.py +++ b/prowler/providers/aws/services/rds/rds_instance_storage_encrypted/rds_instance_storage_encrypted.py @@ -6,9 +6,7 @@ class rds_instance_storage_encrypted(Check): def execute(self): findings = [] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) if db_instance.encrypted: report.status = "PASS" report.status_extended = f"RDS Instance {db_instance.id} is encrypted." diff --git a/prowler/providers/aws/services/rds/rds_instance_transport_encrypted/rds_instance_transport_encrypted.py b/prowler/providers/aws/services/rds/rds_instance_transport_encrypted/rds_instance_transport_encrypted.py index ef1e570f0d3..2663c5ea227 100644 --- a/prowler/providers/aws/services/rds/rds_instance_transport_encrypted/rds_instance_transport_encrypted.py +++ b/prowler/providers/aws/services/rds/rds_instance_transport_encrypted/rds_instance_transport_encrypted.py 
@@ -17,9 +17,7 @@ def execute(self): "aurora-mysql", ] for db_instance in rds_client.db_instances.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_instance - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_instance) report.status = "FAIL" report.status_extended = ( f"RDS Instance {db_instance.id} connections are not encrypted." @@ -58,7 +56,7 @@ def execute(self): for db_cluster in rds_client.db_clusters: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=rds_client.db_clusters[db_cluster], + resource=rds_client.db_clusters[db_cluster], ) report.status = "FAIL" report.status_extended = f"RDS Cluster {rds_client.db_clusters[db_cluster].id} connections are not encrypted." diff --git a/prowler/providers/aws/services/rds/rds_snapshots_encrypted/rds_snapshots_encrypted.py b/prowler/providers/aws/services/rds/rds_snapshots_encrypted/rds_snapshots_encrypted.py index 6eb6b48fc1a..d61ee9408b6 100644 --- a/prowler/providers/aws/services/rds/rds_snapshots_encrypted/rds_snapshots_encrypted.py +++ b/prowler/providers/aws/services/rds/rds_snapshots_encrypted/rds_snapshots_encrypted.py @@ -6,9 +6,7 @@ class rds_snapshots_encrypted(Check): def execute(self): findings = [] for db_snap in rds_client.db_snapshots: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_snap - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_snap) if db_snap.encrypted: report.status = "PASS" report.status_extended = ( @@ -23,9 +21,7 @@ def execute(self): findings.append(report) for db_snap in rds_client.db_cluster_snapshots: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_snap - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_snap) if db_snap.encrypted: report.status = "PASS" report.status_extended = ( 
diff --git a/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.py b/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.py index 536edfcd50b..2687c860be7 100644 --- a/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.py +++ b/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.py @@ -6,9 +6,7 @@ class rds_snapshots_public_access(Check): def execute(self): findings = [] for db_snap in rds_client.db_snapshots: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_snap - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_snap) if db_snap.public: report.status = "FAIL" report.status_extended = ( @@ -23,9 +21,7 @@ def execute(self): findings.append(report) for db_snap in rds_client.db_cluster_snapshots: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=db_snap - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=db_snap) if db_snap.public: report.status = "FAIL" report.status_extended = f"RDS Cluster Snapshot {db_snap.id} is public." diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.py b/prowler/providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.py index cbb3f5d5b3f..9b09c50ecc9 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.py +++ b/prowler/providers/aws/services/redshift/redshift_cluster_audit_logging/redshift_cluster_audit_logging.py 
@@ -6,9 +6,7 @@ class redshift_cluster_audit_logging(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "PASS" report.status_extended = ( f"Redshift Cluster {cluster.id} has audit logging enabled." diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_automated_snapshot/redshift_cluster_automated_snapshot.py b/prowler/providers/aws/services/redshift/redshift_cluster_automated_snapshot/redshift_cluster_automated_snapshot.py index 0f4d70140cd..c735c6fcc21 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_automated_snapshot/redshift_cluster_automated_snapshot.py +++ b/prowler/providers/aws/services/redshift/redshift_cluster_automated_snapshot/redshift_cluster_automated_snapshot.py @@ -6,9 +6,7 @@ class redshift_cluster_automated_snapshot(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "PASS" report.status_extended = ( f"Redshift Cluster {cluster.id} has automated snapshots enabled." diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_automatic_upgrades/redshift_cluster_automatic_upgrades.py b/prowler/providers/aws/services/redshift/redshift_cluster_automatic_upgrades/redshift_cluster_automatic_upgrades.py index 333a2e48b83..8748922cbbd 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_automatic_upgrades/redshift_cluster_automatic_upgrades.py +++ b/prowler/providers/aws/services/redshift/redshift_cluster_automatic_upgrades/redshift_cluster_automatic_upgrades.py 
@@ -6,9 +6,7 @@ class redshift_cluster_automatic_upgrades(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "PASS" report.status_extended = ( f"Redshift Cluster {cluster.id} has AllowVersionUpgrade enabled." diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_encrypted_at_rest/redshift_cluster_encrypted_at_rest.py b/prowler/providers/aws/services/redshift/redshift_cluster_encrypted_at_rest/redshift_cluster_encrypted_at_rest.py index 3bf0fd7acfa..11f37f0ce56 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_encrypted_at_rest/redshift_cluster_encrypted_at_rest.py +++ b/prowler/providers/aws/services/redshift/redshift_cluster_encrypted_at_rest/redshift_cluster_encrypted_at_rest.py @@ -6,9 +6,7 @@ class redshift_cluster_encrypted_at_rest(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "FAIL" report.status_extended = ( f"Redshift Cluster {cluster.id} is not encrypted at rest." diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_enhanced_vpc_routing/redshift_cluster_enhanced_vpc_routing.py b/prowler/providers/aws/services/redshift/redshift_cluster_enhanced_vpc_routing/redshift_cluster_enhanced_vpc_routing.py index d0ada32aecf..56c16766c2c 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_enhanced_vpc_routing/redshift_cluster_enhanced_vpc_routing.py +++ b/prowler/providers/aws/services/redshift/redshift_cluster_enhanced_vpc_routing/redshift_cluster_enhanced_vpc_routing.py 
@@ -6,9 +6,7 @@ class redshift_cluster_enhanced_vpc_routing(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "FAIL" report.status_extended = f"Redshift Cluster {cluster.id} does not have Enhanced VPC Routing security feature enabled." if cluster.enhanced_vpc_routing: diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_in_transit_encryption_enabled/redshift_cluster_in_transit_encryption_enabled.py b/prowler/providers/aws/services/redshift/redshift_cluster_in_transit_encryption_enabled/redshift_cluster_in_transit_encryption_enabled.py index e6a927dfa81..01b3ea134ca 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_in_transit_encryption_enabled/redshift_cluster_in_transit_encryption_enabled.py +++ b/prowler/providers/aws/services/redshift/redshift_cluster_in_transit_encryption_enabled/redshift_cluster_in_transit_encryption_enabled.py @@ -6,9 +6,7 @@ class redshift_cluster_in_transit_encryption_enabled(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "FAIL" report.status_extended = ( f"Redshift Cluster {cluster.id} is not encrypted in transit." diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_multi_az_enabled/redshift_cluster_multi_az_enabled.py b/prowler/providers/aws/services/redshift/redshift_cluster_multi_az_enabled/redshift_cluster_multi_az_enabled.py index d37abfff59b..63500e03603 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_multi_az_enabled/redshift_cluster_multi_az_enabled.py 
+++ b/prowler/providers/aws/services/redshift/redshift_cluster_multi_az_enabled/redshift_cluster_multi_az_enabled.py @@ -6,9 +6,7 @@ class redshift_cluster_multi_az_enabled(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "FAIL" report.status_extended = ( f"Redshift Cluster {cluster.id} does not have Multi-AZ enabled." diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_non_default_database_name/redshift_cluster_non_default_database_name.py b/prowler/providers/aws/services/redshift/redshift_cluster_non_default_database_name/redshift_cluster_non_default_database_name.py index 4e68f47ca91..2744d15e6ae 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_non_default_database_name/redshift_cluster_non_default_database_name.py +++ b/prowler/providers/aws/services/redshift/redshift_cluster_non_default_database_name/redshift_cluster_non_default_database_name.py @@ -6,9 +6,7 @@ class redshift_cluster_non_default_database_name(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "PASS" report.status_extended = f"Redshift Cluster {cluster.id} does not have the default database name." if cluster.database_name == "dev": diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_non_default_username/redshift_cluster_non_default_username.py b/prowler/providers/aws/services/redshift/redshift_cluster_non_default_username/redshift_cluster_non_default_username.py index c43b0d1a763..2994103e9b5 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_non_default_username/redshift_cluster_non_default_username.py 
+++ b/prowler/providers/aws/services/redshift/redshift_cluster_non_default_username/redshift_cluster_non_default_username.py @@ -6,9 +6,7 @@ class redshift_cluster_non_default_username(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "PASS" report.status_extended = f"Redshift Cluster {cluster.id} does not have the default Admin username." if cluster.master_username == "awsuser": diff --git a/prowler/providers/aws/services/redshift/redshift_cluster_public_access/redshift_cluster_public_access.py b/prowler/providers/aws/services/redshift/redshift_cluster_public_access/redshift_cluster_public_access.py index 97806be213c..2b4e00c8d3b 100644 --- a/prowler/providers/aws/services/redshift/redshift_cluster_public_access/redshift_cluster_public_access.py +++ b/prowler/providers/aws/services/redshift/redshift_cluster_public_access/redshift_cluster_public_access.py @@ -9,9 +9,7 @@ class redshift_cluster_public_access(Check): def execute(self): findings = [] for cluster in redshift_client.clusters: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=cluster) report.status = "PASS" report.status_extended = ( f"Redshift Cluster {cluster.id} is not publicly accessible." diff --git a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py index 1550c7f85bb..c0249cf8850 100644 --- a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py 
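Review bot: With `resource=cluster` the whole Redshift cluster model is now attached to the report, and this check shows the model carries `master_username`; if the output writers serialize the attached resource wholesale, admin usernames (and any endpoint or secret-adjacent fields the model may hold) will appear in every finding file, which is more than a compliance report should export. Confirm that the outputs emit an allow-listed projection of the resource rather than the full object, or document in the model which fields are exported. The same consideration applies to the RDS instance and cluster models used throughout this page. execute() continues outside the hunk.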
+++ b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py @@ -10,7 +10,7 @@ def execute(self): if resource_explorer_2_client.indexes is not None: report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=resource_explorer_2_client.indexes, + resource=resource_explorer_2_client.indexes, ) report.status = "FAIL" report.status_extended = "No Resource Explorer Indexes found." diff --git a/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py b/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py index 5b02f2e821d..dca63d47ef5 100644 --- a/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py +++ b/prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py @@ -29,7 +29,7 @@ def execute(self) -> Check_Report_AWS: # Check if record is an IP Address if validate_ip_address(record): report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=record_set + metadata=self.metadata(), resource=record_set ) report.resource_id = ( f"{record_set.hosted_zone_id}/{record_set.name}/{record}" diff --git a/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py b/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py index 2c5230eb7ab..b86eb8381af 100644 --- a/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py +++ b/prowler/providers/aws/services/route53/route53_domains_privacy_protection_enabled/route53_domains_privacy_protection_enabled.py 
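Review bot: In resourceexplorer2_indexes_found the new line `resource=resource_explorer_2_client.indexes` hands the constructor a collection rather than a single resource; if the constructor derives `resource_id`/`resource_arn`/`region` by attribute lookup on the object (as the other checks rely on), a list provides none of them and this finding is emitted with blank identity unless the lines after the hunk set them explicitly. Since the finding is account-scoped ("No Resource Explorer Indexes found."), set `report.resource_id` to the audited account right after construction, as the RDS event-subscription checks on this page do, or add a comment stating that passing the container is intentional. The rest of execute() is outside the hunk.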
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 for domain in route53domains_client.domains.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=domain
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=domain)
 if domain.admin_privacy:
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py b/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py
index de4cc10bd55..e2fd3832315 100644
--- a/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py
+++ b/prowler/providers/aws/services/route53/route53_domains_transferlock_enabled/route53_domains_transferlock_enabled.py
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_AWS:
 findings = []
 for domain in route53domains_client.domains.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=domain
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=domain)
 if domain.status_list and "clientTransferProhibited" in domain.status_list:
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.py b/prowler/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.py
index 49223542b4f..aed2b60633d 100644
--- a/prowler/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.py
+++ b/prowler/providers/aws/services/route53/route53_public_hosted_zones_cloudwatch_logging_enabled/route53_public_hosted_zones_cloudwatch_logging_enabled.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_AWS:
 for hosted_zone in route53_client.hosted_zones.values():
 if not hosted_zone.private_zone:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=hosted_zone
+ metadata=self.metadata(), resource=hosted_zone
 )
 if (
 hosted_zone.logging_config
diff --git a/prowler/providers/aws/services/s3/s3_access_point_public_access_block/s3_access_point_public_access_block.py b/prowler/providers/aws/services/s3/s3_access_point_public_access_block/s3_access_point_public_access_block.py
index e366580cc5f..0eb1f9c45e4 100644
--- a/prowler/providers/aws/services/s3/s3_access_point_public_access_block/s3_access_point_public_access_block.py
+++ b/prowler/providers/aws/services/s3/s3_access_point_public_access_block/s3_access_point_public_access_block.py
@@ -6,9 +6,7 @@ class s3_access_point_public_access_block(Check):
 def execute(self):
 findings = []
 for access_point in s3control_client.access_points.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=access_point
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=access_point)
 report.status = "PASS"
 report.status_extended = f"Access Point {access_point.name} of bucket {access_point.bucket} does have Public Access Block enabled."
diff --git a/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py b/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py
index 88359622102..5e027c15102 100644
--- a/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py
+++ b/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks.py
@@ -8,7 +8,7 @@ def execute(self):
 findings = []
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=s3control_client.account_public_access_block,
+ resource=s3control_client.account_public_access_block,
 )
 if (
 s3control_client.account_public_access_block
diff --git a/prowler/providers/aws/services/s3/s3_bucket_acl_prohibited/s3_bucket_acl_prohibited.py b/prowler/providers/aws/services/s3/s3_bucket_acl_prohibited/s3_bucket_acl_prohibited.py
index ae96350c564..031d822047d 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_acl_prohibited/s3_bucket_acl_prohibited.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_acl_prohibited/s3_bucket_acl_prohibited.py
@@ -6,9 +6,7 @@ class s3_bucket_acl_prohibited(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "FAIL"
 report.status_extended = f"S3 Bucket {bucket.name} has bucket ACLs enabled."
 if bucket.ownership:
diff --git a/prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py b/prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py
index 37b820365de..a98483c7671 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_cross_account_access/s3_bucket_cross_account_access.py
@@ -7,9 +7,7 @@ class s3_bucket_cross_account_access(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "PASS"
 report.status_extended = f"S3 Bucket {bucket.name} has a bucket policy but it does not allow cross account access."
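Review bot: In the s3_account_level_public_access_blocks hunk the report is constructed from `s3control_client.account_public_access_block` before the `if (` on the following line tests whether that object is actually set, so the account-level finding can be built from an absent resource. If the constructor derives `resource_id`/`resource_arn`/`region` from the passed object, a "not configured" finding would then be emitted with empty identifiers, which makes it hard to attribute in the outputs this series is enabling; consider setting `report.resource_id` to the account id explicitly in that branch, or only passing `resource=` when the block configuration is present. The remainder of `execute` is outside the hunk, so I cannot see whether the identifiers are already filled in further down. The three s3_bucket_public_* hunks that pass the same object are guarded by the enclosing `if` and do not share this concern.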
diff --git a/prowler/providers/aws/services/s3/s3_bucket_cross_region_replication/s3_bucket_cross_region_replication.py b/prowler/providers/aws/services/s3/s3_bucket_cross_region_replication/s3_bucket_cross_region_replication.py
index 498549db8df..21c33ed895d 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_cross_region_replication/s3_bucket_cross_region_replication.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_cross_region_replication/s3_bucket_cross_region_replication.py
@@ -6,9 +6,7 @@ class s3_bucket_cross_region_replication(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "FAIL"
 report.status_extended = f"S3 Bucket {bucket.name} does not have correct cross region replication configuration."
 if bucket.replication_rules:
diff --git a/prowler/providers/aws/services/s3/s3_bucket_default_encryption/s3_bucket_default_encryption.py b/prowler/providers/aws/services/s3/s3_bucket_default_encryption/s3_bucket_default_encryption.py
index 7a6ba134c24..00caec593ce 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_default_encryption/s3_bucket_default_encryption.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_default_encryption/s3_bucket_default_encryption.py
@@ -6,9 +6,7 @@ class s3_bucket_default_encryption(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 if bucket.encryption:
 report.status = "PASS"
 report.status_extended = f"S3 Bucket {bucket.name} has Server Side Encryption with {bucket.encryption}."
diff --git a/prowler/providers/aws/services/s3/s3_bucket_event_notifications_enabled/s3_bucket_event_notifications_enabled.py b/prowler/providers/aws/services/s3/s3_bucket_event_notifications_enabled/s3_bucket_event_notifications_enabled.py
index e017a5d383d..605b68d29e6 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_event_notifications_enabled/s3_bucket_event_notifications_enabled.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_event_notifications_enabled/s3_bucket_event_notifications_enabled.py
@@ -18,9 +18,7 @@ def execute(self) -> list[Check_Report_AWS]:
 """
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "FAIL"
 report.status_extended = (
 f"S3 Bucket {bucket.name} does not have event notifications enabled."
diff --git a/prowler/providers/aws/services/s3/s3_bucket_kms_encryption/s3_bucket_kms_encryption.py b/prowler/providers/aws/services/s3/s3_bucket_kms_encryption/s3_bucket_kms_encryption.py
index 83fde210721..78c2a88a577 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_kms_encryption/s3_bucket_kms_encryption.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_kms_encryption/s3_bucket_kms_encryption.py
@@ -6,9 +6,7 @@ class s3_bucket_kms_encryption(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 if bucket.encryption == "aws:kms" or bucket.encryption == "aws:kms:dsse":
 report.status = "PASS"
 report.status_extended = f"S3 Bucket {bucket.name} has Server Side Encryption with {bucket.encryption}."
diff --git a/prowler/providers/aws/services/s3/s3_bucket_level_public_access_block/s3_bucket_level_public_access_block.py b/prowler/providers/aws/services/s3/s3_bucket_level_public_access_block/s3_bucket_level_public_access_block.py
index 4ac3242a52b..d335c4ff800 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_level_public_access_block/s3_bucket_level_public_access_block.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_level_public_access_block/s3_bucket_level_public_access_block.py
@@ -8,9 +8,7 @@ def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
 if bucket.public_access_block:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "PASS"
 report.status_extended = f"Block Public Access is configured for the S3 Bucket {bucket.name}."
 if not (
diff --git a/prowler/providers/aws/services/s3/s3_bucket_lifecycle_enabled/s3_bucket_lifecycle_enabled.py b/prowler/providers/aws/services/s3/s3_bucket_lifecycle_enabled/s3_bucket_lifecycle_enabled.py
index 51d93151418..9649916db83 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_lifecycle_enabled/s3_bucket_lifecycle_enabled.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_lifecycle_enabled/s3_bucket_lifecycle_enabled.py
@@ -6,9 +6,7 @@ class s3_bucket_lifecycle_enabled(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "FAIL"
 report.status_extended = f"S3 Bucket {bucket.name} does not have a lifecycle configuration enabled."
diff --git a/prowler/providers/aws/services/s3/s3_bucket_no_mfa_delete/s3_bucket_no_mfa_delete.py b/prowler/providers/aws/services/s3/s3_bucket_no_mfa_delete/s3_bucket_no_mfa_delete.py
index d5a232f1196..8df0877e821 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_no_mfa_delete/s3_bucket_no_mfa_delete.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_no_mfa_delete/s3_bucket_no_mfa_delete.py
@@ -6,9 +6,7 @@ class s3_bucket_no_mfa_delete(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 if bucket.mfa_delete:
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/s3/s3_bucket_object_lock/s3_bucket_object_lock.py b/prowler/providers/aws/services/s3/s3_bucket_object_lock/s3_bucket_object_lock.py
index 7e1db9830d0..1795c0e273f 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_object_lock/s3_bucket_object_lock.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_object_lock/s3_bucket_object_lock.py
@@ -6,9 +6,7 @@ class s3_bucket_object_lock(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 if bucket.object_lock:
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/s3/s3_bucket_object_versioning/s3_bucket_object_versioning.py b/prowler/providers/aws/services/s3/s3_bucket_object_versioning/s3_bucket_object_versioning.py
index f3a72b923e0..27e88635ff3 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_object_versioning/s3_bucket_object_versioning.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_object_versioning/s3_bucket_object_versioning.py
@@ -6,9 +6,7 @@ class s3_bucket_object_versioning(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 if bucket.versioning:
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py b/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
index 4437859a465..4fef8cf3305 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_policy_public_write_access/s3_bucket_policy_public_write_access.py
@@ -8,9 +8,7 @@ class s3_bucket_policy_public_write_access(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 # Check if bucket policy allow public write access
 if not bucket.policy:
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py b/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py
index 68816740f4c..8a779588632 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_public_access/s3_bucket_public_access.py
@@ -15,7 +15,7 @@ def execute(self):
 ):
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=s3control_client.account_public_access_block,
+ resource=s3control_client.account_public_access_block,
 )
 report.status = "PASS"
 report.status_extended = "All S3 public access blocked at account level."
@@ -27,9 +27,7 @@ def execute(self):
 # 2. If public access is not blocked at account level, check it at each bucket level
 for bucket in s3_client.buckets.values():
 if bucket.public_access_block:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "PASS"
 report.status_extended = f"S3 Bucket {bucket.name} is not public."
 if not (
diff --git a/prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py b/prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py
index 66b265f7d11..cd27f256436 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_public_list_acl/s3_bucket_public_list_acl.py
@@ -14,7 +14,7 @@ def execute(self):
 ):
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=s3control_client.account_public_access_block,
+ resource=s3control_client.account_public_access_block,
 )
 report.status = "PASS"
 report.status_extended = "All S3 public access blocked at account level."
@@ -26,9 +26,7 @@ def execute(self):
 # 2. If public access is not blocked at account level, check it at each bucket level
 for bucket in s3_client.buckets.values():
 if bucket.public_access_block:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "PASS"
 report.status_extended = (
 f"S3 Bucket {bucket.name} is not publicly listable."
diff --git a/prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py b/prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py
index 83eef25ceb0..becb8d0db04 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_public_write_acl/s3_bucket_public_write_acl.py
@@ -14,7 +14,7 @@ def execute(self):
 ):
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=s3control_client.account_public_access_block,
+ resource=s3control_client.account_public_access_block,
 )
 report.status = "PASS"
 report.status_extended = "All S3 public access blocked at account level."
@@ -26,9 +26,7 @@ def execute(self):
 # 2. If public access is not blocked at account level, check it at each bucket level
 for bucket in s3_client.buckets.values():
 if bucket.public_access_block:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 report.status = "PASS"
 report.status_extended = (
 f"S3 Bucket {bucket.name} is not publicly writable."
diff --git a/prowler/providers/aws/services/s3/s3_bucket_secure_transport_policy/s3_bucket_secure_transport_policy.py b/prowler/providers/aws/services/s3/s3_bucket_secure_transport_policy/s3_bucket_secure_transport_policy.py
index b31a5aca59e..8ad706a5f7e 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_secure_transport_policy/s3_bucket_secure_transport_policy.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_secure_transport_policy/s3_bucket_secure_transport_policy.py
@@ -6,9 +6,7 @@ class s3_bucket_secure_transport_policy(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 # Check if bucket policy enforces SSL
 if not bucket.policy:
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/s3/s3_bucket_server_access_logging_enabled/s3_bucket_server_access_logging_enabled.py b/prowler/providers/aws/services/s3/s3_bucket_server_access_logging_enabled/s3_bucket_server_access_logging_enabled.py
index f27c68db9a1..a500432d62a 100644
--- a/prowler/providers/aws/services/s3/s3_bucket_server_access_logging_enabled/s3_bucket_server_access_logging_enabled.py
+++ b/prowler/providers/aws/services/s3/s3_bucket_server_access_logging_enabled/s3_bucket_server_access_logging_enabled.py
@@ -6,9 +6,7 @@ class s3_bucket_server_access_logging_enabled(Check):
 def execute(self):
 findings = []
 for bucket in s3_client.buckets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=bucket
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=bucket)
 if bucket.logging:
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/s3/s3_multi_region_access_point_public_access_block/s3_multi_region_access_point_public_access_block.py b/prowler/providers/aws/services/s3/s3_multi_region_access_point_public_access_block/s3_multi_region_access_point_public_access_block.py
index b517197ce16..d570e2fc391 100644
--- a/prowler/providers/aws/services/s3/s3_multi_region_access_point_public_access_block/s3_multi_region_access_point_public_access_block.py
+++ b/prowler/providers/aws/services/s3/s3_multi_region_access_point_public_access_block/s3_multi_region_access_point_public_access_block.py
@@ -19,7 +19,7 @@ def execute(self):
 findings = []
 for mr_access_point in s3control_client.multi_region_access_points.values():
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=mr_access_point
+ metadata=self.metadata(), resource=mr_access_point
 )
 report.status = "PASS"
 report.status_extended = f"S3 Multi Region Access Point {mr_access_point.name} of buckets {', '.join(mr_access_point.buckets)} does have Public Access Block enabled."
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_prod_variant_instances/sagemaker_endpoint_config_prod_variant_instances.py b/prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_prod_variant_instances/sagemaker_endpoint_config_prod_variant_instances.py
index fa772136b0e..3b16ca0e79d 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_prod_variant_instances/sagemaker_endpoint_config_prod_variant_instances.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_endpoint_config_prod_variant_instances/sagemaker_endpoint_config_prod_variant_instances.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 for endpoint_config in sagemaker_client.endpoint_configs.values():
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=endpoint_config
+ metadata=self.metadata(), resource=endpoint_config
 )
 report.status = "PASS"
 report.status_extended = f"Sagemaker Endpoint Config {endpoint_config.name} has all production variants with more than one initial instance."
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_models_network_isolation_enabled/sagemaker_models_network_isolation_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_models_network_isolation_enabled/sagemaker_models_network_isolation_enabled.py
index 769dbc9ebea..8a86e3c240f 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_models_network_isolation_enabled/sagemaker_models_network_isolation_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_models_network_isolation_enabled/sagemaker_models_network_isolation_enabled.py
@@ -6,7 +6,7 @@ class sagemaker_models_network_isolation_enabled(Check):
 def execute(self):
 findings = []
 for model in sagemaker_client.sagemaker_models:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=model)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=model)
 report.status = "PASS"
 report.status_extended = f"Sagemaker notebook instance {model.name} has network isolation enabled."
 if not model.network_isolation:
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_models_vpc_settings_configured/sagemaker_models_vpc_settings_configured.py b/prowler/providers/aws/services/sagemaker/sagemaker_models_vpc_settings_configured/sagemaker_models_vpc_settings_configured.py
index 7995dde1cb8..ede24a3250f 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_models_vpc_settings_configured/sagemaker_models_vpc_settings_configured.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_models_vpc_settings_configured/sagemaker_models_vpc_settings_configured.py
@@ -6,7 +6,7 @@ class sagemaker_models_vpc_settings_configured(Check):
 def execute(self):
 findings = []
 for model in sagemaker_client.sagemaker_models:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=model)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=model)
 report.status = "PASS"
 report.status_extended = (
 f"Sagemaker notebook instance {model.name} has VPC settings enabled."
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py
index b17f6e1db38..90b3b292eb0 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_encryption_enabled/sagemaker_notebook_instance_encryption_enabled.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 for notebook_instance in sagemaker_client.sagemaker_notebook_instances:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=notebook_instance
+ metadata=self.metadata(), resource=notebook_instance
 )
 report.status = "PASS"
 report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has data encryption enabled."
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_root_access_disabled/sagemaker_notebook_instance_root_access_disabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_root_access_disabled/sagemaker_notebook_instance_root_access_disabled.py
index c45a03956b1..091534ce759 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_root_access_disabled/sagemaker_notebook_instance_root_access_disabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_root_access_disabled/sagemaker_notebook_instance_root_access_disabled.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 for notebook_instance in sagemaker_client.sagemaker_notebook_instances:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=notebook_instance
+ metadata=self.metadata(), resource=notebook_instance
 )
 report.status = "PASS"
 report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has root access disabled."
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_vpc_settings_configured/sagemaker_notebook_instance_vpc_settings_configured.py b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_vpc_settings_configured/sagemaker_notebook_instance_vpc_settings_configured.py
index fb2a4c23568..d8c38dff401 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_vpc_settings_configured/sagemaker_notebook_instance_vpc_settings_configured.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_vpc_settings_configured/sagemaker_notebook_instance_vpc_settings_configured.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 for notebook_instance in sagemaker_client.sagemaker_notebook_instances:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=notebook_instance
+ metadata=self.metadata(), resource=notebook_instance
 )
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.py b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.py
index 1fffbf9e421..8acfee1522d 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_notebook_instance_without_direct_internet_access_configured/sagemaker_notebook_instance_without_direct_internet_access_configured.py
@@ -7,7 +7,7 @@ def execute(self):
 findings = []
 for notebook_instance in sagemaker_client.sagemaker_notebook_instances:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=notebook_instance
+ metadata=self.metadata(), resource=notebook_instance
 )
 report.status = "PASS"
 report.status_extended = f"Sagemaker notebook instance {notebook_instance.name} has direct internet access disabled."
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_intercontainer_encryption_enabled/sagemaker_training_jobs_intercontainer_encryption_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_intercontainer_encryption_enabled/sagemaker_training_jobs_intercontainer_encryption_enabled.py
index 32d782b1b26..7bbe394dcb4 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_intercontainer_encryption_enabled/sagemaker_training_jobs_intercontainer_encryption_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_intercontainer_encryption_enabled/sagemaker_training_jobs_intercontainer_encryption_enabled.py
@@ -6,9 +6,7 @@ class sagemaker_training_jobs_intercontainer_encryption_enabled(Check):
 def execute(self):
 findings = []
 for training_job in sagemaker_client.sagemaker_training_jobs:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=training_job
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=training_job)
 report.status = "PASS"
 report.status_extended = f"Sagemaker training job {training_job.name} has intercontainer encryption enabled."
 if not training_job.container_traffic_encryption:
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_network_isolation_enabled/sagemaker_training_jobs_network_isolation_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_network_isolation_enabled/sagemaker_training_jobs_network_isolation_enabled.py
index b86878d9301..c23c61928e0 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_network_isolation_enabled/sagemaker_training_jobs_network_isolation_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_network_isolation_enabled/sagemaker_training_jobs_network_isolation_enabled.py
@@ -6,9 +6,7 @@ class sagemaker_training_jobs_network_isolation_enabled(Check):
 def execute(self):
 findings = []
 for training_job in sagemaker_client.sagemaker_training_jobs:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=training_job
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=training_job)
 report.status = "PASS"
 report.status_extended = f"Sagemaker training job {training_job.name} has network isolation enabled."
 if not training_job.network_isolation:
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_volume_and_output_encryption_enabled/sagemaker_training_jobs_volume_and_output_encryption_enabled.py b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_volume_and_output_encryption_enabled/sagemaker_training_jobs_volume_and_output_encryption_enabled.py
index cdf62235f5d..55064f522df 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_volume_and_output_encryption_enabled/sagemaker_training_jobs_volume_and_output_encryption_enabled.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_volume_and_output_encryption_enabled/sagemaker_training_jobs_volume_and_output_encryption_enabled.py
@@ -6,9 +6,7 @@ class sagemaker_training_jobs_volume_and_output_encryption_enabled(Check):
 def execute(self):
 findings = []
 for training_job in sagemaker_client.sagemaker_training_jobs:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=training_job
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=training_job)
 report.status = "PASS"
 report.status_extended = f"Sagemaker training job {training_job.name} has KMS encryption enabled."
 if not training_job.volume_kms_key_id:
diff --git a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_vpc_settings_configured/sagemaker_training_jobs_vpc_settings_configured.py b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_vpc_settings_configured/sagemaker_training_jobs_vpc_settings_configured.py
index 29d8de35e56..e397eec4d8f 100644
--- a/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_vpc_settings_configured/sagemaker_training_jobs_vpc_settings_configured.py
+++ b/prowler/providers/aws/services/sagemaker/sagemaker_training_jobs_vpc_settings_configured/sagemaker_training_jobs_vpc_settings_configured.py
@@ -6,9 +6,7 @@ class sagemaker_training_jobs_vpc_settings_configured(Check):
 def execute(self):
 findings = []
 for training_job in sagemaker_client.sagemaker_training_jobs:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=training_job
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=training_job)
 report.status = "PASS"
 report.status_extended = f"Sagemaker training job {training_job.name} has VPC settings for the training job volume and output enabled."
 if not training_job.vpc_config_subnets:
diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_automatic_rotation_enabled/secretsmanager_automatic_rotation_enabled.py b/prowler/providers/aws/services/secretsmanager/secretsmanager_automatic_rotation_enabled/secretsmanager_automatic_rotation_enabled.py
index 955a0f2863e..e3c41c04972 100644
--- a/prowler/providers/aws/services/secretsmanager/secretsmanager_automatic_rotation_enabled/secretsmanager_automatic_rotation_enabled.py
+++ b/prowler/providers/aws/services/secretsmanager/secretsmanager_automatic_rotation_enabled/secretsmanager_automatic_rotation_enabled.py
@@ -8,9 +8,7 @@ class secretsmanager_automatic_rotation_enabled(Check):
 def execute(self):
 findings = []
 for secret in secretsmanager_client.secrets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=secret
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=secret)
 if secret.rotation_enabled:
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.py b/prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.py
index 11cb22bdd8e..8c8601d158f 100644
--- a/prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.py
@@ -9,9 +9,7 @@ class secretsmanager_not_publicly_accessible(Check):
 def execute(self):
 findings = []
 for secret in secretsmanager_client.secrets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=secret
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=secret)
 report.status = "PASS"
 report.status_extended = (
 f"SecretsManager secret {secret.name} is not publicly accessible."
diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_rotated_periodically/secretsmanager_secret_rotated_periodically.py b/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_rotated_periodically/secretsmanager_secret_rotated_periodically.py
index a058e686f16..400bbde7e35 100644
--- a/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_rotated_periodically/secretsmanager_secret_rotated_periodically.py
+++ b/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_rotated_periodically/secretsmanager_secret_rotated_periodically.py
@@ -25,9 +25,7 @@ def execute(self) -> List[Check_Report_AWS]:
 """
 findings = []
 for secret in secretsmanager_client.secrets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=secret
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=secret)
 report.status = "PASS"
 report.status_extended = f"Secret {secret.name} was last rotated on {secret.last_rotated_date.strftime('%B %d, %Y')}."

diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused.py b/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused.py
index 3a415b9ffdc..5ce89b94922 100644
--- a/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused.py
+++ b/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused.py
@@ -10,9 +10,7 @@ class secretsmanager_secret_unused(Check):
 def execute(self):
 findings = []
 for secret in secretsmanager_client.secrets.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=secret
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=secret)
 report.status = "PASS"
 report.status_extended = f"Secret {secret.name} has been accessed recently, last accessed on {secret.last_accessed_date.strftime('%B %d, %Y')}."
diff --git a/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py b/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py
index d36c98c9df8..c5cbb4d2a4b 100644
--- a/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py
+++ b/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled.py
@@ -8,9 +8,7 @@ class securityhub_enabled(Check):
 def execute(self):
 findings = []
 for securityhub in securityhub_client.securityhubs:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=securityhub
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=securityhub)
 if securityhub.status == "ACTIVE":
 report.status = "PASS"
 if securityhub.standards:
diff --git a/prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.py b/prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.py
index 85484c462fe..1cd9965b080 100644
--- a/prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.py
+++ b/prowler/providers/aws/services/servicecatalog/servicecatalog_portfolio_shared_within_organization_only/servicecatalog_portfolio_shared_within_organization_only.py
@@ -17,7 +17,7 @@ def execute(self):
 for portfolio in servicecatalog_client.portfolios.values():
 if portfolio.shares is not None:
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=portfolio
+ metadata=self.metadata(), resource=portfolio
 )
 report.status = "PASS"
 report.status_extended = f"ServiceCatalog Portfolio {portfolio.name} is shared within your AWS Organization."
diff --git a/prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.py b/prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.py
index 395c19663fd..0238de01a70 100644
--- a/prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.py
@@ -7,9 +7,7 @@ class ses_identity_not_publicly_accessible(Check):
 def execute(self):
 findings = []
 for identity in ses_client.email_identities.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=identity
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=identity)
 report.status = "PASS"
 report.status_extended = (
 f"SES identity {identity.name} is not publicly accessible."
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips.py
index 3539fa5aa1e..af28b03739e 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_associated_elastic_ips/shield_advanced_protection_in_associated_elastic_ips.py
@@ -8,9 +8,7 @@ def execute(self):
 findings = []
 if shield_client.enabled:
 for elastic_ip in ec2_client.elastic_ips:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=elastic_ip
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=elastic_ip)
 report.region = shield_client.region
 report.resource_id = elastic_ip.allocation_id
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers.py
index 3194fb5c167..0e583e4cdd2 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_classic_load_balancers/shield_advanced_protection_in_classic_load_balancers.py
@@ -8,9 +8,7 @@ def execute(self):
 findings = []
 if shield_client.enabled:
 for lb in elb_client.loadbalancers.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=lb
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=lb)
 report.region = shield_client.region
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions.py
index bf5d3a2a7ca..e4c0f561572 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_cloudfront_distributions/shield_advanced_protection_in_cloudfront_distributions.py
@@ -11,7 +11,7 @@ def execute(self):
 if shield_client.enabled:
 for distribution in cloudfront_client.distributions.values():
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=distribution
+ metadata=self.metadata(), resource=distribution
 )
 report.region = shield_client.region
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators.py
index 6c28414e13d..1eea874b582 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_global_accelerators/shield_advanced_protection_in_global_accelerators.py
@@ -11,7 +11,7 @@ def execute(self):
 if shield_client.enabled:
 for accelerator in globalaccelerator_client.accelerators.values():
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=accelerator
+ metadata=self.metadata(), resource=accelerator
 )
 report.region = shield_client.region
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers.py
index d6eb56b9ca5..afcd2670919 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_internet_facing_load_balancers/shield_advanced_protection_in_internet_facing_load_balancers.py
@@ -9,9 +9,7 @@ def execute(self):
 if shield_client.enabled:
 for elbv2_arn, elbv2 in elbv2_client.loadbalancersv2.items():
 if elbv2.type == "application" and elbv2.scheme == "internet-facing":
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=elbv2
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=elbv2)
 report.region = shield_client.region
 report.status = "FAIL"
 report.status_extended = f"ELBv2 ALB {elbv2.name} is not protected by AWS Shield Advanced."
diff --git a/prowler/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones.py b/prowler/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones.py
index 54d52722fd2..ee8ac97bf6d 100644
--- a/prowler/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones.py
+++ b/prowler/providers/aws/services/shield/shield_advanced_protection_in_route53_hosted_zones/shield_advanced_protection_in_route53_hosted_zones.py
@@ -9,7 +9,7 @@ def execute(self):
 if shield_client.enabled:
 for hosted_zone in route53_client.hosted_zones.values():
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=hosted_zone
+ metadata=self.metadata(), resource=hosted_zone
 )
 report.region = shield_client.region
 report.status = "FAIL"
diff --git a/prowler/providers/aws/services/sns/sns_subscription_not_using_http_endpoints/sns_subscription_not_using_http_endpoints.py b/prowler/providers/aws/services/sns/sns_subscription_not_using_http_endpoints/sns_subscription_not_using_http_endpoints.py
index 322d426597e..b84a506ecfd 100644
--- a/prowler/providers/aws/services/sns/sns_subscription_not_using_http_endpoints/sns_subscription_not_using_http_endpoints.py
+++ b/prowler/providers/aws/services/sns/sns_subscription_not_using_http_endpoints/sns_subscription_not_using_http_endpoints.py
@@ -10,7 +10,7 @@ def execute(self):
 if subscription.arn == "PendingConfirmation":
 continue
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=subscription
+ metadata=self.metadata(), resource=subscription
 )
 report.resource_details = topic.arn
 report.status = "PASS"
diff --git a/prowler/providers/aws/services/sns/sns_topics_kms_encryption_at_rest_enabled/sns_topics_kms_encryption_at_rest_enabled.py b/prowler/providers/aws/services/sns/sns_topics_kms_encryption_at_rest_enabled/sns_topics_kms_encryption_at_rest_enabled.py
index 9c2693b54af..86aa0df3f6a 100644
--- a/prowler/providers/aws/services/sns/sns_topics_kms_encryption_at_rest_enabled/sns_topics_kms_encryption_at_rest_enabled.py
+++ b/prowler/providers/aws/services/sns/sns_topics_kms_encryption_at_rest_enabled/sns_topics_kms_encryption_at_rest_enabled.py
@@ -6,7 +6,7 @@ class sns_topics_kms_encryption_at_rest_enabled(Check):
 def execute(self):
 findings = []
 for topic in sns_client.topics:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=topic)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=topic)
 report.status = "PASS"
 report.status_extended = f"SNS topic {topic.name} is encrypted."
 if not topic.kms_master_key_id:
diff --git a/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py b/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py
index 3fcc59137c1..536bf4f800a 100644
--- a/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/sns/sns_topics_not_publicly_accessible/sns_topics_not_publicly_accessible.py
@@ -10,7 +10,7 @@ class sns_topics_not_publicly_accessible(Check):
 def execute(self):
 findings = []
 for topic in sns_client.topics:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=topic)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=topic)
 report.status = "PASS"
 report.status_extended = (
 f"SNS topic {topic.name} is not publicly accessible."
diff --git a/prowler/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.py b/prowler/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.py
index 5d13ab9d57b..9db9c8e76f7 100644
--- a/prowler/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/sqs/sqs_queues_not_publicly_accessible/sqs_queues_not_publicly_accessible.py
@@ -7,7 +7,7 @@ class sqs_queues_not_publicly_accessible(Check):
 def execute(self):
 findings = []
 for queue in sqs_client.queues:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=queue)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=queue)
 report.status = "PASS"
 report.status_extended = f"SQS queue {queue.id} is not public."
 if queue.policy:
diff --git a/prowler/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled.py b/prowler/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled.py
index 93f752952c0..12df21f58a4 100644
--- a/prowler/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled.py
+++ b/prowler/providers/aws/services/sqs/sqs_queues_server_side_encryption_enabled/sqs_queues_server_side_encryption_enabled.py
@@ -6,7 +6,7 @@ class sqs_queues_server_side_encryption_enabled(Check):
 def execute(self):
 findings = []
 for queue in sqs_client.queues:
- report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=queue)
+ report = Check_Report_AWS(metadata=self.metadata(), resource=queue)
 report.status = "PASS"
 report.status_extended = (
 f"SQS queue {queue.id} is using Server Side Encryption."
diff --git a/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.py b/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.py
index 08cdb337bf0..12d983f936f 100644
--- a/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.py
+++ b/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.py
@@ -12,9 +12,7 @@ def execute(self):
 "secrets_ignore_patterns", []
 )
 for document in ssm_client.documents.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=document
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=document)
 report.status = "PASS"
 report.status_extended = (
 f"No secrets found in SSM Document {document.name}."
diff --git a/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.py b/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.py
index 960ff1eef59..96dd85f0f3c 100644
--- a/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.py
+++ b/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.py
@@ -6,9 +6,7 @@ class ssm_documents_set_as_public(Check):
 def execute(self):
 findings = []
 for document in ssm_client.documents.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=document
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=document)
 trusted_account_ids = ssm_client.audit_config.get("trusted_account_ids", [])
 if ssm_client.audited_account not in trusted_account_ids:
 trusted_account_ids.append(ssm_client.audited_account)
diff --git a/prowler/providers/aws/services/ssm/ssm_managed_compliant_patching/ssm_managed_compliant_patching.py b/prowler/providers/aws/services/ssm/ssm_managed_compliant_patching/ssm_managed_compliant_patching.py
index f757386aaa0..95c83bd40ff 100644
--- a/prowler/providers/aws/services/ssm/ssm_managed_compliant_patching/ssm_managed_compliant_patching.py
+++ b/prowler/providers/aws/services/ssm/ssm_managed_compliant_patching/ssm_managed_compliant_patching.py
@@ -8,9 +8,7 @@ class ssm_managed_compliant_patching(Check):
 def execute(self):
 findings = []
 for resource in ssm_client.compliance_resources.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=resource
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=resource)
 # Find tags of the instance in ec2_client
 for instance in ec2_client.instances:
 if instance.id == resource.id:
diff --git a/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py b/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py
index 3e0204b805b..2eb2739c31c 100644
--- a/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py
+++ b/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py
@@ -10,7 +10,7 @@ def execute(self):
 if ssmincidents_client.replication_set is not None:
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=ssmincidents_client.replication_set,
+ resource=ssmincidents_client.replication_set,
 )
 report.status = "FAIL"
 report.status_extended = "No SSM Incidents replication set exists."
diff --git a/prowler/providers/aws/services/stepfunctions/stepfunctions_statemachine_logging_enabled/stepfunctions_statemachine_logging_enabled.py b/prowler/providers/aws/services/stepfunctions/stepfunctions_statemachine_logging_enabled/stepfunctions_statemachine_logging_enabled.py
index f7ac29332e7..f5dc00e1217 100644
--- a/prowler/providers/aws/services/stepfunctions/stepfunctions_statemachine_logging_enabled/stepfunctions_statemachine_logging_enabled.py
+++ b/prowler/providers/aws/services/stepfunctions/stepfunctions_statemachine_logging_enabled/stepfunctions_statemachine_logging_enabled.py
@@ -29,9 +29,7 @@ def execute(self) -> List[Check_Report_AWS]:
 """
 findings = []
 for state_machine in stepfunctions_client.state_machines.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=state_machine
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=state_machine)
 report.status = "PASS"
 report.status_extended = f"Step Functions state machine {state_machine.name} has logging enabled."

diff --git a/prowler/providers/aws/services/storagegateway/storagegateway_fileshare_encryption_enabled/storagegateway_fileshare_encryption_enabled.py b/prowler/providers/aws/services/storagegateway/storagegateway_fileshare_encryption_enabled/storagegateway_fileshare_encryption_enabled.py
index cdd1306a518..acadbf7f967 100644
--- a/prowler/providers/aws/services/storagegateway/storagegateway_fileshare_encryption_enabled/storagegateway_fileshare_encryption_enabled.py
+++ b/prowler/providers/aws/services/storagegateway/storagegateway_fileshare_encryption_enabled/storagegateway_fileshare_encryption_enabled.py
@@ -8,9 +8,7 @@ class storagegateway_fileshare_encryption_enabled(Check):
 def execute(self):
 findings = []
 for fileshare in storagegateway_client.fileshares:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=fileshare
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=fileshare)
 report.status = "FAIL"
 report.status_extended = (
 f"StorageGateway File Share {fileshare.id} is not using KMS CMK."
diff --git a/prowler/providers/aws/services/storagegateway/storagegateway_gateway_fault_tolerant/storagegateway_gateway_fault_tolerant.py b/prowler/providers/aws/services/storagegateway/storagegateway_gateway_fault_tolerant/storagegateway_gateway_fault_tolerant.py
index 2459a749bda..99976766320 100644
--- a/prowler/providers/aws/services/storagegateway/storagegateway_gateway_fault_tolerant/storagegateway_gateway_fault_tolerant.py
+++ b/prowler/providers/aws/services/storagegateway/storagegateway_gateway_fault_tolerant/storagegateway_gateway_fault_tolerant.py
@@ -8,9 +8,7 @@ class storagegateway_gateway_fault_tolerant(Check):
 def execute(self):
 findings = []
 for gateway in storagegateway_client.gateways:
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=gateway
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=gateway)
 report.status = "FAIL"
 report.status_extended = f"StorageGateway Gateway {gateway.name} may not be fault tolerant as it is hosted on {gateway.environment}."
 if gateway.environment != "EC2":
diff --git a/prowler/providers/aws/services/transfer/transfer_server_in_transit_encryption_enabled/transfer_server_in_transit_encryption_enabled.py b/prowler/providers/aws/services/transfer/transfer_server_in_transit_encryption_enabled/transfer_server_in_transit_encryption_enabled.py
index 24853cf7725..77c3514c824 100644
--- a/prowler/providers/aws/services/transfer/transfer_server_in_transit_encryption_enabled/transfer_server_in_transit_encryption_enabled.py
+++ b/prowler/providers/aws/services/transfer/transfer_server_in_transit_encryption_enabled/transfer_server_in_transit_encryption_enabled.py
@@ -21,9 +21,7 @@ def execute(self) -> List[Check_Report_AWS]:
 """
 findings = []
 for server in transfer_client.servers.values():
- report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_AWS(metadata=self.metadata(), resource=server)
 report.status = "PASS"
 report.status_extended = (
 f"Transfer Server {server.id} does have encryption in transit enabled."
diff --git a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py
index d0301d6b04d..0ca8c5891a3 100644
--- a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py
+++ b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py
@@ -15,7 +15,7 @@ def execute(self):
 check.status != "not_available"
 ): # avoid not_available checks since there are no resources that apply
 report = Check_Report_AWS(
- metadata=self.metadata(), resource_metadata=check
+ metadata=self.metadata(), resource=check
 )
 report.status = "FAIL"
 report.status_extended = f"Trusted Advisor check {check.name} is in state {check.status}."
@@ -25,7 +25,7 @@ def execute(self):
 else:
 report = Check_Report_AWS(
 metadata=self.metadata(),
- resource_metadata=trustedadvisor_client.checks,
+ resource=trustedadvisor_client.checks,
 )
 report.status = "MANUAL"
 report.status_extended = "Amazon Web Services Premium Support Subscription is required to use this service."
diff --git a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py
index a5b3c8e861a..0a4846cef29 100644
--- a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py
+++ b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_premium_support_plan_subscribed/trustedadvisor_premium_support_plan_subscribed.py
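Review bot: `resource=trustedadvisor_client.checks` in the second trustedadvisor_errors_and_warnings hunk hands the whole checks collection to Check_Report_AWS as if it were a single resource, and `resource=vpc_client.vpcs` in the vpc_different_regions hunk on the next line does the same with every VPC in the account. If the resource object is now carried into the output record, each of these account-level findings will embed an entire collection, and attribute-style lookups of an id, name, arn or region on a mapping yield nothing useful; vpc_different_regions visibly overrides region and resource_id by hand right after construction, while the Trusted Advisor MANUAL branch shows no such override within the hunk. A small account-scoped object, or the client itself with an explicit `report.resource_id = trustedadvisor_client.audited_account`-style assignment, would keep the finding's resource fields meaningful and bounded in size. The enclosing execute() bodies start and end outside both hunks, so any override further down is not visible here.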
@@ -15,7 +15,7 @@ def execute(self): ): report = Check_Report_AWS( metadata=self.metadata(), - resource_metadata=trustedadvisor_client.premium_support, + resource=trustedadvisor_client.premium_support, ) report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py b/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py index f646d48595b..0cfc03452fb 100644 --- a/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py +++ b/prowler/providers/aws/services/vpc/vpc_different_regions/vpc_different_regions.py @@ -12,7 +12,7 @@ def execute(self): vpc_regions.add(vpc.region) report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=vpc_client.vpcs + metadata=self.metadata(), resource=vpc_client.vpcs ) report.region = vpc_client.region report.resource_id = vpc_client.audited_account diff --git a/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py b/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py index d08133227d0..2023fab7258 100644 --- a/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py +++ b/prowler/providers/aws/services/vpc/vpc_endpoint_connections_trust_boundaries/vpc_endpoint_connections_trust_boundaries.py @@ -26,7 +26,7 @@ def execute(self): if "*" == statement["Principal"]: access_from_trusted_accounts = False report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=endpoint + metadata=self.metadata(), resource=endpoint ) if "Condition" in statement: @@ -61,7 +61,7 @@ def execute(self): principals = [] for principal_arn in principals: report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=endpoint + metadata=self.metadata(), resource=endpoint ) if principal_arn == "*": 
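Review bot: `resource=vpc_client.vpcs` in the `vpc_different_regions` hunk hands the complete VPC dictionary to one account-level finding; with resource metadata now emitted in outputs this would dump every VPC object the model holds into a single finding's resource field, which bloats the report and pushes inventory detail into consumers that only need the account-level result. The check immediately overrides `report.region = vpc_client.region` and `report.resource_id = vpc_client.audited_account`, so the constructor does not need the collection for identification, and `getattr(vpc_client.vpcs, "id"/"arn"/"region", ...)` on a dict yields `""` anyway. If the base class accepts a plain mapping for `resource` (its type is `Any`), a minimal account-level object such as `resource={"id": vpc_client.audited_account, "region": vpc_client.region}` would carry the same information without the payload; the enclosing `execute()` starts before this hunk, so any later reassignment of the resource is not visible here.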
diff --git a/prowler/providers/aws/services/vpc/vpc_endpoint_for_ec2_enabled/vpc_endpoint_for_ec2_enabled.py b/prowler/providers/aws/services/vpc/vpc_endpoint_for_ec2_enabled/vpc_endpoint_for_ec2_enabled.py index 8eb608e9fc9..e6da2d2c302 100644 --- a/prowler/providers/aws/services/vpc/vpc_endpoint_for_ec2_enabled/vpc_endpoint_for_ec2_enabled.py +++ b/prowler/providers/aws/services/vpc/vpc_endpoint_for_ec2_enabled/vpc_endpoint_for_ec2_enabled.py @@ -7,9 +7,7 @@ def execute(self): findings = [] for vpc_id, vpc in vpc_client.vpcs.items(): if vpc_client.provider.scan_unused_services or vpc.in_use: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=vpc - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=vpc) report.status = "FAIL" report.status_extended = f"VPC {vpc.id} has no EC2 endpoint." for endpoint in vpc_client.vpc_endpoints: diff --git a/prowler/providers/aws/services/vpc/vpc_endpoint_multi_az_enabled/vpc_endpoint_multi_az_enabled.py b/prowler/providers/aws/services/vpc/vpc_endpoint_multi_az_enabled/vpc_endpoint_multi_az_enabled.py index f7f668b5a96..2a795941726 100644 --- a/prowler/providers/aws/services/vpc/vpc_endpoint_multi_az_enabled/vpc_endpoint_multi_az_enabled.py +++ b/prowler/providers/aws/services/vpc/vpc_endpoint_multi_az_enabled/vpc_endpoint_multi_az_enabled.py @@ -7,9 +7,7 @@ def execute(self): findings = [] for endpoint in vpc_client.vpc_endpoints: if endpoint.vpc_id in vpc_client.vpcs and endpoint.type == "Interface": - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=endpoint - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=endpoint) report.status = "FAIL" report.status_extended = f"VPC Endpoint {endpoint.id} in VPC {endpoint.vpc_id} has subnets in different AZs." if len(endpoint.subnet_ids) > 1: 
diff --git a/prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.py b/prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.py index feffc02ea01..cc8815e56e7 100644 --- a/prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.py +++ b/prowler/providers/aws/services/vpc/vpc_endpoint_services_allowed_principals_trust_boundaries/vpc_endpoint_services_allowed_principals_trust_boundaries.py @@ -10,9 +10,7 @@ def execute(self): # Get trusted account_ids from prowler.config.yaml trusted_account_ids = vpc_client.audit_config.get("trusted_account_ids", []) for service in vpc_client.vpc_endpoint_services: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=service - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=service) if not service.allowed_principals: report.status = "PASS" diff --git a/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py b/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py index a465eec0a6c..216c9b50e1f 100644 --- a/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py +++ b/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py @@ -7,9 +7,7 @@ def execute(self): findings = [] for vpc in vpc_client.vpcs.values(): if vpc_client.provider.scan_unused_services or vpc.in_use: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=vpc - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=vpc) report.status = "FAIL" report.status_extended = ( f"VPC {vpc.name if vpc.name else vpc.id} Flow logs are disabled." 
diff --git a/prowler/providers/aws/services/vpc/vpc_peering_routing_tables_with_least_privilege/vpc_peering_routing_tables_with_least_privilege.py b/prowler/providers/aws/services/vpc/vpc_peering_routing_tables_with_least_privilege/vpc_peering_routing_tables_with_least_privilege.py index 3446f3233a4..5244a6a1915 100644 --- a/prowler/providers/aws/services/vpc/vpc_peering_routing_tables_with_least_privilege/vpc_peering_routing_tables_with_least_privilege.py +++ b/prowler/providers/aws/services/vpc/vpc_peering_routing_tables_with_least_privilege/vpc_peering_routing_tables_with_least_privilege.py @@ -6,7 +6,7 @@ class vpc_peering_routing_tables_with_least_privilege(Check): def execute(self): findings = [] for peer in vpc_client.vpc_peering_connections: - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=peer) + report = Check_Report_AWS(metadata=self.metadata(), resource=peer) report.status = "PASS" report.status_extended = ( f"VPC Peering Connection {peer.id} comply with least privilege access." diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py b/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py index 36bcdca03e2..bbc4b97c046 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py @@ -7,9 +7,7 @@ def execute(self): findings = [] for vpc in vpc_client.vpcs.values(): if vpc_client.provider.scan_unused_services or vpc.in_use: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=vpc - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=vpc) report.status = "FAIL" report.status_extended = ( f"VPC {vpc.name if vpc.name else vpc.id} has no subnets." 
diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py b/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py index 98d9af26612..464cce4943b 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py @@ -9,9 +9,7 @@ def execute(self): for subnet in vpc.subnets: # Check if ignoring flag is set and if the VPC Subnet is in use if vpc_client.provider.scan_unused_services or subnet.in_use: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=subnet - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=subnet) if subnet.mapPublicIpOnLaunch: report.status = "FAIL" report.status_extended = f"VPC subnet {subnet.name if subnet.name else subnet.id} assigns public IP by default." diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py b/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py index 5eb873eed7e..e4b39a52af2 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py @@ -7,9 +7,7 @@ def execute(self): findings = [] for vpc in vpc_client.vpcs.values(): if vpc_client.provider.scan_unused_services or vpc.in_use: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=vpc - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=vpc) report.status = "FAIL" report.status_extended = ( f"VPC {vpc.name if vpc.name else vpc.id} has no subnets." 
diff --git a/prowler/providers/aws/services/vpc/vpc_vpn_connection_tunnels_up/vpc_vpn_connection_tunnels_up.py b/prowler/providers/aws/services/vpc/vpc_vpn_connection_tunnels_up/vpc_vpn_connection_tunnels_up.py index 3940856ce88..86cdfb598fc 100644 --- a/prowler/providers/aws/services/vpc/vpc_vpn_connection_tunnels_up/vpc_vpn_connection_tunnels_up.py +++ b/prowler/providers/aws/services/vpc/vpc_vpn_connection_tunnels_up/vpc_vpn_connection_tunnels_up.py @@ -6,9 +6,7 @@ class vpc_vpn_connection_tunnels_up(Check): def execute(self): findings = [] for vpn_connection in vpc_client.vpn_connections.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=vpn_connection - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=vpn_connection) if ( vpn_connection.tunnels[0].status != "UP" diff --git a/prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.py b/prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.py index 86a310f7e9c..bdca94a6857 100644 --- a/prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.py +++ b/prowler/providers/aws/services/waf/waf_global_rule_with_conditions/waf_global_rule_with_conditions.py @@ -6,7 +6,7 @@ class waf_global_rule_with_conditions(Check): def execute(self): findings = [] for rule in waf_client.rules.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=rule) + report = Check_Report_AWS(metadata=self.metadata(), resource=rule) report.status = "FAIL" report.status_extended = ( f"AWS WAF Global Rule {rule.name} does not have any conditions." diff --git a/prowler/providers/aws/services/waf/waf_global_rulegroup_not_empty/waf_global_rulegroup_not_empty.py b/prowler/providers/aws/services/waf/waf_global_rulegroup_not_empty/waf_global_rulegroup_not_empty.py index e2f94c12d7e..564c683a666 100644 
--- a/prowler/providers/aws/services/waf/waf_global_rulegroup_not_empty/waf_global_rulegroup_not_empty.py +++ b/prowler/providers/aws/services/waf/waf_global_rulegroup_not_empty/waf_global_rulegroup_not_empty.py @@ -6,9 +6,7 @@ class waf_global_rulegroup_not_empty(Check): def execute(self): findings = [] for rule_group in waf_client.rule_groups.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=rule_group - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=rule_group) report.status = "FAIL" report.status_extended = ( f"AWS WAF Global Rule Group {rule_group.name} does not have any rules." diff --git a/prowler/providers/aws/services/waf/waf_global_webacl_logging_enabled/waf_global_webacl_logging_enabled.py b/prowler/providers/aws/services/waf/waf_global_webacl_logging_enabled/waf_global_webacl_logging_enabled.py index 8fc92cedb06..de5bb26ca4e 100644 --- a/prowler/providers/aws/services/waf/waf_global_webacl_logging_enabled/waf_global_webacl_logging_enabled.py +++ b/prowler/providers/aws/services/waf/waf_global_webacl_logging_enabled/waf_global_webacl_logging_enabled.py @@ -6,7 +6,7 @@ class waf_global_webacl_logging_enabled(Check): def execute(self): findings = [] for acl in waf_client.web_acls.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=acl) + report = Check_Report_AWS(metadata=self.metadata(), resource=acl) report.status = "FAIL" report.status_extended = ( f"AWS WAF Global Web ACL {acl.name} does not have logging enabled." diff --git a/prowler/providers/aws/services/waf/waf_global_webacl_with_rules/waf_global_webacl_with_rules.py b/prowler/providers/aws/services/waf/waf_global_webacl_with_rules/waf_global_webacl_with_rules.py index a5705aa138f..dfe0bc3f39c 100644 --- a/prowler/providers/aws/services/waf/waf_global_webacl_with_rules/waf_global_webacl_with_rules.py +++ b/prowler/providers/aws/services/waf/waf_global_webacl_with_rules/waf_global_webacl_with_rules.py 
@@ -6,7 +6,7 @@ class waf_global_webacl_with_rules(Check): def execute(self): findings = [] for acl in waf_client.web_acls.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=acl) + report = Check_Report_AWS(metadata=self.metadata(), resource=acl) report.status = "FAIL" report.status_extended = f"AWS WAF Global Web ACL {acl.name} does not have any rules or rule groups." diff --git a/prowler/providers/aws/services/waf/waf_regional_rule_with_conditions/waf_regional_rule_with_conditions.py b/prowler/providers/aws/services/waf/waf_regional_rule_with_conditions/waf_regional_rule_with_conditions.py index d2396b20873..8c7ab60e151 100644 --- a/prowler/providers/aws/services/waf/waf_regional_rule_with_conditions/waf_regional_rule_with_conditions.py +++ b/prowler/providers/aws/services/waf/waf_regional_rule_with_conditions/waf_regional_rule_with_conditions.py @@ -6,7 +6,7 @@ class waf_regional_rule_with_conditions(Check): def execute(self): findings = [] for rule in wafregional_client.rules.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=rule) + report = Check_Report_AWS(metadata=self.metadata(), resource=rule) report.status = "FAIL" report.status_extended = ( f"AWS WAF Regional Rule {rule.name} does not have any conditions." diff --git a/prowler/providers/aws/services/waf/waf_regional_rulegroup_not_empty/waf_regional_rulegroup_not_empty.py b/prowler/providers/aws/services/waf/waf_regional_rulegroup_not_empty/waf_regional_rulegroup_not_empty.py index c9f22673cc2..4acf06a24f3 100644 --- a/prowler/providers/aws/services/waf/waf_regional_rulegroup_not_empty/waf_regional_rulegroup_not_empty.py +++ b/prowler/providers/aws/services/waf/waf_regional_rulegroup_not_empty/waf_regional_rulegroup_not_empty.py 
@@ -6,9 +6,7 @@ class waf_regional_rulegroup_not_empty(Check): def execute(self): findings = [] for rule_group in wafregional_client.rule_groups.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=rule_group - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=rule_group) report.status = "FAIL" report.status_extended = f"AWS WAF Regional Rule Group {rule_group.name} does not have any rules." diff --git a/prowler/providers/aws/services/waf/waf_regional_webacl_with_rules/waf_regional_webacl_with_rules.py b/prowler/providers/aws/services/waf/waf_regional_webacl_with_rules/waf_regional_webacl_with_rules.py index a617cfbe408..583430cc851 100644 --- a/prowler/providers/aws/services/waf/waf_regional_webacl_with_rules/waf_regional_webacl_with_rules.py +++ b/prowler/providers/aws/services/waf/waf_regional_webacl_with_rules/waf_regional_webacl_with_rules.py @@ -6,7 +6,7 @@ class waf_regional_webacl_with_rules(Check): def execute(self): findings = [] for acl in wafregional_client.web_acls.values(): - report = Check_Report_AWS(metadata=self.metadata(), resource_metadata=acl) + report = Check_Report_AWS(metadata=self.metadata(), resource=acl) report.status = "FAIL" report.status_extended = f"AWS WAF Regional Web ACL {acl.name} does not have any rules or rule groups." diff --git a/prowler/providers/aws/services/wafv2/wafv2_webacl_logging_enabled/wafv2_webacl_logging_enabled.py b/prowler/providers/aws/services/wafv2/wafv2_webacl_logging_enabled/wafv2_webacl_logging_enabled.py index 98777de30a9..83807664c33 100644 --- a/prowler/providers/aws/services/wafv2/wafv2_webacl_logging_enabled/wafv2_webacl_logging_enabled.py +++ b/prowler/providers/aws/services/wafv2/wafv2_webacl_logging_enabled/wafv2_webacl_logging_enabled.py 
@@ -6,9 +6,7 @@ class wafv2_webacl_logging_enabled(Check): def execute(self): findings = [] for web_acl in wafv2_client.web_acls.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=web_acl - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=web_acl) if web_acl.logging_enabled: report.status = "PASS" diff --git a/prowler/providers/aws/services/wafv2/wafv2_webacl_rule_logging_enabled/wafv2_webacl_rule_logging_enabled.py b/prowler/providers/aws/services/wafv2/wafv2_webacl_rule_logging_enabled/wafv2_webacl_rule_logging_enabled.py index 2c2770952a8..b2d0022a979 100644 --- a/prowler/providers/aws/services/wafv2/wafv2_webacl_rule_logging_enabled/wafv2_webacl_rule_logging_enabled.py +++ b/prowler/providers/aws/services/wafv2/wafv2_webacl_rule_logging_enabled/wafv2_webacl_rule_logging_enabled.py @@ -6,9 +6,7 @@ class wafv2_webacl_rule_logging_enabled(Check): def execute(self): findings = [] for web_acl in wafv2_client.web_acls.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=web_acl - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=web_acl) if web_acl.rules or web_acl.rule_groups: report.status = "PASS" diff --git a/prowler/providers/aws/services/wafv2/wafv2_webacl_with_rules/wafv2_webacl_with_rules.py b/prowler/providers/aws/services/wafv2/wafv2_webacl_with_rules/wafv2_webacl_with_rules.py index 6173f2becbd..ce94b9fa74f 100644 --- a/prowler/providers/aws/services/wafv2/wafv2_webacl_with_rules/wafv2_webacl_with_rules.py +++ b/prowler/providers/aws/services/wafv2/wafv2_webacl_with_rules/wafv2_webacl_with_rules.py 
@@ -6,9 +6,7 @@ class wafv2_webacl_with_rules(Check): def execute(self): findings = [] for web_acl in wafv2_client.web_acls.values(): - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=web_acl - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=web_acl) report.status = "FAIL" report.status_extended = f"AWS WAFv2 Web ACL {web_acl.name} does not have any rules or rule groups attached." diff --git a/prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py b/prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py index d9aa682bc6a..947f0c9c810 100644 --- a/prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py +++ b/prowler/providers/aws/services/wellarchitected/wellarchitected_workload_no_high_or_medium_risks/wellarchitected_workload_no_high_or_medium_risks.py @@ -8,9 +8,7 @@ class wellarchitected_workload_no_high_or_medium_risks(Check): def execute(self): findings = [] for workload in wellarchitected_client.workloads: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=workload - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=workload) report.status = "PASS" report.status_extended = f"Well Architected workload {workload.name} does not contain high or medium risks." if "HIGH" in workload.risks or "MEDIUM" in workload.risks: diff --git a/prowler/providers/aws/services/workspaces/workspaces_volume_encryption_enabled/workspaces_volume_encryption_enabled.py b/prowler/providers/aws/services/workspaces/workspaces_volume_encryption_enabled/workspaces_volume_encryption_enabled.py index acfddadfa53..6765fee58f0 100644 
--- a/prowler/providers/aws/services/workspaces/workspaces_volume_encryption_enabled/workspaces_volume_encryption_enabled.py +++ b/prowler/providers/aws/services/workspaces/workspaces_volume_encryption_enabled/workspaces_volume_encryption_enabled.py @@ -8,9 +8,7 @@ class workspaces_volume_encryption_enabled(Check): def execute(self): findings = [] for workspace in workspaces_client.workspaces: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=workspace - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=workspace) report.status = "PASS" report.status_extended = f"WorkSpaces workspace {workspace.id} root and user volumes are encrypted." if not workspace.user_volume_encryption_enabled: diff --git a/prowler/providers/aws/services/workspaces/workspaces_vpc_2private_1public_subnets_nat/workspaces_vpc_2private_1public_subnets_nat.py b/prowler/providers/aws/services/workspaces/workspaces_vpc_2private_1public_subnets_nat/workspaces_vpc_2private_1public_subnets_nat.py index d75e60bb0c4..67933f295dd 100644 --- a/prowler/providers/aws/services/workspaces/workspaces_vpc_2private_1public_subnets_nat/workspaces_vpc_2private_1public_subnets_nat.py +++ b/prowler/providers/aws/services/workspaces/workspaces_vpc_2private_1public_subnets_nat/workspaces_vpc_2private_1public_subnets_nat.py @@ -9,9 +9,7 @@ class workspaces_vpc_2private_1public_subnets_nat(Check): def execute(self): findings = [] for workspace in workspaces_client.workspaces: - report = Check_Report_AWS( - metadata=self.metadata(), resource_metadata=workspace - ) + report = Check_Report_AWS(metadata=self.metadata(), resource=workspace) report.status = "PASS" report.status_extended = f"Workspace {workspace.id} is in a private subnet within a VPC which has 1 public subnet 2 private subnets with a NAT Gateway attached." vpc_object = None 
diff --git a/prowler/providers/azure/services/aisearch/aisearch_service_not_publicly_accessible/aisearch_service_not_publicly_accessible.py b/prowler/providers/azure/services/aisearch/aisearch_service_not_publicly_accessible/aisearch_service_not_publicly_accessible.py index f22e147138f..424b7a832e9 100644 --- a/prowler/providers/azure/services/aisearch/aisearch_service_not_publicly_accessible/aisearch_service_not_publicly_accessible.py +++ b/prowler/providers/azure/services/aisearch/aisearch_service_not_publicly_accessible/aisearch_service_not_publicly_accessible.py @@ -14,7 +14,7 @@ def execute(self) -> List[Check_Report_Azure]: ) in aisearch_client.aisearch_services.items(): for aisearch_service in aisearch_services.values(): report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=aisearch_service + metadata=self.metadata(), resource=aisearch_service ) report.subscription = subscription_name report.status = "FAIL" diff --git a/prowler/providers/azure/services/aks/aks_cluster_rbac_enabled/aks_cluster_rbac_enabled.py b/prowler/providers/azure/services/aks/aks_cluster_rbac_enabled/aks_cluster_rbac_enabled.py index 86004cc65c8..e5478b0d906 100644 --- a/prowler/providers/azure/services/aks/aks_cluster_rbac_enabled/aks_cluster_rbac_enabled.py +++ b/prowler/providers/azure/services/aks/aks_cluster_rbac_enabled/aks_cluster_rbac_enabled.py @@ -8,9 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription_name, clusters in aks_client.clusters.items(): for cluster in clusters.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=cluster) report.subscription = subscription_name report.status = "PASS" report.status_extended = f"RBAC is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." 
diff --git a/prowler/providers/azure/services/aks/aks_clusters_created_with_private_nodes/aks_clusters_created_with_private_nodes.py b/prowler/providers/azure/services/aks/aks_clusters_created_with_private_nodes/aks_clusters_created_with_private_nodes.py index 57efa3704fa..6de9b3653f3 100644 --- a/prowler/providers/azure/services/aks/aks_clusters_created_with_private_nodes/aks_clusters_created_with_private_nodes.py +++ b/prowler/providers/azure/services/aks/aks_clusters_created_with_private_nodes/aks_clusters_created_with_private_nodes.py @@ -8,9 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription_name, clusters in aks_client.clusters.items(): for cluster in clusters.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=cluster) report.subscription = subscription_name report.status = "PASS" report.status_extended = f"Cluster '{cluster.name}' was created with private nodes in subscription '{subscription_name}'" diff --git a/prowler/providers/azure/services/aks/aks_clusters_public_access_disabled/aks_clusters_public_access_disabled.py b/prowler/providers/azure/services/aks/aks_clusters_public_access_disabled/aks_clusters_public_access_disabled.py index bcd91b99560..b607abb6d9d 100644 --- a/prowler/providers/azure/services/aks/aks_clusters_public_access_disabled/aks_clusters_public_access_disabled.py +++ b/prowler/providers/azure/services/aks/aks_clusters_public_access_disabled/aks_clusters_public_access_disabled.py 
@@ -8,9 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription_name, clusters in aks_client.clusters.items(): for cluster in clusters.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=cluster) report.subscription = subscription_name report.status = "FAIL" report.status_extended = f"Public access to nodes is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'" diff --git a/prowler/providers/azure/services/aks/aks_network_policy_enabled/aks_network_policy_enabled.py b/prowler/providers/azure/services/aks/aks_network_policy_enabled/aks_network_policy_enabled.py index f27f36af438..2af996ffa5d 100644 --- a/prowler/providers/azure/services/aks/aks_network_policy_enabled/aks_network_policy_enabled.py +++ b/prowler/providers/azure/services/aks/aks_network_policy_enabled/aks_network_policy_enabled.py @@ -8,9 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription_name, clusters in aks_client.clusters.items(): for cluster_id, cluster in clusters.items(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=cluster - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=cluster) report.subscription = subscription_name report.status = "PASS" report.status_extended = f"Network policy is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." diff --git a/prowler/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on.py b/prowler/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on.py index df97c77d0e9..44103a76252 100644 --- a/prowler/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on.py +++ b/prowler/providers/azure/services/app/app_client_certificates_on/app_client_certificates_on.py 
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure: apps, ) in app_client.apps.items(): for app in apps.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "PASS" report.status_extended = f"Clients are required to present a certificate for app '{app.name}' in subscription '{subscription_name}'." diff --git a/prowler/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up.py b/prowler/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up.py index a091e16123c..93d9d5b9441 100644 --- a/prowler/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up.py +++ b/prowler/providers/azure/services/app/app_ensure_auth_is_set_up/app_ensure_auth_is_set_up.py @@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure: apps, ) in app_client.apps.items(): for app in apps.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "PASS" report.status_extended = f"Authentication is set up for app '{app.name}' in subscription '{subscription_name}'." diff --git a/prowler/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https.py b/prowler/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https.py index 3ae110a82b2..47a0b8851a0 100644 --- a/prowler/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https.py +++ b/prowler/providers/azure/services/app/app_ensure_http_is_redirected_to_https/app_ensure_http_is_redirected_to_https.py 
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure: apps, ) in app_client.apps.items(): for app in apps.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "PASS" report.status_extended = f"HTTP is redirected to HTTPS for app '{app.name}' in subscription '{subscription_name}'." diff --git a/prowler/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest.py b/prowler/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest.py index 8f5d213726d..bc4caf7cf31 100644 --- a/prowler/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest.py +++ b/prowler/providers/azure/services/app/app_ensure_java_version_is_latest/app_ensure_java_version_is_latest.py @@ -17,9 +17,7 @@ def execute(self) -> Check_Report_Azure: ) if "java" in linux_framework.lower() or windows_framework_version: - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "FAIL" java_latest_version = app_client.audit_config.get( diff --git a/prowler/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest.py b/prowler/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest.py index 28da941b681..8c48c629e33 100644 --- a/prowler/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest.py +++ b/prowler/providers/azure/services/app/app_ensure_php_version_is_latest/app_ensure_php_version_is_latest.py 
@@ -16,9 +16,7 @@ def execute(self) -> Check_Report_Azure: if "php" in framework.lower() or getattr( app.configurations, "php_version", "" ): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "FAIL" diff --git a/prowler/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest.py b/prowler/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest.py index e861052c4be..9be2d127e16 100644 --- a/prowler/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest.py +++ b/prowler/providers/azure/services/app/app_ensure_python_version_is_latest/app_ensure_python_version_is_latest.py @@ -16,9 +16,7 @@ def execute(self) -> Check_Report_Azure: if "python" in framework.lower() or getattr( app.configurations, "python_version", "" ): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "FAIL" python_latest_version = app_client.audit_config.get( diff --git a/prowler/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20.py b/prowler/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20.py index fa410d098ab..52ea5c83cd0 100644 --- a/prowler/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20.py +++ b/prowler/providers/azure/services/app/app_ensure_using_http20/app_ensure_using_http20.py 
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure: apps, ) in app_client.apps.items(): for app in apps.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "FAIL" report.status_extended = f"HTTP/2.0 is not enabled for app '{app.name}' in subscription '{subscription_name}'." diff --git a/prowler/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled.py b/prowler/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled.py index 5b8588bb26b..7177b05a69b 100644 --- a/prowler/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled.py +++ b/prowler/providers/azure/services/app/app_ftp_deployment_disabled/app_ftp_deployment_disabled.py @@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure: apps, ) in app_client.apps.items(): for app in apps.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "FAIL" report.status_extended = f"FTP is enabled for app '{app.name}' in subscription '{subscription_name}'." diff --git a/prowler/providers/azure/services/app/app_function_access_keys_configured/app_function_access_keys_configured.py b/prowler/providers/azure/services/app/app_function_access_keys_configured/app_function_access_keys_configured.py index 66cc033bccd..e942aabc6fb 100644 --- a/prowler/providers/azure/services/app/app_function_access_keys_configured/app_function_access_keys_configured.py +++ b/prowler/providers/azure/services/app/app_function_access_keys_configured/app_function_access_keys_configured.py 
@@ -11,9 +11,7 @@ def execute(self): functions, ) in app_client.functions.items(): for function in functions.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=function) report.subscription = subscription_name report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.py b/prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.py index d3ad162f3f4..06ce41a2b01 100644 --- a/prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.py +++ b/prowler/providers/azure/services/app/app_function_application_insights_enabled/app_function_application_insights_enabled.py @@ -14,9 +14,7 @@ def execute(self): functions, ) in app_client.functions.items(): for function in functions.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=function) report.subscription = subscription_name report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.py b/prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.py index c52c045a525..c8999860369 100644 --- a/prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.py +++ b/prowler/providers/azure/services/app/app_function_ftps_deployment_disabled/app_function_ftps_deployment_disabled.py 
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure: functions, ) in app_client.functions.items(): for function in functions.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=function) report.subscription = subscription_name report.status = "FAIL" report.status_extended = f"Function {function.name} has {'FTP' if function.ftps_state == 'AllAllowed' else 'FTPS' if function.ftps_state == 'FtpsOnly' else 'FTP or FTPS'} deployment enabled" diff --git a/prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.py b/prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.py index da72cb5e9d4..0d68971f95a 100644 --- a/prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.py +++ b/prowler/providers/azure/services/app/app_function_identity_is_configured/app_function_identity_is_configured.py @@ -11,9 +11,7 @@ def execute(self): functions, ) in app_client.functions.items(): for function in functions.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=function) report.subscription = subscription_name report.status = "FAIL" report.status_extended = f"Function {function.name} does not have a managed identity enabled." diff --git a/prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.py b/prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.py index df4fe2f9c1c..c4db014bc3f 100644 --- a/prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.py 
+++ b/prowler/providers/azure/services/app/app_function_identity_without_admin_privileges/app_function_identity_without_admin_privileges.py @@ -20,7 +20,7 @@ def execute(self): for function in functions.values(): if function.identity: report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=function + metadata=self.metadata(), resource=function ) report.subscription = subscription_name report.status = "PASS" diff --git a/prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.py b/prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.py index 79299b002b7..180434ec21f 100644 --- a/prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.py +++ b/prowler/providers/azure/services/app/app_function_latest_runtime_version/app_function_latest_runtime_version.py @@ -11,9 +11,7 @@ def execute(self): functions, ) in app_client.functions.items(): for function in functions.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=function) report.subscription = subscription_name report.status = "PASS" report.status_extended = ( diff --git a/prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.py b/prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.py index 846f1226a34..3d506ae6e80 100644 --- a/prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.py +++ b/prowler/providers/azure/services/app/app_function_not_publicly_accessible/app_function_not_publicly_accessible.py 
@@ -11,9 +11,7 @@ def execute(self): functions, ) in app_client.functions.items(): for function in functions.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=function) report.subscription = subscription_name report.status = "FAIL" report.status_extended = ( diff --git a/prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.py b/prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.py index 1e184b6a5e9..027b98ac885 100644 --- a/prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.py +++ b/prowler/providers/azure/services/app/app_function_vnet_integration_enabled/app_function_vnet_integration_enabled.py @@ -11,9 +11,7 @@ def execute(self): functions, ) in app_client.functions.items(): for function in functions.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=function - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=function) report.subscription = subscription_name report.status = "FAIL" report.status_extended = f"Function {function.name} does not have virtual network integration enabled." diff --git a/prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.py b/prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.py index 2aec2e6ff37..ea70bb708a6 100644 --- a/prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.py +++ b/prowler/providers/azure/services/app/app_http_logs_enabled/app_http_logs_enabled.py 
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_Azure: for subscription_name, apps in app_client.apps.items(): for app in apps.values(): if "functionapp" not in app.kind: - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "FAIL" if not app.monitor_diagnostic_settings: diff --git a/prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.py b/prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.py index 6a3cccb9205..f6931ba7cff 100644 --- a/prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.py +++ b/prowler/providers/azure/services/app/app_minimum_tls_version_12/app_minimum_tls_version_12.py @@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure: apps, ) in app_client.apps.items(): for app in apps.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "FAIL" report.status_extended = f"Minimum TLS version is not set to 1.2 for app '{app.name}' in subscription '{subscription_name}'." diff --git a/prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.py b/prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.py index dda70c37e23..35961046f9a 100644 --- a/prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.py +++ b/prowler/providers/azure/services/app/app_register_with_identity/app_register_with_identity.py 
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure: apps, ) in app_client.apps.items(): for app in apps.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=app - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=app) report.subscription = subscription_name report.status = "PASS" report.status_extended = f"App '{app.name}' in subscription '{subscription_name}' has an identity configured." diff --git a/prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.py b/prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.py index 04e72f794f3..aa6510804a1 100644 --- a/prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.py +++ b/prowler/providers/azure/services/appinsights/appinsights_ensure_is_configured/appinsights_ensure_is_configured.py @@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure: findings = [] for subscription_name, components in appinsights_client.components.items(): - report = Check_Report_Azure(metadata=self.metadata(), resource_metadata={}) + report = Check_Report_Azure(metadata=self.metadata(), resource={}) report.status = "PASS" report.subscription = subscription_name report.resource_name = "AppInsights" diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.py b/prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.py index 593c9252206..05cd0b1d6d8 100644 --- a/prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.py +++ b/prowler/providers/azure/services/containerregistry/containerregistry_admin_user_disabled/containerregistry_admin_user_disabled.py 
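Review bot: Passing `resource={}` in the appinsights_ensure_is_configured hunk gives the report nothing to derive resource metadata from — a plain dict has no `id` or `name` attributes, so whatever the constructor reads via `getattr` falls back to its empty defaults and only the manually set `report.resource_name = "AppInsights"` survives into the outputs this commit is meant to populate. If the subscription is the real subject of this finding, consider passing an object that carries its id/name or setting `report.resource_id` explicitly next to `resource_name` so the finding stays attributable in the output files. I cannot see the Azure constructor body from here; this is inferred from the AWS one on the same page. execute() continues outside the hunk.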
@@ -11,7 +11,7 @@ def execute(self) -> list[Check_Report_Azure]: for subscription, registries in containerregistry_client.registries.items(): for container_registry_info in registries.values(): report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=container_registry_info + metadata=self.metadata(), resource=container_registry_info ) report.subscription = subscription report.status = "FAIL" diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py b/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py index 9eb3ce9a610..e6401af404e 100644 --- a/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py +++ b/prowler/providers/azure/services/containerregistry/containerregistry_not_publicly_accessible/containerregistry_not_publicly_accessible.py @@ -11,7 +11,7 @@ def execute(self) -> list[Check_Report_Azure]: for subscription, registries in containerregistry_client.registries.items(): for container_registry_info in registries.values(): report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=container_registry_info + metadata=self.metadata(), resource=container_registry_info ) report.subscription = subscription report.status = "FAIL" diff --git a/prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.py b/prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.py index 90660ccaf2b..5962a34c773 100644 --- a/prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.py 
+++ b/prowler/providers/azure/services/containerregistry/containerregistry_uses_private_link/containerregistry_uses_private_link.py @@ -11,7 +11,7 @@ def execute(self) -> list[Check_Report_Azure]: for subscription, registries in containerregistry_client.registries.items(): for container_registry_info in registries.values(): report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=container_registry_info + metadata=self.metadata(), resource=container_registry_info ) report.subscription = subscription report.status = "FAIL" diff --git a/prowler/providers/azure/services/cosmosdb/cosmosdb_account_firewall_use_selected_networks/cosmosdb_account_firewall_use_selected_networks.py b/prowler/providers/azure/services/cosmosdb/cosmosdb_account_firewall_use_selected_networks/cosmosdb_account_firewall_use_selected_networks.py index 90bf3da3556..d664fbfa3aa 100644 --- a/prowler/providers/azure/services/cosmosdb/cosmosdb_account_firewall_use_selected_networks/cosmosdb_account_firewall_use_selected_networks.py +++ b/prowler/providers/azure/services/cosmosdb/cosmosdb_account_firewall_use_selected_networks/cosmosdb_account_firewall_use_selected_networks.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure: findings = [] for subscription, accounts in cosmosdb_client.accounts.items(): for account in accounts: - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=account - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=account) report.subscription = subscription report.status = "FAIL" report.status_extended = f"CosmosDB account {account.name} from subscription {subscription} has firewall rules that allow access from all networks." diff --git a/prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_aad_and_rbac/cosmosdb_account_use_aad_and_rbac.py b/prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_aad_and_rbac/cosmosdb_account_use_aad_and_rbac.py index 1aa25d65e8f..b521792256e 100644 
--- a/prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_aad_and_rbac/cosmosdb_account_use_aad_and_rbac.py +++ b/prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_aad_and_rbac/cosmosdb_account_use_aad_and_rbac.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure: findings = [] for subscription, accounts in cosmosdb_client.accounts.items(): for account in accounts: - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=account - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=account) report.subscription = subscription report.status = "FAIL" report.status_extended = f"CosmosDB account {account.name} from subscription {subscription} is not using AAD and RBAC" diff --git a/prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_private_endpoints/cosmosdb_account_use_private_endpoints.py b/prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_private_endpoints/cosmosdb_account_use_private_endpoints.py index b99d3dd9fba..82298011342 100644 --- a/prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_private_endpoints/cosmosdb_account_use_private_endpoints.py +++ b/prowler/providers/azure/services/cosmosdb/cosmosdb_account_use_private_endpoints/cosmosdb_account_use_private_endpoints.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure: findings = [] for subscription, accounts in cosmosdb_client.accounts.items(): for account in accounts: - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=account - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=account) report.subscription = subscription report.status = "FAIL" report.status_extended = f"CosmosDB account {account.name} from subscription {subscription} is not using private endpoints connections" 
diff --git a/prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.py b/prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.py index 3020b395b52..2e7fa7c9d36 100644 --- a/prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.py +++ b/prowler/providers/azure/services/defender/defender_additional_email_configured_with_a_security_contact/defender_additional_email_configured_with_a_security_contact.py @@ -13,9 +13,7 @@ def execute(self) -> Check_Report_Azure: security_contacts, ) in defender_client.security_contacts.items(): for contact in security_contacts.values(): - report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=contact - ) + report = Check_Report_Azure(metadata=self.metadata(), resource=contact) report.status = "PASS" report.subscription = subscription_name report.status_extended = f"There is another correct email configured for subscription {subscription_name}." diff --git a/prowler/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed.py b/prowler/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed.py index 30ad4ee47db..1e24f4918ae 100644 --- a/prowler/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed.py +++ b/prowler/providers/azure/services/defender/defender_assessments_vm_endpoint_protection_installed/defender_assessments_vm_endpoint_protection_installed.py 
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_Azure: ): report = Check_Report_Azure( metadata=self.metadata(), - resource_metadata=assessments[ + resource=assessments[ "Install endpoint protection solution on virtual machines" ], ) diff --git a/prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.py b/prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.py index 4713e0c138f..5a4121a5113 100644 --- a/prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.py +++ b/prowler/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on.py @@ -13,7 +13,7 @@ def execute(self) -> Check_Report_Azure: for auto_provisioning_setting in auto_provisioning_settings.values(): report = Check_Report_Azure( metadata=self.metadata(), - resource_metadata=auto_provisioning_setting, + resource=auto_provisioning_setting, ) report.subscription = subscription_name report.status = "PASS" diff --git a/prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.py b/prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.py index 5b407edbecf..f3bb4dbc25f 100644 --- a/prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.py 
+++ b/prowler/providers/azure/services/defender/defender_auto_provisioning_vulnerabilty_assessments_machines_on/defender_auto_provisioning_vulnerabilty_assessments_machines_on.py @@ -16,7 +16,7 @@ def execute(self) -> Check_Report_Azure: ): report = Check_Report_Azure( metadata=self.metadata(), - resource_metadata=assessments[ + resource=assessments[ "Machines should have a vulnerability assessment solution" ], ) diff --git a/prowler/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.py b/prowler/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.py index 0f6962cd179..51dd1e36485 100644 --- a/prowler/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.py +++ b/prowler/providers/azure/services/defender/defender_container_images_resolved_vulnerabilities/defender_container_images_resolved_vulnerabilities.py @@ -24,7 +24,7 @@ def execute(self) -> Check_Report_Azure: ): report = Check_Report_Azure( metadata=self.metadata(), - resource_metadata=assessments[ + resource=assessments[ "Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)" ], ) diff --git a/prowler/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.py b/prowler/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.py index aa9f1a9a14b..9aa966e6089 100644 --- a/prowler/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.py +++ b/prowler/providers/azure/services/defender/defender_container_images_scan_enabled/defender_container_images_scan_enabled.py 
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription, pricings in defender_client.pricings.items(): if "Containers" in pricings: report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=pricings["Containers"] + metadata=self.metadata(), resource=pricings["Containers"] ) report.subscription = subscription report.resource_name = "Dender plan for Containers" diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on.py index f65d42a62ed..cd30f2e5ddd 100644 --- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on.py +++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_app_services_is_on/defender_ensure_defender_for_app_services_is_on.py @@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription, pricings in defender_client.pricings.items(): if "AppServices" in pricings: report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=pricings["AppServices"] + metadata=self.metadata(), resource=pricings["AppServices"] ) report.subscription = subscription report.resource_name = "Defender plan App Services" diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on.py index 03915a409ec..c05102b3516 100644 --- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on.py +++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_arm_is_on/defender_ensure_defender_for_arm_is_on.py 
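Review bot: The context line `report.resource_name = "Dender plan for Containers"` in the defender_container_images_scan_enabled hunk carries a typo that is written into every output row for this check; it should read `report.resource_name = "Defender plan for Containers"`. Since this commit already touches the line directly above it, the fix is cheap to fold in. execute() continues outside the hunk.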
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription, pricings in defender_client.pricings.items(): if "Arm" in pricings: report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=pricings["Arm"] + metadata=self.metadata(), resource=pricings["Arm"] ) report.subscription = subscription report.resource_name = "Defender plan ARM" diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on.py index c195715f0a1..5dc3220cf12 100644 --- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on.py +++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_azure_sql_databases_is_on/defender_ensure_defender_for_azure_sql_databases_is_on.py @@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription, pricings in defender_client.pricings.items(): if "SqlServers" in pricings: report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=pricings["SqlServers"] + metadata=self.metadata(), resource=pricings["SqlServers"] ) report.subscription = subscription report.resource_name = "Defender plan Azure SQL DB Servers" diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on.py index aa055e1471f..3771b0ecfde 100644 --- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on.py 
+++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_containers_is_on/defender_ensure_defender_for_containers_is_on.py @@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription, pricings in defender_client.pricings.items(): if "Containers" in pricings: report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=pricings["Containers"] + metadata=self.metadata(), resource=pricings["Containers"] ) report.subscription = subscription report.resource_name = "Defender plan Container Registries" diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on.py index 924d772dc7b..eba77eb94ff 100644 --- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on.py +++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_cosmosdb_is_on/defender_ensure_defender_for_cosmosdb_is_on.py @@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription, pricings in defender_client.pricings.items(): if "CosmosDbs" in pricings: report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=pricings["CosmosDbs"] + metadata=self.metadata(), resource=pricings["CosmosDbs"] ) report.subscription = subscription report.resource_name = "Defender plan Cosmos DB" diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on.py index 558179e2cdc..7ae6fa9a9be 100644 --- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on.py 
+++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_databases_is_on/defender_ensure_defender_for_databases_is_on.py @@ -13,7 +13,7 @@ def execute(self) -> Check_Report_Azure: and "CosmosDbs" in pricings ): report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=pricings["SqlServers"] + metadata=self.metadata(), resource=pricings["SqlServers"] ) report.subscription = subscription report.resource_name = "Defender plan Databases" diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on.py index 96bbca1bd3d..e096e93baba 100644 --- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on.py +++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_dns_is_on/defender_ensure_defender_for_dns_is_on.py @@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure: for subscription, pricings in defender_client.pricings.items(): if "Dns" in pricings: report = Check_Report_Azure( - metadata=self.metadata(), resource_metadata=pricings["Dns"] + metadata=self.metadata(), resource=pricings["Dns"] ) report.subscription = subscription report.resource_name = "Defender plan DNS" diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on.py index 7ed2e0a6ec3..202e76b4b4f 100644 --- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on.py +++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_keyvault_is_on/defender_ensure_defender_for_keyvault_is_on.py 
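Review bot: In the defender_ensure_defender_for_databases_is_on hunk the finding is built from `resource=pricings["SqlServers"]` although the check covers several plans (the condition above it also tests "CosmosDbs"), so the resource id and name now emitted into the outputs describe only the SqlServers pricing while the `resource_name` set below says "Defender plan Databases". A consumer that keys findings by resource id may then conflate this finding with the dedicated SqlServers check on this page. A short comment such as `# SqlServers pricing stands in for the whole Databases bundle; resource_id reflects that plan only` would make the choice explicit, or the report could set `report.resource_id` to a value that names the bundle. The condition and the enclosing execute() start outside the hunk.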
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, pricings in defender_client.pricings.items():
 if "KeyVaults" in pricings:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=pricings["KeyVaults"]
+ metadata=self.metadata(), resource=pricings["KeyVaults"]
 )
 report.subscription = subscription
 report.resource_name = "Defender plan KeyVaults"
diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on.py
index cc114ac4f1e..7497e9fc2a6 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_os_relational_databases_is_on/defender_ensure_defender_for_os_relational_databases_is_on.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 if "OpenSourceRelationalDatabases" in pricings:
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=pricings["OpenSourceRelationalDatabases"],
+ resource=pricings["OpenSourceRelationalDatabases"],
 )
 report.subscription = subscription
 report.resource_name = "Defender plan Open-Source Relational Databases"
diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on.py
index 0ce39b36921..54cf846b782 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_server_is_on/defender_ensure_defender_for_server_is_on.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 if "VirtualMachines" in pricings:
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=pricings["VirtualMachines"],
+ resource=pricings["VirtualMachines"],
 )
 report.subscription = subscription
 report.resource_name = "Defender plan Servers"
diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on.py
index 7b8349e2ee4..741b5906a94 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_sql_servers_is_on/defender_ensure_defender_for_sql_servers_is_on.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 if "SqlServerVirtualMachines" in pricings:
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=pricings["SqlServerVirtualMachines"],
+ resource=pricings["SqlServerVirtualMachines"],
 )
 report.subscription = subscription
 report.resource_name = "Defender plan SQL Server VMs"
diff --git a/prowler/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on.py
index d5cccbc3972..390d6e8cde8 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_defender_for_storage_is_on/defender_ensure_defender_for_storage_is_on.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 if "StorageAccounts" in pricings:
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=pricings["StorageAccounts"],
+ resource=pricings["StorageAccounts"],
 )
 report.subscription = subscription
 report.resource_name = "Defender plan Storage Accounts"
diff --git a/prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.py b/prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.py
index 4d834b39ff5..92b09b100e8 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_iot_hub_defender_is_on/defender_ensure_iot_hub_defender_is_on.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 iot_security_solutions,
 ) in defender_client.iot_security_solutions.items():
 if not iot_security_solutions:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.status = "FAIL"
 report.subscription = subscription_name
 report.resource_name = "IoT Hub Defender"
@@ -24,7 +22,7 @@ def execute(self) -> Check_Report_Azure:
 for iot_security_solution in iot_security_solutions.values():
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=iot_security_solution,
+ resource=iot_security_solution,
 )
 report.subscription = subscription_name
 report.status = "PASS"
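Review bot: The new `resource={}` on the FAIL branch of the iot_hub hunk passes an empty dict where every other call site in this series passes a provider object, and nothing says why; the same placeholder appears in the mcas and wdatp hunks below. If the object passed as resource now flows into the findings output, these FAIL findings carry no resource metadata beyond the fields assigned by hand right after, which is probably intended but easy to mistake for an oversight later. I would add `# no IoT security solution exists for this subscription, so there is no object to attach; identifying fields are set explicitly below` above that line, and the equivalent comment in the other two. The enclosing execute() continues outside the hunk.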
diff --git a/prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.py b/prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.py
index 9061a9b0fc0..fb21e4c9d20 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_mcas_is_enabled/defender_ensure_mcas_is_enabled.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 settings,
 ) in defender_client.settings.items():
 if "MCAS" not in settings:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "MCAS"
 report.resource_id = "MCAS"
@@ -21,7 +19,7 @@ def execute(self) -> Check_Report_Azure:
 report.status_extended = f"Microsoft Defender for Cloud Apps not exists for subscription {subscription_name}."
 else:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=settings["MCAS"]
+ metadata=self.metadata(), resource=settings["MCAS"]
 )
 report.subscription = subscription_name
 report.resource_name = "MCAS"
diff --git a/prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.py b/prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.py
index ad01fbc9785..b7154e99aa0 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_notify_alerts_severity_is_high/defender_ensure_notify_alerts_severity_is_high.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 security_contacts,
 ) in defender_client.security_contacts.items():
 for contact in security_contacts.values():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=contact
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=contact)
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"Notifiy alerts are enabled for severity high in subscription {subscription_name}."
diff --git a/prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.py b/prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.py
index c6b8c0fcc8d..be18d2bfb1d 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_notify_emails_to_owners/defender_ensure_notify_emails_to_owners.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 security_contacts,
 ) in defender_client.security_contacts.items():
 for contact in security_contacts.values():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=contact
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=contact)
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = (
diff --git a/prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.py b/prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.py
index 431ec387927..1984888f021 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_system_updates_are_applied/defender_ensure_system_updates_are_applied.py
@@ -19,7 +19,7 @@ def execute(self) -> Check_Report_Azure:
 ):
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=assessments[
+ resource=assessments[
 "System updates should be installed on your machines"
 ],
 )
diff --git a/prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.py b/prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.py
index 90a16c4f4ab..5cc6ebde570 100644
--- a/prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.py
+++ b/prowler/providers/azure/services/defender/defender_ensure_wdatp_is_enabled/defender_ensure_wdatp_is_enabled.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 settings,
 ) in defender_client.settings.items():
 if "WDATP" not in settings:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "WDATP"
 report.resource_id = "WDATP"
@@ -21,7 +19,7 @@ def execute(self) -> Check_Report_Azure:
 report.status_extended = f"Microsoft Defender for Endpoint integration not exists for subscription {subscription_name}."
 else:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=settings["WDATP"]
+ metadata=self.metadata(), resource=settings["WDATP"]
 )
 report.subscription = subscription_name
 report.resource_name = "WDATP"
diff --git a/prowler/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api.py b/prowler/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api.py
index 8baa858b43d..e5a5083f2c8 100644
--- a/prowler/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api.py
+++ b/prowler/providers/azure/services/entra/entra_conditional_access_policy_require_mfa_for_management_api/entra_conditional_access_policy_require_mfa_for_management_api.py
@@ -23,7 +23,7 @@ def execute(self) -> Check_Report_Azure:
 )
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=policy
+ metadata=self.metadata(), resource=policy
 )
 report.subscription = f"Tenant: {tenant_name}"
 report.status = "PASS"
@@ -34,7 +34,7 @@ def execute(self) -> Check_Report_Azure:
 else:
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=conditional_access_policies,
+ resource=conditional_access_policies,
 )
 report.subscription = f"Tenant: {tenant_name}"
 report.resource_name = "Conditional Access Policy"
diff --git a/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py b/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py
index 62ba2b789ea..05ca5082791 100644
--- a/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py
+++ b/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for tenant_domain, directory_roles in entra_client.directory_roles.items():
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=directory_roles["Global Administrator"],
+ resource=directory_roles["Global Administrator"],
 )
 report.status = "FAIL"
 report.subscription = f"Tenant: {tenant_domain}"
diff --git a/prowler/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa.py b/prowler/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa.py
index 305f6123c88..706f912a82a 100644
--- a/prowler/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa.py
+++ b/prowler/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa.py
@@ -14,9 +14,7 @@ def execute(self) -> Check_Report_Azure:
 if not is_privileged_user(
 user, entra_client.directory_roles[tenant_domain]
 ):
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=user)
 report.subscription = f"Tenant: {tenant_domain}"
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups.py b/prowler/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups.py
index 6cf96507c9e..6387f8d7262 100644
--- a/prowler/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups.py
+++ b/prowler/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups.py
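Review bot: The new `resource=directory_roles["Global Administrator"],` line in the entra_global_admin_in_less_than_five_users hunk subscripts the per-tenant roles dict with no guard, and a KeyError raised here aborts the whole check for every tenant instead of yielding a finding for the tenant that lacks the role. I cannot tell from the hunk whether the client always populates that key; if it does, a one-line comment saying so would settle it, otherwise look it up with `directory_roles.get("Global Administrator")` and skip or FAIL that tenant before the report is built. execute() starts and ends outside the hunk.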
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for tenant_domain, auth_policy in entra_client.authorization_policy.items():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=auth_policy
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=auth_policy)
 report.subscription = f"Tenant: {tenant_domain}"
 report.resource_name = getattr(auth_policy, "name", "Authorization Policy")
 report.resource_id = getattr(auth_policy, "id", "authorizationPolicy")
diff --git a/prowler/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps.py b/prowler/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps.py
index 1451c521700..5d4115347f8 100644
--- a/prowler/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps.py
+++ b/prowler/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for tenant_domain, auth_policy in entra_client.authorization_policy.items():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=auth_policy
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=auth_policy)
 report.subscription = f"Tenant: {tenant_domain}"
 report.resource_name = getattr(auth_policy, "name", "Authorization Policy")
 report.resource_id = getattr(auth_policy, "id", "authorizationPolicy")
diff --git a/prowler/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants.py b/prowler/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants.py
index 3ff924c73ac..6f621d10421 100644
--- a/prowler/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants.py
+++ b/prowler/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for tenant_domain, auth_policy in entra_client.authorization_policy.items():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=auth_policy
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=auth_policy)
 report.subscription = f"Tenant: {tenant_domain}"
 report.resource_name = getattr(auth_policy, "name", "Authorization Policy")
 report.resource_id = getattr(auth_policy, "id", "authorizationPolicy")
diff --git a/prowler/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles.py b/prowler/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles.py
index e40ed9deb79..1a9ffc40af8 100644
--- a/prowler/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles.py
+++ b/prowler/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for tenant_domain, auth_policy in entra_client.authorization_policy.items():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=auth_policy
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=auth_policy)
 report.subscription = f"Tenant: {tenant_domain}"
 report.resource_name = getattr(auth_policy, "name", "Authorization Policy")
 report.resource_id = getattr(auth_policy, "id", "authorizationPolicy")
diff --git a/prowler/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions.py b/prowler/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions.py
index ca730463d7f..2563c3330b2 100644
--- a/prowler/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions.py
+++ b/prowler/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions.py
@@ -8,9 +8,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for tenant_domain, auth_policy in entra_client.authorization_policy.items():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=auth_policy
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=auth_policy)
 report.subscription = f"Tenant: {tenant_domain}"
 report.resource_name = getattr(auth_policy, "name", "Authorization Policy")
 report.resource_id = getattr(auth_policy, "id", "authorizationPolicy")
diff --git a/prowler/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps.py b/prowler/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps.py
index df66fa550a7..882ae71f618 100644
--- a/prowler/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps.py
+++ b/prowler/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for tenant_domain, auth_policy in entra_client.authorization_policy.items():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=auth_policy
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=auth_policy)
 report.subscription = f"Tenant: {tenant_domain}"
 report.resource_name = getattr(auth_policy, "name", "Authorization Policy")
 report.resource_id = getattr(auth_policy, "id", "authorizationPolicy")
diff --git a/prowler/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps.py b/prowler/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps.py
index 869114dc9f7..ab893e044a5 100644
--- a/prowler/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps.py
+++ b/prowler/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for tenant_domain, auth_policy in entra_client.authorization_policy.items():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=auth_policy
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=auth_policy)
 report.subscription = f"Tenant: {tenant_domain}"
 report.resource_name = getattr(auth_policy, "name", "Authorization Policy")
 report.resource_id = getattr(auth_policy, "id", "authorizationPolicy")
diff --git a/prowler/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa.py b/prowler/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa.py
index 72b2e7b2f3d..5605ba4a83a 100644
--- a/prowler/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa.py
+++ b/prowler/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa.py
@@ -14,9 +14,7 @@ def execute(self) -> Check_Report_Azure:
 if is_privileged_user(
 user, entra_client.directory_roles[tenant_domain]
 ):
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=user
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=user)
 report.subscription = f"Tenant: {tenant_domain}"
 report.status = "FAIL"
 report.status_extended = (
diff --git a/prowler/providers/azure/services/entra/entra_security_defaults_enabled/entra_security_defaults_enabled.py b/prowler/providers/azure/services/entra/entra_security_defaults_enabled/entra_security_defaults_enabled.py
index a922b7c166b..b7deed387b1 100644
--- a/prowler/providers/azure/services/entra/entra_security_defaults_enabled/entra_security_defaults_enabled.py
+++ b/prowler/providers/azure/services/entra/entra_security_defaults_enabled/entra_security_defaults_enabled.py
@@ -11,7 +11,7 @@ def execute(self) -> Check_Report_Azure:
 security_default,
 ) in entra_client.security_default.items():
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=security_default
+ metadata=self.metadata(), resource=security_default
 )
 report.subscription = f"Tenant: {tenant}"
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/entra/entra_trusted_named_locations_exists/entra_trusted_named_locations_exists.py b/prowler/providers/azure/services/entra/entra_trusted_named_locations_exists/entra_trusted_named_locations_exists.py
index d2731b5f15f..4b930b9c57c 100644
--- a/prowler/providers/azure/services/entra/entra_trusted_named_locations_exists/entra_trusted_named_locations_exists.py
+++ b/prowler/providers/azure/services/entra/entra_trusted_named_locations_exists/entra_trusted_named_locations_exists.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for tenant, named_locations in entra_client.named_locations.items():
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=named_locations
+ metadata=self.metadata(), resource=named_locations
 )
 report.status = "FAIL"
 report.subscription = f"Tenant: {tenant}"
@@ -20,7 +20,7 @@ def execute(self) -> Check_Report_Azure:
 for named_location in named_locations.values():
 if named_location.ip_ranges_addresses and named_location.is_trusted:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=named_location
+ metadata=self.metadata(), resource=named_location
 )
 report.subscription = f"Tenant: {tenant}"
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py b/prowler/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py
index 5a053e294e4..9a6283e1c69 100644
--- a/prowler/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py
+++ b/prowler/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py
@@ -38,7 +38,7 @@ def execute(self) -> Check_Report_Azure:
 and assignment.agent_id == user.id
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=user
+ metadata=self.metadata(), resource=user
 )
 report.subscription = subscription_name
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups.py b/prowler/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups.py
index cde6f3e1a33..5dc0d7f4458 100644
--- a/prowler/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups.py
+++ b/prowler/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for tenant_domain, group_settings in entra_client.group_settings.items():
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=group_settings
+ metadata=self.metadata(), resource=group_settings
 )
 report.status = "FAIL"
 report.subscription = f"Tenant: {tenant_domain}"
diff --git a/prowler/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks.py b/prowler/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks.py
index 796f88c71c6..d3df749b209 100644
--- a/prowler/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks.py
+++ b/prowler/providers/azure/services/iam/iam_custom_role_has_permissions_to_administer_resource_locks/iam_custom_role_has_permissions_to_administer_resource_locks.py
@@ -14,7 +14,7 @@ def execute(self) -> Check_Report_Azure:
 if exits_role_with_permission_over_locks:
 break
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=custom_role
+ metadata=self.metadata(), resource=custom_role
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created.py b/prowler/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created.py
index a804d749c27..df735162523 100644
--- a/prowler/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created.py
+++ b/prowler/providers/azure/services/iam/iam_subscription_roles_owner_custom_not_created/iam_subscription_roles_owner_custom_not_created.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, roles in iam_client.custom_roles.items():
 for custom_role in roles:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=custom_role
+ metadata=self.metadata(), resource=custom_role
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/keyvault/keyvault_key_expiration_set_in_non_rbac/keyvault_key_expiration_set_in_non_rbac.py b/prowler/providers/azure/services/keyvault/keyvault_key_expiration_set_in_non_rbac/keyvault_key_expiration_set_in_non_rbac.py
index 7f8dcf723f0..783f4e28efb 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_key_expiration_set_in_non_rbac/keyvault_key_expiration_set_in_non_rbac.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_key_expiration_set_in_non_rbac/keyvault_key_expiration_set_in_non_rbac.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for keyvault in key_vaults:
 if not keyvault.properties.enable_rbac_authorization and keyvault.keys:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
+ metadata=self.metadata(), resource=keyvault
 )
 report.subscription = subscription
 report.status = "PASS"
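Review bot: Passing the whole `keyvault` object as `resource` in the keyvault_key_expiration_set_in_non_rbac hunk hands the output layer an object that, judging by the conditions visible in these hunks, carries `keys` and `secrets` collections; if the resource is now serialized into findings, key and secret names and whatever properties the client fetched alongside them land in every exported report. The same concern applies to the `resource=user` hunks (entra_non_privileged_user_has_mfa, entra_privileged_user_has_mfa, entra_user_with_vm_access_has_mfa) and to `resource=contact` in the two notify hunks, which carry identity and contact data, and to the remaining keyvault hunks below. Finding exports are routinely forwarded to ticketing and SIEM tooling, so I would confirm that the serializer projects an explicit set of identifying fields rather than the full object, or pass a trimmed view here, and record that decision in a short comment at the first keyvault call site, e.g. `# the full vault object is attached; the output layer is expected to project identifying fields only`. execute() continues outside the hunk.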
diff --git a/prowler/providers/azure/services/keyvault/keyvault_key_rotation_enabled/keyvault_key_rotation_enabled.py b/prowler/providers/azure/services/keyvault/keyvault_key_rotation_enabled/keyvault_key_rotation_enabled.py
index df8c6dabdfc..088a02d827b 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_key_rotation_enabled/keyvault_key_rotation_enabled.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_key_rotation_enabled/keyvault_key_rotation_enabled.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for keyvault in key_vaults:
 if keyvault.keys:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
+ metadata=self.metadata(), resource=keyvault
 )
 report.subscription = subscription
 for key in keyvault.keys:
diff --git a/prowler/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled.py b/prowler/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled.py
index 2316c658e37..2aff55c77dc 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_logging_enabled/keyvault_logging_enabled.py
@@ -8,9 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription_name, key_vaults in keyvault_client.key_vaults.items():
 for keyvault in key_vaults:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=keyvault)
 report.subscription = subscription_name
 if not keyvault.monitor_diagnostic_settings:
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/keyvault/keyvault_non_rbac_secret_expiration_set/keyvault_non_rbac_secret_expiration_set.py b/prowler/providers/azure/services/keyvault/keyvault_non_rbac_secret_expiration_set/keyvault_non_rbac_secret_expiration_set.py
index e6ad55f9bd4..766a797732f 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_non_rbac_secret_expiration_set/keyvault_non_rbac_secret_expiration_set.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_non_rbac_secret_expiration_set/keyvault_non_rbac_secret_expiration_set.py
@@ -12,7 +12,7 @@ def execute(self) -> Check_Report_Azure:
 and keyvault.secrets
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
+ metadata=self.metadata(), resource=keyvault
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/keyvault/keyvault_private_endpoints/keyvault_private_endpoints.py b/prowler/providers/azure/services/keyvault/keyvault_private_endpoints/keyvault_private_endpoints.py
index e6100dade32..84c6b17e578 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_private_endpoints/keyvault_private_endpoints.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_private_endpoints/keyvault_private_endpoints.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for subscription, key_vaults in keyvault_client.key_vaults.items():
 for keyvault in key_vaults:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=keyvault)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is not using private endpoints."
diff --git a/prowler/providers/azure/services/keyvault/keyvault_rbac_enabled/keyvault_rbac_enabled.py b/prowler/providers/azure/services/keyvault/keyvault_rbac_enabled/keyvault_rbac_enabled.py
index 2cdde049df8..e26c5b84f78 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_rbac_enabled/keyvault_rbac_enabled.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_rbac_enabled/keyvault_rbac_enabled.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for subscription, key_vaults in keyvault_client.key_vaults.items():
 for keyvault in key_vaults:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=keyvault)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is not using RBAC for access control."
diff --git a/prowler/providers/azure/services/keyvault/keyvault_rbac_key_expiration_set/keyvault_rbac_key_expiration_set.py b/prowler/providers/azure/services/keyvault/keyvault_rbac_key_expiration_set/keyvault_rbac_key_expiration_set.py
index 87d40c4c238..f7066764983 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_rbac_key_expiration_set/keyvault_rbac_key_expiration_set.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_rbac_key_expiration_set/keyvault_rbac_key_expiration_set.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for keyvault in key_vaults:
 if keyvault.properties.enable_rbac_authorization and keyvault.keys:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
+ metadata=self.metadata(), resource=keyvault
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py b/prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py
index cfe00d2f329..f2cc00bd470 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for keyvault in key_vaults:
 if keyvault.properties.enable_rbac_authorization and keyvault.secrets:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
+ metadata=self.metadata(), resource=keyvault
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/keyvault/keyvault_recoverable/keyvault_recoverable.py b/prowler/providers/azure/services/keyvault/keyvault_recoverable/keyvault_recoverable.py
index 239893d17d2..3ffe1f5b932 100644
--- a/prowler/providers/azure/services/keyvault/keyvault_recoverable/keyvault_recoverable.py
+++ b/prowler/providers/azure/services/keyvault/keyvault_recoverable/keyvault_recoverable.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Azure:
 findings = []
 for subscription, key_vaults in keyvault_client.key_vaults.items():
 for keyvault in key_vaults:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=keyvault
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=keyvault)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is not recoverable."
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_create_policy_assignment/monitor_alert_create_policy_assignment.py b/prowler/providers/azure/services/monitor/monitor_alert_create_policy_assignment/monitor_alert_create_policy_assignment.py
index 112be23cc7b..eeb9da5a24b 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_create_policy_assignment/monitor_alert_create_policy_assignment.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_create_policy_assignment/monitor_alert_create_policy_assignment.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Authorization/policyAssignments/write"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for creating Policy Assignments in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_create_update_nsg/monitor_alert_create_update_nsg.py b/prowler/providers/azure/services/monitor/monitor_alert_create_update_nsg/monitor_alert_create_update_nsg.py
index be6e3619995..41df8f0c6c5 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_create_update_nsg/monitor_alert_create_update_nsg.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_create_update_nsg/monitor_alert_create_update_nsg.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Network/networkSecurityGroups/write"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for creating/updating Network Security Groups in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
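Review bot: The `else` branch attaches an empty dict as the finding's resource (`resource={}`) and then overwrites `resource_name` and `resource_id` with the `"Monitor"` placeholder; the same pattern is in monitor_alert_create_update_nsg, monitor_alert_create_update_public_ip_address_rule, monitor_alert_create_update_security_solution, monitor_alert_create_update_sqlserver_fr and the five monitor_alert_delete_* hunks. Because this is the FAIL path for a missing alert rule, which is the finding a defender acts on, the empty resource should read as deliberate rather than as a lost lookup; a one-line comment makes that explicit: `# No matching alert rule exists, so there is no concrete resource; the Monitor placeholder below identifies the finding.` If the resource object is now serialized into outputs, as the purpose of this change implies, please also confirm that an empty mapping renders as intended there. The enclosing `execute` starts before the hunk.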
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py b/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py
index 07f82099b8d..b8203809669 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Network/publicIPAddresses/write"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for creating/updating Public IP address rule in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_create_update_security_solution/monitor_alert_create_update_security_solution.py b/prowler/providers/azure/services/monitor/monitor_alert_create_update_security_solution/monitor_alert_create_update_security_solution.py
index ba62b5b852f..09a67006d77 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_create_update_security_solution/monitor_alert_create_update_security_solution.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_create_update_security_solution/monitor_alert_create_update_security_solution.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Security/securitySolutions/write"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for creating/updating Security Solution in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_create_update_sqlserver_fr/monitor_alert_create_update_sqlserver_fr.py b/prowler/providers/azure/services/monitor/monitor_alert_create_update_sqlserver_fr/monitor_alert_create_update_sqlserver_fr.py
index 28602df9121..c020c558ed4 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_create_update_sqlserver_fr/monitor_alert_create_update_sqlserver_fr.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_create_update_sqlserver_fr/monitor_alert_create_update_sqlserver_fr.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Sql/servers/firewallRules/write"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for creating/updating SQL Server firewall rule in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_delete_nsg/monitor_alert_delete_nsg.py b/prowler/providers/azure/services/monitor/monitor_alert_delete_nsg/monitor_alert_delete_nsg.py
index eecead45c23..6186d2e4cbd 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_delete_nsg/monitor_alert_delete_nsg.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_delete_nsg/monitor_alert_delete_nsg.py
@@ -18,16 +18,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.ClassicNetwork/networkSecurityGroups/delete"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for deleting Network Security Groups in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_delete_policy_assignment/monitor_alert_delete_policy_assignment.py b/prowler/providers/azure/services/monitor/monitor_alert_delete_policy_assignment/monitor_alert_delete_policy_assignment.py
index 84fcc91f1b4..10e6e9e5257 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_delete_policy_assignment/monitor_alert_delete_policy_assignment.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_delete_policy_assignment/monitor_alert_delete_policy_assignment.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Authorization/policyAssignments/delete"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for deleting policy assignment in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_delete_public_ip_address_rule/monitor_alert_delete_public_ip_address_rule.py b/prowler/providers/azure/services/monitor/monitor_alert_delete_public_ip_address_rule/monitor_alert_delete_public_ip_address_rule.py
index f2605677af5..ff9f8de32de 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_delete_public_ip_address_rule/monitor_alert_delete_public_ip_address_rule.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_delete_public_ip_address_rule/monitor_alert_delete_public_ip_address_rule.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Network/publicIPAddresses/delete"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for deleting public IP address rule in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_delete_security_solution/monitor_alert_delete_security_solution.py b/prowler/providers/azure/services/monitor/monitor_alert_delete_security_solution/monitor_alert_delete_security_solution.py
index cac5a45f27d..a637e761f02 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_delete_security_solution/monitor_alert_delete_security_solution.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_delete_security_solution/monitor_alert_delete_security_solution.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Security/securitySolutions/delete"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for deleting Security Solution in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_delete_sqlserver_fr/monitor_alert_delete_sqlserver_fr.py b/prowler/providers/azure/services/monitor/monitor_alert_delete_sqlserver_fr/monitor_alert_delete_sqlserver_fr.py
index 0be174bbe62..04ed052887d 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_delete_sqlserver_fr/monitor_alert_delete_sqlserver_fr.py
+++ b/prowler/providers/azure/services/monitor/monitor_alert_delete_sqlserver_fr/monitor_alert_delete_sqlserver_fr.py
@@ -16,16 +16,14 @@ def execute(self) -> Check_Report_Azure:
 alert_rule, "Microsoft.Sql/servers/firewallRules/delete"
 ):
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=alert_rule
+ metadata=self.metadata(), resource=alert_rule
 )
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"There is an alert configured for deleting SQL Server firewall rule in subscription {subscription_name}."
 break
 else:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata={}
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource={})
 report.subscription = subscription_name
 report.resource_name = "Monitor"
 report.resource_id = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_diagnostic_setting_with_appropriate_categories/monitor_diagnostic_setting_with_appropriate_categories.py b/prowler/providers/azure/services/monitor/monitor_diagnostic_setting_with_appropriate_categories/monitor_diagnostic_setting_with_appropriate_categories.py
index f0ce0494f9d..6bae6ef078d 100644
--- a/prowler/providers/azure/services/monitor/monitor_diagnostic_setting_with_appropriate_categories/monitor_diagnostic_setting_with_appropriate_categories.py
+++ b/prowler/providers/azure/services/monitor/monitor_diagnostic_setting_with_appropriate_categories/monitor_diagnostic_setting_with_appropriate_categories.py
@@ -11,7 +11,7 @@ def execute(self) -> Check_Report_Azure:
 diagnostic_settings,
 ) in monitor_client.diagnostics_settings.items():
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=diagnostic_settings
+ metadata=self.metadata(), resource=diagnostic_settings
 )
 report.subscription = subscription_name
 report.resource_name = "Monitor"
diff --git a/prowler/providers/azure/services/monitor/monitor_diagnostic_settings_exists/monitor_diagnostic_settings_exists.py b/prowler/providers/azure/services/monitor/monitor_diagnostic_settings_exists/monitor_diagnostic_settings_exists.py
index 7e0100d8c26..bec33b44311 100644
--- a/prowler/providers/azure/services/monitor/monitor_diagnostic_settings_exists/monitor_diagnostic_settings_exists.py
+++ b/prowler/providers/azure/services/monitor/monitor_diagnostic_settings_exists/monitor_diagnostic_settings_exists.py
@@ -11,7 +11,7 @@ def execute(self) -> Check_Report_Azure:
 diagnostic_settings,
 ) in monitor_client.diagnostics_settings.items():
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=diagnostic_settings
+ metadata=self.metadata(), resource=diagnostic_settings
 )
 report.subscription = subscription_name
 report.resource_name = "Diagnostic Settings"
diff --git a/prowler/providers/azure/services/monitor/monitor_storage_account_with_activity_logs_cmk_encrypted/monitor_storage_account_with_activity_logs_cmk_encrypted.py b/prowler/providers/azure/services/monitor/monitor_storage_account_with_activity_logs_cmk_encrypted/monitor_storage_account_with_activity_logs_cmk_encrypted.py
index dd616810476..2400fe2206e 100644
--- a/prowler/providers/azure/services/monitor/monitor_storage_account_with_activity_logs_cmk_encrypted/monitor_storage_account_with_activity_logs_cmk_encrypted.py
+++ b/prowler/providers/azure/services/monitor/monitor_storage_account_with_activity_logs_cmk_encrypted/monitor_storage_account_with_activity_logs_cmk_encrypted.py
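Review bot: `resource=diagnostic_settings` here and in monitor_diagnostic_settings_exists hands the constructor a per-subscription collection rather than a single resource, judging by the plural name and the `.items()` iteration; the same applies to `resource=bastion_hosts` in network_bastion_host_exists and `resource=network_watchers` in network_watcher_enabled, where the other network hunks iterate that very value with `for network_watcher in network_watchers`. A list carries no `id`/`name` of its own, which is presumably why each of these checks sets `resource_name`/`resource_id` by hand afterwards, but if the resource object is now serialized into outputs the whole inventory for the subscription ends up inside one subscription-level finding. Consider attaching a single representative element or an explicit placeholder, with a comment such as `# subscription-level finding: no single resource, ids are set below`. The enclosing `execute` starts before the hunk.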
@@ -17,7 +17,7 @@ def execute(self) -> Check_Report_Azure:
 ]:
 if storage_account.name == diagnostic_setting.storage_account_name:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription_name
 if storage_account.encryption_type == "Microsoft.Storage":
diff --git a/prowler/providers/azure/services/monitor/monitor_storage_account_with_activity_logs_is_private/monitor_storage_account_with_activity_logs_is_private.py b/prowler/providers/azure/services/monitor/monitor_storage_account_with_activity_logs_is_private/monitor_storage_account_with_activity_logs_is_private.py
index 98490a11f47..0fc6b71768f 100644
--- a/prowler/providers/azure/services/monitor/monitor_storage_account_with_activity_logs_is_private/monitor_storage_account_with_activity_logs_is_private.py
+++ b/prowler/providers/azure/services/monitor/monitor_storage_account_with_activity_logs_is_private/monitor_storage_account_with_activity_logs_is_private.py
@@ -17,7 +17,7 @@ def execute(self) -> Check_Report_Azure:
 ]:
 if storage_account.name == diagnostic_setting.storage_account_name:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription_name
 if storage_account.allow_blob_public_access:
diff --git a/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.py b/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.py
index 23d82f83d9e..03c94bcfed4 100644
--- a/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.py
+++ b/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_connection_activated/mysql_flexible_server_audit_log_connection_activated.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 servers,
 ) in mysql_client.flexible_servers.items():
 for server in servers.values():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription_name
 report.status = "FAIL"
 report.status_extended = f"Audit log is disabled for server {server.name} in subscription {subscription_name}."
diff --git a/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.py b/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.py
index ffb13dab2f8..c8ae94fb31b 100644
--- a/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.py
+++ b/prowler/providers/azure/services/mysql/mysql_flexible_server_audit_log_enabled/mysql_flexible_server_audit_log_enabled.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 servers,
 ) in mysql_client.flexible_servers.items():
 for server in servers.values():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.status = "FAIL"
 report.subscription = subscription_name
 report.status_extended = f"Audit log is disabled for server {server.name} in subscription {subscription_name}."
diff --git a/prowler/providers/azure/services/mysql/mysql_flexible_server_minimum_tls_version_12/mysql_flexible_server_minimum_tls_version_12.py b/prowler/providers/azure/services/mysql/mysql_flexible_server_minimum_tls_version_12/mysql_flexible_server_minimum_tls_version_12.py
index db7ed560dd2..dbd12bd344f 100644
--- a/prowler/providers/azure/services/mysql/mysql_flexible_server_minimum_tls_version_12/mysql_flexible_server_minimum_tls_version_12.py
+++ b/prowler/providers/azure/services/mysql/mysql_flexible_server_minimum_tls_version_12/mysql_flexible_server_minimum_tls_version_12.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 servers,
 ) in mysql_client.flexible_servers.items():
 for server in servers.values():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription_name
 report.status = "FAIL"
 report.status_extended = f"TLS version is not configured in server {server.name} in subscription {subscription_name}."
diff --git a/prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.py b/prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.py
index 0635343a46f..a18a1aba5e9 100644
--- a/prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.py
+++ b/prowler/providers/azure/services/mysql/mysql_flexible_server_ssl_connection_enabled/mysql_flexible_server_ssl_connection_enabled.py
@@ -11,9 +11,7 @@ def execute(self) -> Check_Report_Azure:
 servers,
 ) in mysql_client.flexible_servers.items():
 for server in servers.values():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription_name
 report.status = "FAIL"
 report.status_extended = f"SSL connection is disabled for server {server.name} in subscription {subscription_name}."
diff --git a/prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.py b/prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.py
index d6a4ef52a9c..2f6a55575d1 100644
--- a/prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.py
+++ b/prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.py
@@ -19,7 +19,7 @@ def execute(self) -> Check_Report_Azure:
 status_extended = f"Bastion Host from subscription {subscription} available are: {bastion_names}"
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=bastion_hosts
+ metadata=self.metadata(), resource=bastion_hosts
 )
 report.subscription = subscription
 report.resource_name = "Bastion Host"
diff --git a/prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.py b/prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.py
index 0dec9322e3c..4d8749e2810 100644
--- a/prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.py
+++ b/prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, network_watchers in network_client.network_watchers.items():
 for network_watcher in network_watchers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=network_watcher
+ metadata=self.metadata(), resource=network_watcher
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.py b/prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.py
index eafd32b0abd..f073bb570db 100644
--- a/prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.py
+++ b/prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, network_watchers in network_client.network_watchers.items():
 for network_watcher in network_watchers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=network_watcher
+ metadata=self.metadata(), resource=network_watcher
 )
 report.subscription = subscription
 if network_watcher.flow_logs:
diff --git a/prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.py b/prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.py
index c259dad7b36..5fd8d053f43 100644
--- a/prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.py
+++ b/prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, security_groups in network_client.security_groups.items():
 for security_group in security_groups:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.py b/prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.py
index f3077c8acc0..83340768eb7 100644
--- a/prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.py
+++ b/prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.py
@@ -13,9 +13,7 @@ def execute(self):
 api = shodan.Shodan(shodan_api_key)
 for subscription, public_ips in network_client.public_ip_addresses.items():
 for ip in public_ips:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=ip
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=ip)
 report.subscription = subscription
 try:
 shodan_info = api.host(ip.ip_address)
diff --git a/prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.py b/prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.py
index 112f63fff4e..8c3d804ccd2 100644
--- a/prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.py
+++ b/prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, security_groups in network_client.security_groups.items():
 for security_group in security_groups:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.py b/prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.py
index 4aa65103fe4..a24cd10da36 100644
--- a/prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.py
+++ b/prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, security_groups in network_client.security_groups.items():
 for security_group in security_groups:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.py b/prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.py
index 55e465c2300..c465c891f20 100644
--- a/prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.py
+++ b/prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, security_groups in network_client.security_groups.items():
 for security_group in security_groups:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=security_group
+ metadata=self.metadata(), resource=security_group
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.py b/prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.py
index aba3c2d3d2a..78ed1f3d1ff 100644
--- a/prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.py
+++ b/prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.py
@@ -7,7 +7,7 @@ def execute(self) -> list[Check_Report_Azure]:
 findings = []
 for subscription, network_watchers in network_client.network_watchers.items():
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=network_watchers
+ metadata=self.metadata(), resource=network_watchers
 )
 report.subscription = subscription
 report.resource_name = "Network Watcher"
diff --git a/prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.py b/prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.py
index adde0781732..ba9ccf1eeab 100644
--- a/prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.py
+++ b/prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_Azure:
 if "SecurityCenterBuiltIn" in policies:
 report = Check_Report_Azure(
 metadata=self.metadata(),
- resource_metadata=policies["SecurityCenterBuiltIn"],
+ resource=policies["SecurityCenterBuiltIn"],
 )
 report.subscription = subscription_name
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.py b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.py
index 2d67b9df445..fc78091b5bb 100644
--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.py
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_allow_access_services_disabled/postgresql_flexible_server_allow_access_services_disabled.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_Azure:
 flexible_servers,
 ) in postgresql_client.flexible_servers.items():
 for server in flexible_servers:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has allow public access from any Azure service enabled"
diff --git a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.py b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.py
index 7505ef58e6d..a395f605b8e 100644
--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.py
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_connection_throttling_on/postgresql_flexible_server_connection_throttling_on.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_Azure:
 flexible_servers,
 ) in postgresql_client.flexible_servers.items():
 for server in flexible_servers:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has connection_throttling disabled"
diff --git a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_enforce_ssl_enabled/postgresql_flexible_server_enforce_ssl_enabled.py b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_enforce_ssl_enabled/postgresql_flexible_server_enforce_ssl_enabled.py
index 401692886d5..35952cd9a04 100644
--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_enforce_ssl_enabled/postgresql_flexible_server_enforce_ssl_enabled.py
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_enforce_ssl_enabled/postgresql_flexible_server_enforce_ssl_enabled.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_Azure:
 flexible_servers,
 ) in postgresql_client.flexible_servers.items():
 for server in flexible_servers:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has enforce ssl disabled"
diff --git a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_checkpoints_on/postgresql_flexible_server_log_checkpoints_on.py b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_checkpoints_on/postgresql_flexible_server_log_checkpoints_on.py
index 08e2a4d4ca3..4ff3b90e773 100644
--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_checkpoints_on/postgresql_flexible_server_log_checkpoints_on.py
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_checkpoints_on/postgresql_flexible_server_log_checkpoints_on.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_Azure:
 flexible_servers,
 ) in postgresql_client.flexible_servers.items():
 for server in flexible_servers:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has log_checkpoints disabled"
diff --git a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_connections_on/postgresql_flexible_server_log_connections_on.py b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_connections_on/postgresql_flexible_server_log_connections_on.py
index 51ae56bd22f..ee7bda8fd9d 100644
--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_connections_on/postgresql_flexible_server_log_connections_on.py
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_connections_on/postgresql_flexible_server_log_connections_on.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_Azure:
 flexible_servers,
 ) in postgresql_client.flexible_servers.items():
 for server in flexible_servers:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has log_connections disabled"
diff --git a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_disconnections_on/postgresql_flexible_server_log_disconnections_on.py b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_disconnections_on/postgresql_flexible_server_log_disconnections_on.py
index 822fa6da41b..af185359480 100644
--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_disconnections_on/postgresql_flexible_server_log_disconnections_on.py
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_disconnections_on/postgresql_flexible_server_log_disconnections_on.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_Azure:
 flexible_servers,
 ) in postgresql_client.flexible_servers.items():
 for server in flexible_servers:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has log_disconnections disabled"
diff --git a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_retention_days_greater_3/postgresql_flexible_server_log_retention_days_greater_3.py b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_retention_days_greater_3/postgresql_flexible_server_log_retention_days_greater_3.py
index 9fa5587b630..f1cb0939c88 100644
--- a/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_retention_days_greater_3/postgresql_flexible_server_log_retention_days_greater_3.py
+++ b/prowler/providers/azure/services/postgresql/postgresql_flexible_server_log_retention_days_greater_3/postgresql_flexible_server_log_retention_days_greater_3.py
@@ -12,9 +12,7 @@ def execute(self) -> Check_Report_Azure:
 flexible_servers,
 ) in postgresql_client.flexible_servers.items():
 for server in flexible_servers:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=server
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=server)
 report.subscription = subscription
 report.status = "FAIL"
 report.status_extended = f"Flexible Postgresql server {server.name} from subscription {subscription} has log_retention disabled"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.py
index e9e4ddf44cd..5461cd45e4d 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.py b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.py
index 61c538ba1f2..5b1120b00e2 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 has_failed = False
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.py
index a8c93a0bd7d..6d5b1c265dc 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.py
index 88f7e424e3b..de2934bcf95 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for sql_server in sql_servers:
 if sql_server.security_alert_policies:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.py b/prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.py
index f96666c7abd..2f559514369 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.py
@@ -13,7 +13,7 @@ def execute(self) -> List[Check_Report_Azure]:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.py b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.py
index cc6fc24f490..2b4cd94d1b0 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.py
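Review bot: The guard `if sql_server.security_alert_policies:` in sqlserver_microsoft_defender_enabled means a SQL server with no security alert policy at all — the least-protected state — yields no finding, so it vanishes from the report instead of failing. Unless an `else` below the hunk already handles it, create the report before the `if` and let the absent-policy case keep the default `report.status = "FAIL"` with a `status_extended` stating that no security alert policy is configured for the server. Only seven lines of execute() are visible here, so confirm the surrounding branch structure before changing it.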
@@ -12,7 +12,7 @@ def execute(self) -> Check_Report_Azure:
 )
 if len(databases) > 0:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 found_disabled = False
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py
index f8378457a59..05de0efc7a0 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py
@@ -15,7 +15,7 @@ def execute(self) -> Check_Report_Azure:
 if database.name.lower() == "master":
 continue
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=database
+ metadata=self.metadata(), resource=database
 )
 report.subscription = subscription
 if database.tde_encryption.status == "Enabled":
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.py b/prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.py
index f3091d2b8e6..9936a9a077a 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.py
index 0f0d8528cd4..62a6a1d458a 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.py
index e43911f3f5d..2aaf40a99a9 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.py b/prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.py
index de6a75f6d27..727696225c1 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.py
index 5ada5e0fb4e..caf0ee00811 100644
--- a/prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.py
+++ b/prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, sql_servers in sqlserver_client.sql_servers.items():
 for sql_server in sql_servers:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=sql_server
+ metadata=self.metadata(), resource=sql_server
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py b/prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py
index 81ce442ae6e..38759f05695 100644
--- a/prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py
+++ b/prowler/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 report.status = "FAIL"
diff --git a/prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.py b/prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.py
index dcb79d1e673..4b9210eef5f 100644
--- a/prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.py
+++ b/prowler/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.py b/prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.py
index 9a136052e65..a8109d90f14 100644
--- a/prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.py
+++ b/prowler/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.py b/prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.py
index 370bb3bd6c6..f58fd33702a 100644
--- a/prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.py
+++ b/prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.py b/prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.py
index 2f8f049b12a..d63b3bfc9ce 100644
--- a/prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.py
+++ b/prowler/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.py b/prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.py
index 78058755311..7b73759922b 100644
--- a/prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.py
+++ b/prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 if storage_account.private_endpoint_connections:
diff --git a/prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.py b/prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.py
index 2b16f23941d..7f8d3b39f47 100644
--- a/prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.py
+++ b/prowler/providers/azure/services/storage/storage_ensure_soft_delete_is_enabled/storage_ensure_soft_delete_is_enabled.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for storage_account in storage_accounts:
 if storage_account.blob_properties:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 if getattr(
diff --git a/prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.py b/prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.py
index 7113bfca440..cb969975c27 100644
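Review bot: The `if storage_account.blob_properties:` guard in storage_ensure_soft_delete_is_enabled silently drops any storage account whose blob service properties are missing or empty, so such an account never appears as PASS or FAIL even though soft delete was not confirmed for it. If the attribute can be empty because the service client failed to read it (permissions, API error) rather than because the account has no blob service, that is a coverage gap that should be visible — at minimum a warning log naming the account and subscription, or a FAIL finding stating that blob properties could not be evaluated. Whether an `else` exists cannot be seen here; execute() continues outside the hunk.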
--- a/prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.py
+++ b/prowler/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.py b/prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.py
index caf4f173e76..0007b51e6b6 100644
--- a/prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.py
+++ b/prowler/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 if not storage_account.key_expiration_period_in_days:
diff --git a/prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.py b/prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.py
index 893906d1b80..0711ab39912 100644
--- a/prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.py
+++ b/prowler/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription, storage_accounts in storage_client.storage_accounts.items():
 for storage_account in storage_accounts:
 report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=storage_account
+ metadata=self.metadata(), resource=storage_account
 )
 report.subscription = subscription
 report.status = "PASS"
diff --git a/prowler/providers/azure/services/vm/vm_ensure_attached_disks_encrypted_with_cmk/vm_ensure_attached_disks_encrypted_with_cmk.py b/prowler/providers/azure/services/vm/vm_ensure_attached_disks_encrypted_with_cmk/vm_ensure_attached_disks_encrypted_with_cmk.py
index b9909d13537..e803110a9cf 100644
--- a/prowler/providers/azure/services/vm/vm_ensure_attached_disks_encrypted_with_cmk/vm_ensure_attached_disks_encrypted_with_cmk.py
+++ b/prowler/providers/azure/services/vm/vm_ensure_attached_disks_encrypted_with_cmk/vm_ensure_attached_disks_encrypted_with_cmk.py
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription_name, disks in vm_client.disks.items():
 for disk_id, disk in disks.items():
 if disk.vms_attached:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=disk
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=disk)
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"Disk '{disk_id}' is encrypted with a customer-managed key in subscription {subscription_name}."
diff --git a/prowler/providers/azure/services/vm/vm_ensure_unattached_disks_encrypted_with_cmk/vm_ensure_unattached_disks_encrypted_with_cmk.py b/prowler/providers/azure/services/vm/vm_ensure_unattached_disks_encrypted_with_cmk/vm_ensure_unattached_disks_encrypted_with_cmk.py
index 71a9874cdcf..ecf9cd0f87c 100644
--- a/prowler/providers/azure/services/vm/vm_ensure_unattached_disks_encrypted_with_cmk/vm_ensure_unattached_disks_encrypted_with_cmk.py
+++ b/prowler/providers/azure/services/vm/vm_ensure_unattached_disks_encrypted_with_cmk/vm_ensure_unattached_disks_encrypted_with_cmk.py
@@ -9,9 +9,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription_name, disks in vm_client.disks.items():
 for disk_id, disk in disks.items():
 if not disk.vms_attached:
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=disk
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=disk)
 report.subscription = subscription_name
 report.status = "PASS"
 report.status_extended = f"Disk '{disk_id}' is encrypted with a customer-managed key in subscription {subscription_name}."
diff --git a/prowler/providers/azure/services/vm/vm_ensure_using_managed_disks/vm_ensure_using_managed_disks.py b/prowler/providers/azure/services/vm/vm_ensure_using_managed_disks/vm_ensure_using_managed_disks.py
index f428db473b4..22735fa9b75 100644
--- a/prowler/providers/azure/services/vm/vm_ensure_using_managed_disks/vm_ensure_using_managed_disks.py
+++ b/prowler/providers/azure/services/vm/vm_ensure_using_managed_disks/vm_ensure_using_managed_disks.py
@@ -8,9 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription_name, vms in vm_client.virtual_machines.items():
 for vm in vms.values():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=vm
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=vm)
 report.status = "PASS"
 report.subscription = subscription_name
 report.status_extended = f"VM {vm.resource_name} is using managed disks in subscription {subscription_name}"
diff --git a/prowler/providers/azure/services/vm/vm_trusted_launch_enabled/vm_trusted_launch_enabled.py b/prowler/providers/azure/services/vm/vm_trusted_launch_enabled/vm_trusted_launch_enabled.py
index c680f2d60c1..e4a4d9d0825 100644
--- a/prowler/providers/azure/services/vm/vm_trusted_launch_enabled/vm_trusted_launch_enabled.py
+++ b/prowler/providers/azure/services/vm/vm_trusted_launch_enabled/vm_trusted_launch_enabled.py
@@ -8,9 +8,7 @@ def execute(self) -> Check_Report_Azure:
 for subscription_name, vms in vm_client.virtual_machines.items():
 for vm in vms.values():
- report = Check_Report_Azure(
- metadata=self.metadata(), resource_metadata=vm
- )
+ report = Check_Report_Azure(metadata=self.metadata(), resource=vm)
 report.subscription = subscription_name
 report.status = "FAIL"
 report.status_extended = f"VM {vm.resource_name} has trusted launch disabled in subscription {subscription_name}"
diff --git a/prowler/providers/gcp/services/apikeys/apikeys_api_restrictions_configured/apikeys_api_restrictions_configured.py b/prowler/providers/gcp/services/apikeys/apikeys_api_restrictions_configured/apikeys_api_restrictions_configured.py
index 5ce0b008144..5cfef92078f 100644
--- a/prowler/providers/gcp/services/apikeys/apikeys_api_restrictions_configured/apikeys_api_restrictions_configured.py
+++ b/prowler/providers/gcp/services/apikeys/apikeys_api_restrictions_configured/apikeys_api_restrictions_configured.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
 for key in apikeys_client.keys:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=key,
+ resource=key,
 location=apikeys_client.region,
 )
 report.status = "PASS"
diff --git a/prowler/providers/gcp/services/apikeys/apikeys_key_exists/apikeys_key_exists.py b/prowler/providers/gcp/services/apikeys/apikeys_key_exists/apikeys_key_exists.py
index 3f18cf68132..4ec5c8c67d4 100644
--- a/prowler/providers/gcp/services/apikeys/apikeys_key_exists/apikeys_key_exists.py
+++ b/prowler/providers/gcp/services/apikeys/apikeys_key_exists/apikeys_key_exists.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
 for project in apikeys_client.project_ids:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=apikeys_client.projects[project],
+ resource=apikeys_client.projects[project],
 project_id=project,
 location=apikeys_client.region,
 )
diff --git a/prowler/providers/gcp/services/apikeys/apikeys_key_rotated_in_90_days/apikeys_key_rotated_in_90_days.py b/prowler/providers/gcp/services/apikeys/apikeys_key_rotated_in_90_days/apikeys_key_rotated_in_90_days.py
index 6c97dd28542..752f6443427 100644
--- a/prowler/providers/gcp/services/apikeys/apikeys_key_rotated_in_90_days/apikeys_key_rotated_in_90_days.py
+++ b/prowler/providers/gcp/services/apikeys/apikeys_key_rotated_in_90_days/apikeys_key_rotated_in_90_days.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_GCP:
 for key in apikeys_client.keys:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=key,
+ resource=key,
 location=apikeys_client.region,
 )
 report.status = "PASS"
diff --git a/prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.py b/prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.py
index 8ef35e37177..90f4a35490c 100644
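Review bot: `resource=key` in the apikeys_api_restrictions_configured and apikeys_key_rotated_in_90_days hunks hands the whole API-key model to the report, and if the report's `resource` is what the output writers now serialize, any field on that model is written into every finding file. Whether the model holds the key secret or only identifying attributes (name, id, creation time, restrictions) is not visible here, so confirm the `Key` model stores no secret material, or that the serializer redacts it, before this ships. A one-line comment at the first call, such as `# resource is emitted with the finding: Key must carry no secret material`, would record that contract for whoever next extends the model. The enclosing `execute` continues outside each hunk.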
--- a/prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.py +++ b/prowler/providers/gcp/services/artifacts/artifacts_container_analysis_enabled/artifacts_container_analysis_enabled.py @@ -10,7 +10,7 @@ def execute(self) -> Check_Report_GCP: for project_id in serviceusage_client.project_ids: report = Check_Report_GCP( metadata=self.metadata(), - resource_metadata=serviceusage_client.projects[project_id], + resource=serviceusage_client.projects[project_id], resource_id="containeranalysis.googleapis.com", resource_name="AR Container Analysis", project_id=project_id, diff --git a/prowler/providers/gcp/services/bigquery/bigquery_dataset_cmk_encryption/bigquery_dataset_cmk_encryption.py b/prowler/providers/gcp/services/bigquery/bigquery_dataset_cmk_encryption/bigquery_dataset_cmk_encryption.py index c6a0cb6bae2..d54b9218265 100644 --- a/prowler/providers/gcp/services/bigquery/bigquery_dataset_cmk_encryption/bigquery_dataset_cmk_encryption.py +++ b/prowler/providers/gcp/services/bigquery/bigquery_dataset_cmk_encryption/bigquery_dataset_cmk_encryption.py @@ -6,9 +6,7 @@ class bigquery_dataset_cmk_encryption(Check): def execute(self) -> Check_Report_GCP: findings = [] for dataset in bigquery_client.datasets: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=dataset - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=dataset) report.status = "PASS" report.status_extended = f"Dataset {dataset.name} is encrypted with Customer-Managed Keys (CMKs)." if not dataset.cmk_encryption: diff --git a/prowler/providers/gcp/services/bigquery/bigquery_dataset_public_access/bigquery_dataset_public_access.py b/prowler/providers/gcp/services/bigquery/bigquery_dataset_public_access/bigquery_dataset_public_access.py index f7f6d2b39b4..62185fa65f6 100644 --- a/prowler/providers/gcp/services/bigquery/bigquery_dataset_public_access/bigquery_dataset_public_access.py 
+++ b/prowler/providers/gcp/services/bigquery/bigquery_dataset_public_access/bigquery_dataset_public_access.py @@ -6,9 +6,7 @@ class bigquery_dataset_public_access(Check): def execute(self) -> Check_Report_GCP: findings = [] for dataset in bigquery_client.datasets: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=dataset - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=dataset) report.status = "PASS" report.status_extended = ( f"Dataset {dataset.name} is not publicly accessible." diff --git a/prowler/providers/gcp/services/bigquery/bigquery_table_cmk_encryption/bigquery_table_cmk_encryption.py b/prowler/providers/gcp/services/bigquery/bigquery_table_cmk_encryption/bigquery_table_cmk_encryption.py index 86643e76deb..6ab81994772 100644 --- a/prowler/providers/gcp/services/bigquery/bigquery_table_cmk_encryption/bigquery_table_cmk_encryption.py +++ b/prowler/providers/gcp/services/bigquery/bigquery_table_cmk_encryption/bigquery_table_cmk_encryption.py @@ -6,7 +6,7 @@ class bigquery_table_cmk_encryption(Check): def execute(self) -> Check_Report_GCP: findings = [] for table in bigquery_client.tables: - report = Check_Report_GCP(metadata=self.metadata(), resource_metadata=table) + report = Check_Report_GCP(metadata=self.metadata(), resource=table) report.status = "PASS" report.status_extended = ( f"Table {table.name} is encrypted with Customer-Managed Keys (CMKs)." diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups.py index d524e150774..371e77440bf 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups.py 
@@ -6,9 +6,7 @@ class cloudsql_instance_automated_backups(Check): def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = ( f"Database Instance {instance.name} has automated backups configured." diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag.py index 069f844c82b..5ca98619baf 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "MYSQL" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"MySQL Instance {instance.name} does not have 'local_infile' flag set to 'off'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag.py index 5a641385dc8..3b2e05d97e5 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag.py 
+++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "MYSQL" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"MySQL Instance {instance.name} does not have 'skip_show_database' flag set to 'on'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag.py index 25f5e25095e..22256c3ed65 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "POSTGRES" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'cloudsql.enable_pgaudit' flag set to 'on'." for flag in instance.flags: 
diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag.py index e75b0bc278f..1cd635c5e6a 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "POSTGRES" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_connections' flag set to 'on'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_disconnections_flag/cloudsql_instance_postgres_log_disconnections_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_disconnections_flag/cloudsql_instance_postgres_log_disconnections_flag.py index 2c2fc433332..cfb70be528a 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_disconnections_flag/cloudsql_instance_postgres_log_disconnections_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_disconnections_flag/cloudsql_instance_postgres_log_disconnections_flag.py 
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "POSTGRES" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_disconnections' flag set to 'on'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_error_verbosity_flag/cloudsql_instance_postgres_log_error_verbosity_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_error_verbosity_flag/cloudsql_instance_postgres_log_error_verbosity_flag.py index 44505557e36..905090c295f 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_error_verbosity_flag/cloudsql_instance_postgres_log_error_verbosity_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_error_verbosity_flag/cloudsql_instance_postgres_log_error_verbosity_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "POSTGRES" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_error_verbosity' flag set to 'default'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_duration_statement_flag/cloudsql_instance_postgres_log_min_duration_statement_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_duration_statement_flag/cloudsql_instance_postgres_log_min_duration_statement_flag.py index f1e966d4916..f117e30d674 100644 
--- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_duration_statement_flag/cloudsql_instance_postgres_log_min_duration_statement_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_duration_statement_flag/cloudsql_instance_postgres_log_min_duration_statement_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "POSTGRES" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_min_duration_statement' flag set to '-1'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_error_statement_flag/cloudsql_instance_postgres_log_min_error_statement_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_error_statement_flag/cloudsql_instance_postgres_log_min_error_statement_flag.py index b45f003c0af..16127d2bcd7 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_error_statement_flag/cloudsql_instance_postgres_log_min_error_statement_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_error_statement_flag/cloudsql_instance_postgres_log_min_error_statement_flag.py @@ -8,9 +8,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "POSTGRES" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"PostgreSQL Instance {instance.name} has 'log_min_error_statement' flag set minimum to '{desired_log_min_error_statement}'." 
diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_messages_flag/cloudsql_instance_postgres_log_min_messages_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_messages_flag/cloudsql_instance_postgres_log_min_messages_flag.py index 5f08c45240c..143e51779e3 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_messages_flag/cloudsql_instance_postgres_log_min_messages_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_messages_flag/cloudsql_instance_postgres_log_min_messages_flag.py @@ -17,9 +17,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "POSTGRES" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_min_messages' flag set." diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_statement_flag/cloudsql_instance_postgres_log_statement_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_statement_flag/cloudsql_instance_postgres_log_statement_flag.py index 0aa86ec9e60..7740e5b2eee 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_statement_flag/cloudsql_instance_postgres_log_statement_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_statement_flag/cloudsql_instance_postgres_log_statement_flag.py 
@@ -8,9 +8,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "POSTGRES" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"PostgreSQL Instance {instance.name} does not have 'log_statement' flag set to '{desired_log_statement}'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_private_ip_assignment/cloudsql_instance_private_ip_assignment.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_private_ip_assignment/cloudsql_instance_private_ip_assignment.py index 3ca4fcc4767..a6bd2e1c23b 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_private_ip_assignment/cloudsql_instance_private_ip_assignment.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_private_ip_assignment/cloudsql_instance_private_ip_assignment.py @@ -6,9 +6,7 @@ class cloudsql_instance_private_ip_assignment(Check): def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"Database Instance {instance.name} does not have private IP assignments." for address in instance.ip_addresses: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_public_access/cloudsql_instance_public_access.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_public_access/cloudsql_instance_public_access.py index c25f7516662..2327f00305d 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_public_access/cloudsql_instance_public_access.py 
+++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_public_access/cloudsql_instance_public_access.py @@ -6,9 +6,7 @@ class cloudsql_instance_public_access(Check): def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"Database Instance {instance.name} does not whitelist all Public IP Addresses." for network in instance.authorized_networks: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_public_ip/cloudsql_instance_public_ip.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_public_ip/cloudsql_instance_public_ip.py index a7d8b123c1d..f440ce32c51 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_public_ip/cloudsql_instance_public_ip.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_public_ip/cloudsql_instance_public_ip.py @@ -6,9 +6,7 @@ class cloudsql_instance_public_ip(Check): def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = ( f"Database Instance {instance.name} does not have a public IP." diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_contained_database_authentication_flag/cloudsql_instance_sqlserver_contained_database_authentication_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_contained_database_authentication_flag/cloudsql_instance_sqlserver_contained_database_authentication_flag.py index 016e78e7be8..8ee9d37622b 100644 
--- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_contained_database_authentication_flag/cloudsql_instance_sqlserver_contained_database_authentication_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_contained_database_authentication_flag/cloudsql_instance_sqlserver_contained_database_authentication_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "SQLSERVER" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"SQL Server Instance {instance.name} has 'contained database authentication' flag set to 'off'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag.py index 10369a318cc..512b9b154fd 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag.py 
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "SQLSERVER" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"SQL Server Instance {instance.name} has 'cross db ownership chaining' flag set to 'off'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_external_scripts_enabled_flag/cloudsql_instance_sqlserver_external_scripts_enabled_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_external_scripts_enabled_flag/cloudsql_instance_sqlserver_external_scripts_enabled_flag.py index ca1b59acfe6..b6c065135d7 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_external_scripts_enabled_flag/cloudsql_instance_sqlserver_external_scripts_enabled_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_external_scripts_enabled_flag/cloudsql_instance_sqlserver_external_scripts_enabled_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "SQLSERVER" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"SQL Server Instance {instance.name} has 'external scripts enabled' flag set to 'off'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_remote_access_flag/cloudsql_instance_sqlserver_remote_access_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_remote_access_flag/cloudsql_instance_sqlserver_remote_access_flag.py index 0396084b956..a8fd90309e5 100644 
--- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_remote_access_flag/cloudsql_instance_sqlserver_remote_access_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_remote_access_flag/cloudsql_instance_sqlserver_remote_access_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "SQLSERVER" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"SQL Server Instance {instance.name} has 'remote access' flag set to 'on'." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_trace_flag/cloudsql_instance_sqlserver_trace_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_trace_flag/cloudsql_instance_sqlserver_trace_flag.py index 73721346b58..56318c2d675 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_trace_flag/cloudsql_instance_sqlserver_trace_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_trace_flag/cloudsql_instance_sqlserver_trace_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "SQLSERVER" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "FAIL" report.status_extended = f"SQL Server Instance {instance.name} has '3625 (trace flag)' flag set to 'off'." 
diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_connections_flag/cloudsql_instance_sqlserver_user_connections_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_connections_flag/cloudsql_instance_sqlserver_user_connections_flag.py index 04c259dbbf8..257bcc3af70 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_connections_flag/cloudsql_instance_sqlserver_user_connections_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_connections_flag/cloudsql_instance_sqlserver_user_connections_flag.py @@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "SQLSERVER" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"SQL Server Instance {instance.name} has 'user connections' flag set to '0'." diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_options_flag/cloudsql_instance_sqlserver_user_options_flag.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_options_flag/cloudsql_instance_sqlserver_user_options_flag.py index 8261d9b014e..3187c372ca4 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_options_flag/cloudsql_instance_sqlserver_user_options_flag.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_options_flag/cloudsql_instance_sqlserver_user_options_flag.py 
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: if "SQLSERVER" in instance.version: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = f"SQL Server Instance {instance.name} does not have 'user options' flag set." for flag in instance.flags: diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py index 26cdb9ec477..2fa33fbdd83 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py @@ -6,9 +6,7 @@ class cloudsql_instance_ssl_connections(Check): def execute(self) -> Check_Report_GCP: findings = [] for instance in cloudsql_client.instances: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=instance - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=instance) report.status = "PASS" report.status_extended = ( f"Database Instance {instance.name} requires SSL connections." diff --git a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py index a60b827e45b..c712ac0e0a0 100644 --- a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py 
+++ b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_log_retention_policy_lock/cloudstorage_bucket_log_retention_policy_lock.py @@ -15,9 +15,7 @@ def execute(self) -> Check_Report_GCP: log_buckets.append(sink.destination.split("/")[-1]) for bucket in cloudstorage_client.buckets: if bucket.name in log_buckets: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=bucket - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=bucket) report.status = "FAIL" report.status_extended = ( f"Log Sink Bucket {bucket.name} has no Retention Policy." diff --git a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_public_access/cloudstorage_bucket_public_access.py b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_public_access/cloudstorage_bucket_public_access.py index b97359f8711..5b7fb276e8b 100644 --- a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_public_access/cloudstorage_bucket_public_access.py +++ b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_public_access/cloudstorage_bucket_public_access.py @@ -8,9 +8,7 @@ class cloudstorage_bucket_public_access(Check): def execute(self) -> Check_Report_GCP: findings = [] for bucket in cloudstorage_client.buckets: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=bucket - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=bucket) report.status = "PASS" report.status_extended = f"Bucket {bucket.name} is not publicly accessible." if bucket.public: diff --git a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_uniform_bucket_level_access/cloudstorage_bucket_uniform_bucket_level_access.py b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_uniform_bucket_level_access/cloudstorage_bucket_uniform_bucket_level_access.py index ada41297be9..20f6d436cea 100644 
--- a/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_uniform_bucket_level_access/cloudstorage_bucket_uniform_bucket_level_access.py +++ b/prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_uniform_bucket_level_access/cloudstorage_bucket_uniform_bucket_level_access.py @@ -8,9 +8,7 @@ class cloudstorage_bucket_uniform_bucket_level_access(Check): def execute(self) -> Check_Report_GCP: findings = [] for bucket in cloudstorage_client.buckets: - report = Check_Report_GCP( - metadata=self.metadata(), resource_metadata=bucket - ) + report = Check_Report_GCP(metadata=self.metadata(), resource=bucket) report.status = "PASS" report.status_extended = ( f"Bucket {bucket.name} has uniform Bucket Level Access enabled." diff --git a/prowler/providers/gcp/services/compute/compute_firewall_rdp_access_from_the_internet_allowed/compute_firewall_rdp_access_from_the_internet_allowed.py b/prowler/providers/gcp/services/compute/compute_firewall_rdp_access_from_the_internet_allowed/compute_firewall_rdp_access_from_the_internet_allowed.py index a51c1949cd3..af99daeec55 100644 --- a/prowler/providers/gcp/services/compute/compute_firewall_rdp_access_from_the_internet_allowed/compute_firewall_rdp_access_from_the_internet_allowed.py +++ b/prowler/providers/gcp/services/compute/compute_firewall_rdp_access_from_the_internet_allowed/compute_firewall_rdp_access_from_the_internet_allowed.py @@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP: for firewall in compute_client.firewalls: report = Check_Report_GCP( metadata=self.metadata(), - resource_metadata=firewall, + resource=firewall, location=compute_client.region, ) report.status = "PASS" 
diff --git a/prowler/providers/gcp/services/compute/compute_firewall_ssh_access_from_the_internet_allowed/compute_firewall_ssh_access_from_the_internet_allowed.py b/prowler/providers/gcp/services/compute/compute_firewall_ssh_access_from_the_internet_allowed/compute_firewall_ssh_access_from_the_internet_allowed.py index d2e0efa6c11..e4881568cf6 100644 --- a/prowler/providers/gcp/services/compute/compute_firewall_ssh_access_from_the_internet_allowed/compute_firewall_ssh_access_from_the_internet_allowed.py +++ b/prowler/providers/gcp/services/compute/compute_firewall_ssh_access_from_the_internet_allowed/compute_firewall_ssh_access_from_the_internet_allowed.py @@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP: for firewall in compute_client.firewalls: report = Check_Report_GCP( metadata=self.metadata(), - resource_metadata=firewall, + resource=firewall, location=compute_client.region, ) report.status = "PASS" diff --git a/prowler/providers/gcp/services/compute/compute_instance_block_project_wide_ssh_keys_disabled/compute_instance_block_project_wide_ssh_keys_disabled.py b/prowler/providers/gcp/services/compute/compute_instance_block_project_wide_ssh_keys_disabled/compute_instance_block_project_wide_ssh_keys_disabled.py index 17ef798e977..4ee3c9f0294 100644 --- a/prowler/providers/gcp/services/compute/compute_instance_block_project_wide_ssh_keys_disabled/compute_instance_block_project_wide_ssh_keys_disabled.py +++ b/prowler/providers/gcp/services/compute/compute_instance_block_project_wide_ssh_keys_disabled/compute_instance_block_project_wide_ssh_keys_disabled.py 
@@ -6,9 +6,7 @@ class compute_instance_block_project_wide_ssh_keys_disabled(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "FAIL"
             report.status_extended = f"The VM Instance {instance.name} is making use of common/shared project-wide SSH key(s)."
             if instance.metadata.get("items"):
diff --git a/prowler/providers/gcp/services/compute/compute_instance_confidential_computing_enabled/compute_instance_confidential_computing_enabled.py b/prowler/providers/gcp/services/compute/compute_instance_confidential_computing_enabled/compute_instance_confidential_computing_enabled.py
index 66211d59446..9ffecfd7dea 100644
--- a/prowler/providers/gcp/services/compute/compute_instance_confidential_computing_enabled/compute_instance_confidential_computing_enabled.py
+++ b/prowler/providers/gcp/services/compute/compute_instance_confidential_computing_enabled/compute_instance_confidential_computing_enabled.py
@@ -6,9 +6,7 @@ class compute_instance_confidential_computing_enabled(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "PASS"
             report.status_extended = (
                 f"VM Instance {instance.name} has Confidential Computing enabled."
diff --git a/prowler/providers/gcp/services/compute/compute_instance_default_service_account_in_use/compute_instance_default_service_account_in_use.py b/prowler/providers/gcp/services/compute/compute_instance_default_service_account_in_use/compute_instance_default_service_account_in_use.py
index 78be391a4d4..e4e9f388dc1 100644
--- a/prowler/providers/gcp/services/compute/compute_instance_default_service_account_in_use/compute_instance_default_service_account_in_use.py
+++ b/prowler/providers/gcp/services/compute/compute_instance_default_service_account_in_use/compute_instance_default_service_account_in_use.py
@@ -6,9 +6,7 @@ class compute_instance_default_service_account_in_use(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "PASS"
             report.status_extended = f"The default service account is not configured to be used with VM Instance {instance.name}."
             if (
diff --git a/prowler/providers/gcp/services/compute/compute_instance_default_service_account_in_use_with_full_api_access/compute_instance_default_service_account_in_use_with_full_api_access.py b/prowler/providers/gcp/services/compute/compute_instance_default_service_account_in_use_with_full_api_access/compute_instance_default_service_account_in_use_with_full_api_access.py
index d98e5b82c51..901bede1554 100644
--- a/prowler/providers/gcp/services/compute/compute_instance_default_service_account_in_use_with_full_api_access/compute_instance_default_service_account_in_use_with_full_api_access.py
+++ b/prowler/providers/gcp/services/compute/compute_instance_default_service_account_in_use_with_full_api_access/compute_instance_default_service_account_in_use_with_full_api_access.py
@@ -6,9 +6,7 @@ class compute_instance_default_service_account_in_use_with_full_api_access(Check
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "PASS"
             report.status_extended = f"The VM Instance {instance.name} is not configured to use the default service account with full access to all cloud APIs."
             for service_account in instance.service_accounts:
diff --git a/prowler/providers/gcp/services/compute/compute_instance_encryption_with_csek_enabled/compute_instance_encryption_with_csek_enabled.py b/prowler/providers/gcp/services/compute/compute_instance_encryption_with_csek_enabled/compute_instance_encryption_with_csek_enabled.py
index 7230af43d09..724a54cf6d3 100644
--- a/prowler/providers/gcp/services/compute/compute_instance_encryption_with_csek_enabled/compute_instance_encryption_with_csek_enabled.py
+++ b/prowler/providers/gcp/services/compute/compute_instance_encryption_with_csek_enabled/compute_instance_encryption_with_csek_enabled.py
@@ -6,9 +6,7 @@ class compute_instance_encryption_with_csek_enabled(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "FAIL"
             report.status_extended = f"The VM Instance {instance.name} has the following unencrypted disks: '{', '.join([i[0] for i in instance.disks_encryption if not i[1]])}'."
             if all([i[1] for i in instance.disks_encryption]):
diff --git a/prowler/providers/gcp/services/compute/compute_instance_ip_forwarding_is_enabled/compute_instance_ip_forwarding_is_enabled.py b/prowler/providers/gcp/services/compute/compute_instance_ip_forwarding_is_enabled/compute_instance_ip_forwarding_is_enabled.py
index b060bf68d79..275aa2eeac9 100644
--- a/prowler/providers/gcp/services/compute/compute_instance_ip_forwarding_is_enabled/compute_instance_ip_forwarding_is_enabled.py
+++ b/prowler/providers/gcp/services/compute/compute_instance_ip_forwarding_is_enabled/compute_instance_ip_forwarding_is_enabled.py
@@ -6,9 +6,7 @@ class compute_instance_ip_forwarding_is_enabled(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "PASS"
             report.status_extended = (
                 f"The IP Forwarding of VM Instance {instance.name} is not enabled."
diff --git a/prowler/providers/gcp/services/compute/compute_instance_public_ip/compute_instance_public_ip.py b/prowler/providers/gcp/services/compute/compute_instance_public_ip/compute_instance_public_ip.py
index 6e263f2777d..c14af74faa3 100644
--- a/prowler/providers/gcp/services/compute/compute_instance_public_ip/compute_instance_public_ip.py
+++ b/prowler/providers/gcp/services/compute/compute_instance_public_ip/compute_instance_public_ip.py
@@ -6,9 +6,7 @@ class compute_instance_public_ip(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "PASS"
             report.status_extended = (
                 f"VM Instance {instance.name} does not have a public IP."
diff --git a/prowler/providers/gcp/services/compute/compute_instance_serial_ports_in_use/compute_instance_serial_ports_in_use.py b/prowler/providers/gcp/services/compute/compute_instance_serial_ports_in_use/compute_instance_serial_ports_in_use.py
index 45919614ee7..81f7163ae9d 100644
--- a/prowler/providers/gcp/services/compute/compute_instance_serial_ports_in_use/compute_instance_serial_ports_in_use.py
+++ b/prowler/providers/gcp/services/compute/compute_instance_serial_ports_in_use/compute_instance_serial_ports_in_use.py
@@ -6,9 +6,7 @@ class compute_instance_serial_ports_in_use(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "PASS"
             report.status_extended = f"VM Instance {instance.name} has Enable Connecting to Serial Ports off."
             if instance.metadata.get("items"):
diff --git a/prowler/providers/gcp/services/compute/compute_instance_shielded_vm_enabled/compute_instance_shielded_vm_enabled.py b/prowler/providers/gcp/services/compute/compute_instance_shielded_vm_enabled/compute_instance_shielded_vm_enabled.py
index 99df3ad72f4..15c5d43fd25 100644
--- a/prowler/providers/gcp/services/compute/compute_instance_shielded_vm_enabled/compute_instance_shielded_vm_enabled.py
+++ b/prowler/providers/gcp/services/compute/compute_instance_shielded_vm_enabled/compute_instance_shielded_vm_enabled.py
@@ -6,9 +6,7 @@ class compute_instance_shielded_vm_enabled(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for instance in compute_client.instances:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=instance
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
             report.status = "PASS"
             report.status_extended = f"VM Instance {instance.name} has vTPM or Integrity Monitoring set to on."
             if (
diff --git a/prowler/providers/gcp/services/compute/compute_loadbalancer_logging_enabled/compute_loadbalancer_logging_enabled.py b/prowler/providers/gcp/services/compute/compute_loadbalancer_logging_enabled/compute_loadbalancer_logging_enabled.py
index a27fc048740..c77ef48140c 100644
--- a/prowler/providers/gcp/services/compute/compute_loadbalancer_logging_enabled/compute_loadbalancer_logging_enabled.py
+++ b/prowler/providers/gcp/services/compute/compute_loadbalancer_logging_enabled/compute_loadbalancer_logging_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
         for lb in compute_client.load_balancers:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=lb,
+                resource=lb,
                 location=compute_client.region,
             )
             report.status = "PASS"
diff --git a/prowler/providers/gcp/services/compute/compute_network_default_in_use/compute_network_default_in_use.py b/prowler/providers/gcp/services/compute/compute_network_default_in_use/compute_network_default_in_use.py
index 899db3bca2a..8a37f2f7a0f 100644
--- a/prowler/providers/gcp/services/compute/compute_network_default_in_use/compute_network_default_in_use.py
+++ b/prowler/providers/gcp/services/compute/compute_network_default_in_use/compute_network_default_in_use.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_GCP:
         for project in compute_client.project_ids:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=compute_client.projects[project],
+                resource=compute_client.projects[project],
                 project_id=project,
                 resource_id="default",
                 resource_name="default",
@@ -27,7 +27,7 @@ def execute(self) -> Check_Report_GCP:
                 report.status_extended = (
                     f"Default network is in use in project {project}."
                 )
-                report.resource_metadata = projects_with_default_network[project]
+                report.resource = projects_with_default_network[project]
             else:
                 report.status = "PASS"
                 report.status_extended = (
diff --git a/prowler/providers/gcp/services/compute/compute_network_dns_logging_enabled/compute_network_dns_logging_enabled.py b/prowler/providers/gcp/services/compute/compute_network_dns_logging_enabled/compute_network_dns_logging_enabled.py
index ef580ba1bad..ff02894f9b1 100644
--- a/prowler/providers/gcp/services/compute/compute_network_dns_logging_enabled/compute_network_dns_logging_enabled.py
+++ b/prowler/providers/gcp/services/compute/compute_network_dns_logging_enabled/compute_network_dns_logging_enabled.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_GCP:
         for network in compute_client.networks:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=network,
+                resource=network,
                 location=compute_client.region,
             )
             report.status = "FAIL"
diff --git a/prowler/providers/gcp/services/compute/compute_network_not_legacy/compute_network_not_legacy.py b/prowler/providers/gcp/services/compute/compute_network_not_legacy/compute_network_not_legacy.py
index 1673066bd3f..c22a5ddf312 100644
--- a/prowler/providers/gcp/services/compute/compute_network_not_legacy/compute_network_not_legacy.py
+++ b/prowler/providers/gcp/services/compute/compute_network_not_legacy/compute_network_not_legacy.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
         for network in compute_client.networks:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=network,
+                resource=network,
                 location=compute_client.region,
             )
             report.status = "PASS"
diff --git a/prowler/providers/gcp/services/compute/compute_project_os_login_enabled/compute_project_os_login_enabled.py b/prowler/providers/gcp/services/compute/compute_project_os_login_enabled/compute_project_os_login_enabled.py
index bebc30136e1..436fef35d84 100644
--- a/prowler/providers/gcp/services/compute/compute_project_os_login_enabled/compute_project_os_login_enabled.py
+++ b/prowler/providers/gcp/services/compute/compute_project_os_login_enabled/compute_project_os_login_enabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
         for project in compute_client.compute_projects:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=project,
+                resource=project,
                 project_id=project.id,
                 location=compute_client.region,
             )
diff --git a/prowler/providers/gcp/services/compute/compute_public_address_shodan/compute_public_address_shodan.py b/prowler/providers/gcp/services/compute/compute_public_address_shodan/compute_public_address_shodan.py
index 4330b70be3c..932197e0112 100644
--- a/prowler/providers/gcp/services/compute/compute_public_address_shodan/compute_public_address_shodan.py
+++ b/prowler/providers/gcp/services/compute/compute_public_address_shodan/compute_public_address_shodan.py
@@ -14,7 +14,7 @@ def execute(self):
         for address in compute_client.addresses:
             if address.type == "EXTERNAL":
                 report = Check_Report_GCP(
-                    metadata=self.metadata(), resource_metadata=address
+                    metadata=self.metadata(), resource=address
                 )
                 try:
                     shodan_info = api.host(address.ip)
diff --git a/prowler/providers/gcp/services/compute/compute_subnet_flow_logs_enabled/compute_subnet_flow_logs_enabled.py b/prowler/providers/gcp/services/compute/compute_subnet_flow_logs_enabled/compute_subnet_flow_logs_enabled.py
index ee0a38fde95..e3f5b7eddea 100644
--- a/prowler/providers/gcp/services/compute/compute_subnet_flow_logs_enabled/compute_subnet_flow_logs_enabled.py
+++ b/prowler/providers/gcp/services/compute/compute_subnet_flow_logs_enabled/compute_subnet_flow_logs_enabled.py
@@ -6,9 +6,7 @@ class compute_subnet_flow_logs_enabled(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for subnet in compute_client.subnets:
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=subnet
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=subnet)
             report.status = "PASS"
             report.status_extended = f"Subnet {subnet.name} in network {subnet.network} has flow logs enabled."
             if not subnet.flow_logs:
diff --git a/prowler/providers/gcp/services/dataproc/dataproc_encrypted_with_cmks_disabled/dataproc_encrypted_with_cmks_disabled.py b/prowler/providers/gcp/services/dataproc/dataproc_encrypted_with_cmks_disabled/dataproc_encrypted_with_cmks_disabled.py
index ca2a27491da..b06c64da50a 100644
--- a/prowler/providers/gcp/services/dataproc/dataproc_encrypted_with_cmks_disabled/dataproc_encrypted_with_cmks_disabled.py
+++ b/prowler/providers/gcp/services/dataproc/dataproc_encrypted_with_cmks_disabled/dataproc_encrypted_with_cmks_disabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
         for cluster in dataproc_client.clusters:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=cluster,
+                resource=cluster,
                 location=dataproc_client.region,
             )
             report.status = "PASS"
diff --git a/prowler/providers/gcp/services/dns/dns_dnssec_disabled/dns_dnssec_disabled.py b/prowler/providers/gcp/services/dns/dns_dnssec_disabled/dns_dnssec_disabled.py
index de2b3aa67e0..cfe3def193e 100644
--- a/prowler/providers/gcp/services/dns/dns_dnssec_disabled/dns_dnssec_disabled.py
+++ b/prowler/providers/gcp/services/dns/dns_dnssec_disabled/dns_dnssec_disabled.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
         for managed_zone in dns_client.managed_zones:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=managed_zone,
+                resource=managed_zone,
                 location=dns_client.region,
             )
             report.status = "PASS"
diff --git a/prowler/providers/gcp/services/dns/dns_rsasha1_in_use_to_key_sign_in_dnssec/dns_rsasha1_in_use_to_key_sign_in_dnssec.py b/prowler/providers/gcp/services/dns/dns_rsasha1_in_use_to_key_sign_in_dnssec/dns_rsasha1_in_use_to_key_sign_in_dnssec.py
index 7353e5073f0..4820d88f476 100644
--- a/prowler/providers/gcp/services/dns/dns_rsasha1_in_use_to_key_sign_in_dnssec/dns_rsasha1_in_use_to_key_sign_in_dnssec.py
+++ b/prowler/providers/gcp/services/dns/dns_rsasha1_in_use_to_key_sign_in_dnssec/dns_rsasha1_in_use_to_key_sign_in_dnssec.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
         for managed_zone in dns_client.managed_zones:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=managed_zone,
+                resource=managed_zone,
                 location=dns_client.region,
             )
             report.status = "PASS"
diff --git a/prowler/providers/gcp/services/dns/dns_rsasha1_in_use_to_zone_sign_in_dnssec/dns_rsasha1_in_use_to_zone_sign_in_dnssec.py b/prowler/providers/gcp/services/dns/dns_rsasha1_in_use_to_zone_sign_in_dnssec/dns_rsasha1_in_use_to_zone_sign_in_dnssec.py
index 86ccf243d3b..a42afedabb8 100644
--- a/prowler/providers/gcp/services/dns/dns_rsasha1_in_use_to_zone_sign_in_dnssec/dns_rsasha1_in_use_to_zone_sign_in_dnssec.py
+++ b/prowler/providers/gcp/services/dns/dns_rsasha1_in_use_to_zone_sign_in_dnssec/dns_rsasha1_in_use_to_zone_sign_in_dnssec.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
         for managed_zone in dns_client.managed_zones:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=managed_zone,
+                resource=managed_zone,
                 location=dns_client.region,
             )
             report.status = "PASS"
diff --git a/prowler/providers/gcp/services/gcr/gcr_container_scanning_enabled/gcr_container_scanning_enabled.py b/prowler/providers/gcp/services/gcr/gcr_container_scanning_enabled/gcr_container_scanning_enabled.py
index 9182802f40c..cbb7d4339ec 100644
--- a/prowler/providers/gcp/services/gcr/gcr_container_scanning_enabled/gcr_container_scanning_enabled.py
+++ b/prowler/providers/gcp/services/gcr/gcr_container_scanning_enabled/gcr_container_scanning_enabled.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_GCP:
         for project_id in serviceusage_client.project_ids:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=serviceusage_client.projects[project_id],
+                resource=serviceusage_client.projects[project_id],
                 resource_id="containerscanning.googleapis.com",
                 resource_name="GCR Container Scanning",
                 project_id=project_id,
diff --git a/prowler/providers/gcp/services/gke/gke_cluster_no_default_service_account/gke_cluster_no_default_service_account.py b/prowler/providers/gcp/services/gke/gke_cluster_no_default_service_account/gke_cluster_no_default_service_account.py
index 02685b1e58a..4704d023a13 100644
--- a/prowler/providers/gcp/services/gke/gke_cluster_no_default_service_account/gke_cluster_no_default_service_account.py
+++ b/prowler/providers/gcp/services/gke/gke_cluster_no_default_service_account/gke_cluster_no_default_service_account.py
@@ -6,9 +6,7 @@ class gke_cluster_no_default_service_account(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for cluster in gke_client.clusters.values():
-            report = Check_Report_GCP(
-                metadata=self.metadata(), resource_metadata=cluster
-            )
+            report = Check_Report_GCP(metadata=self.metadata(), resource=cluster)
             report.status = "PASS"
             report.status_extended = f"GKE cluster {cluster.name} is not using the Compute Engine default service account."
             if not cluster.node_pools and cluster.service_account == "default":
diff --git a/prowler/providers/gcp/services/iam/iam_account_access_approval_enabled/iam_account_access_approval_enabled.py b/prowler/providers/gcp/services/iam/iam_account_access_approval_enabled/iam_account_access_approval_enabled.py
index 277068f4cbb..16d01c37393 100644
--- a/prowler/providers/gcp/services/iam/iam_account_access_approval_enabled/iam_account_access_approval_enabled.py
+++ b/prowler/providers/gcp/services/iam/iam_account_access_approval_enabled/iam_account_access_approval_enabled.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_GCP:
         for project_id in accessapproval_client.project_ids:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=accessapproval_client.projects[project_id],
+                resource=accessapproval_client.projects[project_id],
                 project_id=project_id,
                 location=accessapproval_client.region,
             )
diff --git a/prowler/providers/gcp/services/iam/iam_audit_logs_enabled/iam_audit_logs_enabled.py b/prowler/providers/gcp/services/iam/iam_audit_logs_enabled/iam_audit_logs_enabled.py
index 69c41a495b0..e6451181ecf 100644
--- a/prowler/providers/gcp/services/iam/iam_audit_logs_enabled/iam_audit_logs_enabled.py
+++ b/prowler/providers/gcp/services/iam/iam_audit_logs_enabled/iam_audit_logs_enabled.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_GCP:
         for project in cloudresourcemanager_client.cloud_resource_manager_projects:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=project,
+                resource=project,
                 project_id=project.id,
                 location=cloudresourcemanager_client.region,
             )
diff --git a/prowler/providers/gcp/services/iam/iam_cloud_asset_inventory_enabled/iam_cloud_asset_inventory_enabled.py b/prowler/providers/gcp/services/iam/iam_cloud_asset_inventory_enabled/iam_cloud_asset_inventory_enabled.py
index db5220481f3..d99c6955fe1 100644
--- a/prowler/providers/gcp/services/iam/iam_cloud_asset_inventory_enabled/iam_cloud_asset_inventory_enabled.py
+++ b/prowler/providers/gcp/services/iam/iam_cloud_asset_inventory_enabled/iam_cloud_asset_inventory_enabled.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_GCP:
         for project_id in serviceusage_client.project_ids:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=serviceusage_client.projects[project_id],
+                resource=serviceusage_client.projects[project_id],
                 resource_id="cloudasset.googleapis.com",
                 resource_name="Cloud Asset Inventory",
                 project_id=project_id,
diff --git a/prowler/providers/gcp/services/iam/iam_no_service_roles_at_project_level/iam_no_service_roles_at_project_level.py b/prowler/providers/gcp/services/iam/iam_no_service_roles_at_project_level/iam_no_service_roles_at_project_level.py
index c1f8e47706e..c10c5e10884 100644
--- a/prowler/providers/gcp/services/iam/iam_no_service_roles_at_project_level/iam_no_service_roles_at_project_level.py
+++ b/prowler/providers/gcp/services/iam/iam_no_service_roles_at_project_level/iam_no_service_roles_at_project_level.py
@@ -11,7 +11,7 @@ def execute(self) -> Check_Report_GCP:
         for binding in cloudresourcemanager_client.bindings:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=binding,
+                resource=binding,
                 resource_id=binding.role,
                 resource_name=binding.role,
                 location=cloudresourcemanager_client.region,
@@ -29,7 +29,7 @@ def execute(self) -> Check_Report_GCP:
             if project not in failed_projects:
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource_metadata=cloudresourcemanager_client.projects[project],
+                    resource=cloudresourcemanager_client.projects[project],
                     project_id=project,
                     resource_name=project,
                     location=cloudresourcemanager_client.region,
diff --git a/prowler/providers/gcp/services/iam/iam_organization_essential_contacts_configured/iam_organization_essential_contacts_configured.py b/prowler/providers/gcp/services/iam/iam_organization_essential_contacts_configured/iam_organization_essential_contacts_configured.py
index bed4f9dde08..c4cac8183a1 100644
--- a/prowler/providers/gcp/services/iam/iam_organization_essential_contacts_configured/iam_organization_essential_contacts_configured.py
+++ b/prowler/providers/gcp/services/iam/iam_organization_essential_contacts_configured/iam_organization_essential_contacts_configured.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_GCP:
         for org in essentialcontacts_client.organizations:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=org,
+                resource=org,
                 project_id=essentialcontacts_client.default_project_id,
                 location=essentialcontacts_client.region,
             )
diff --git a/prowler/providers/gcp/services/iam/iam_role_kms_enforce_separation_of_duties/iam_role_kms_enforce_separation_of_duties.py b/prowler/providers/gcp/services/iam/iam_role_kms_enforce_separation_of_duties/iam_role_kms_enforce_separation_of_duties.py
index af3a5583d5c..7450b4b9336 100644
--- a/prowler/providers/gcp/services/iam/iam_role_kms_enforce_separation_of_duties/iam_role_kms_enforce_separation_of_duties.py
+++ b/prowler/providers/gcp/services/iam/iam_role_kms_enforce_separation_of_duties/iam_role_kms_enforce_separation_of_duties.py
@@ -12,7 +12,7 @@ def execute(self) -> Check_Report_GCP:
             kms_admin_members = []
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=cloudresourcemanager_client.projects[project],
+                resource=cloudresourcemanager_client.projects[project],
                 project_id=project,
                 location=cloudresourcemanager_client.region,
             )
diff --git a/prowler/providers/gcp/services/iam/iam_role_sa_enforce_separation_of_duties/iam_role_sa_enforce_separation_of_duties.py b/prowler/providers/gcp/services/iam/iam_role_sa_enforce_separation_of_duties/iam_role_sa_enforce_separation_of_duties.py
index ce7fc757234..dac81192b94 100644
--- a/prowler/providers/gcp/services/iam/iam_role_sa_enforce_separation_of_duties/iam_role_sa_enforce_separation_of_duties.py
+++ b/prowler/providers/gcp/services/iam/iam_role_sa_enforce_separation_of_duties/iam_role_sa_enforce_separation_of_duties.py
@@ -11,7 +11,7 @@ def execute(self) -> Check_Report_GCP:
             non_compliant_members = []
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=cloudresourcemanager_client.projects[project],
+                resource=cloudresourcemanager_client.projects[project],
                 location=cloudresourcemanager_client.region,
                 project_id=project,
             )
diff --git a/prowler/providers/gcp/services/iam/iam_sa_no_administrative_privileges/iam_sa_no_administrative_privileges.py b/prowler/providers/gcp/services/iam/iam_sa_no_administrative_privileges/iam_sa_no_administrative_privileges.py
index ffc98c90d39..50d5a0b060f 100644
--- a/prowler/providers/gcp/services/iam/iam_sa_no_administrative_privileges/iam_sa_no_administrative_privileges.py
+++ b/prowler/providers/gcp/services/iam/iam_sa_no_administrative_privileges/iam_sa_no_administrative_privileges.py
@@ -11,7 +11,7 @@ def execute(self) -> Check_Report_GCP:
         for account in iam_client.service_accounts:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=account,
+                resource=account,
                 resource_id=account.email,
                 location=iam_client.region,
             )
@@ -24,7 +24,6 @@ def execute(self) -> Check_Report_GCP:
                     "admin" in binding.role.lower()
                     or binding.role.lower() in ["roles/editor", "roles/owner"]
                 ):
-                    report.status = "FAIL"
                     report.status_extended = f"Account {account.email} has administrative privileges with {binding.role}."
                     findings.append(report)
diff --git a/prowler/providers/gcp/services/iam/iam_sa_no_user_managed_keys/iam_sa_no_user_managed_keys.py b/prowler/providers/gcp/services/iam/iam_sa_no_user_managed_keys/iam_sa_no_user_managed_keys.py
index d9031c5ed3f..ae7b1742640 100644
--- a/prowler/providers/gcp/services/iam/iam_sa_no_user_managed_keys/iam_sa_no_user_managed_keys.py
+++ b/prowler/providers/gcp/services/iam/iam_sa_no_user_managed_keys/iam_sa_no_user_managed_keys.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_GCP:
         for account in iam_client.service_accounts:
             report = Check_Report_GCP(
                 metadata=self.metadata(),
-                resource_metadata=account,
+                resource=account,
                 resource_id=account.email,
                 location=iam_client.region,
             )
diff --git a/prowler/providers/gcp/services/iam/iam_sa_user_managed_key_rotate_90_days/iam_sa_user_managed_key_rotate_90_days.py b/prowler/providers/gcp/services/iam/iam_sa_user_managed_key_rotate_90_days/iam_sa_user_managed_key_rotate_90_days.py
index 8939572f555..a75a34b37d7 100644
--- a/prowler/providers/gcp/services/iam/iam_sa_user_managed_key_rotate_90_days/iam_sa_user_managed_key_rotate_90_days.py
+++ b/prowler/providers/gcp/services/iam/iam_sa_user_managed_key_rotate_90_days/iam_sa_user_managed_key_rotate_90_days.py
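Review bot: Dropping `report.status = "FAIL"` in the second hunk of iam_sa_no_administrative_privileges leaves the finding's status at whatever it held before the binding loop, while status_extended still states that the account has administrative privileges and the report is appended to findings, so a service account bound to roles/owner, roles/editor or an admin role may now be reported with a non-FAIL status. The start of execute, where the status is initialised, is outside the hunk; if it already sets FAIL for this path the removal is harmless, but nothing in the hunk shows that, and the commit title only speaks of resource metadata in outputs, so an unrelated behaviour change here deserves an explicit justification. Unless that initialisation is confirmed, keep the assignment next to the status_extended line, `report.status = "FAIL"`, or add a comment at the initialisation stating that the status defaults to FAIL and is only set to PASS when no administrative binding is found.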
@@ -13,7 +13,7 @@ def execute(self) -> Check_Report_GCP:
                 last_rotated = (datetime.now() - key.valid_after).days
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource_metadata=account,
+                    resource=account,
                     resource_id=key.name,
                     resource_name=account.email,
                     location=iam_client.region,
diff --git a/prowler/providers/gcp/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py b/prowler/providers/gcp/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
index 2482eb24f1d..9637820e7db 100644
--- a/prowler/providers/gcp/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
+++ b/prowler/providers/gcp/services/kms/kms_key_not_publicly_accessible/kms_key_not_publicly_accessible.py
@@ -6,7 +6,7 @@ class kms_key_not_publicly_accessible(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for key in kms_client.crypto_keys:
-            report = Check_Report_GCP(metadata=self.metadata(), resource_metadata=key)
+            report = Check_Report_GCP(metadata=self.metadata(), resource=key)
             report.status = "PASS"
             report.status_extended = f"Key {key.name} is not exposed to Public."
             for member in key.members:
diff --git a/prowler/providers/gcp/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.py b/prowler/providers/gcp/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.py
index 86a28073922..577a7c9f99a 100644
--- a/prowler/providers/gcp/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.py
+++ b/prowler/providers/gcp/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.py
@@ -8,7 +8,7 @@ class kms_key_rotation_enabled(Check):
     def execute(self) -> Check_Report_GCP:
         findings = []
         for key in kms_client.crypto_keys:
-            report = Check_Report_GCP(metadata=self.metadata(), resource_metadata=key)
+            report = Check_Report_GCP(metadata=self.metadata(), resource=key)
             now = datetime.datetime.now()
             condition_next_rotation_time = False
             if key.next_rotation_time:
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.py b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.py
index cf298578a8e..394f6db170e 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.py
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.py
@@ -18,7 +18,7 @@ def execute(self) -> Check_Report_GCP:
             ):
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource_metadata=metric,
+                    resource=metric,
                     location=logging_client.region,
                 )
                 projects_with_metric.add(metric.project_id)
@@ -36,7 +36,7 @@ def execute(self) -> Check_Report_GCP:
             if project not in projects_with_metric:
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource_metadata=logging_client.projects[project],
+                    resource=logging_client.projects[project],
                     project_id=project,
                     location=logging_client.region,
                 )
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.py b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.py
index ecfc8c0bda0..ee854778f1a 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.py
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_GCP:
             ):
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource_metadata=metric,
+                    resource=metric,
                     location=logging_client.region,
                 )
                 projects_with_metric.add(metric.project_id)
@@ -34,7 +34,7 @@ def execute(self) -> Check_Report_GCP:
             if project not in projects_with_metric:
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource_metadata=logging_client.projects[project],
+                    resource=logging_client.projects[project],
                     project_id=project,
                     location=logging_client.region,
                 )
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.py b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.py
index 8606e36d361..b579a776d95 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.py
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_GCP:
             ):
                 report = Check_Report_GCP(
                     metadata=self.metadata(),
-                    resource_metadata=metric,
+                    resource=metric,
                     location=logging_client.region,
                 )
                 projects_with_metric.add(metric.project_id)
@@ -34,7 +34,7 @@ def execute(self) -> Check_Report_GCP:
 if project not in projects_with_metric:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=logging_client.projects[project],
+ resource=logging_client.projects[project],
 project_id=project,
 location=logging_client.region,
 )
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.py b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.py
index 37573cb6049..840f8f0af55 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.py
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_GCP:
 ):
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=metric,
+ resource=metric,
 location=logging_client.region,
 )
 projects_with_metric.add(metric.project_id)
@@ -34,7 +34,7 @@ def execute(self) -> Check_Report_GCP:
 if project not in projects_with_metric:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=logging_client.projects[project],
+ resource=logging_client.projects[project],
 project_id=project,
 location=logging_client.region,
 )
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.py b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.py
index f86ae4a59f6..1d9b84f2c6d 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.py
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.py
@@ -15,7 +15,7 @@ def execute(self) -> Check_Report_GCP:
 if 'protoPayload.methodName="cloudsql.instances.update"' in metric.filter:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=metric,
+ resource=metric,
 location=logging_client.region,
 )
 projects_with_metric.add(metric.project_id)
@@ -33,7 +33,7 @@ def execute(self) -> Check_Report_GCP:
 if project not in projects_with_metric:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=logging_client.projects[project],
+ resource=logging_client.projects[project],
 project_id=project,
 location=logging_client.region,
 )
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.py b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.py
index 98d437b1b35..d05b7558388 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.py
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_GCP:
 ):
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=metric,
+ resource=metric,
 location=logging_client.region,
 )
 projects_with_metric.add(metric.project_id)
@@ -34,7 +34,7 @@ def execute(self) -> Check_Report_GCP:
 if project not in projects_with_metric:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=logging_client.projects[project],
+ resource=logging_client.projects[project],
 project_id=project,
 location=logging_client.region,
 )
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.py b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.py
index 75bce35488b..1985e73103e 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.py
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_GCP:
 ):
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=metric,
+ resource=metric,
 location=logging_client.region,
 )
 projects_with_metric.add(metric.project_id)
@@ -34,7 +34,7 @@ def execute(self) -> Check_Report_GCP:
 if project not in projects_with_metric:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=logging_client.projects[project],
+ resource=logging_client.projects[project],
 project_id=project,
 location=logging_client.region,
 )
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.py b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.py
index e183a31a8b4..aa518eb0778 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.py
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_GCP:
 ):
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=metric,
+ resource=metric,
 location=logging_client.region,
 )
 projects_with_metric.add(metric.project_id)
@@ -34,7 +34,7 @@ def execute(self) -> Check_Report_GCP:
 if project not in projects_with_metric:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=logging_client.projects[project],
+ resource=logging_client.projects[project],
 project_id=project,
 location=logging_client.region,
 )
diff --git a/prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.py b/prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.py
index db39f982db7..3905332e96b 100644
--- a/prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.py
+++ b/prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.py
@@ -9,7 +9,7 @@ def execute(self) -> Check_Report_GCP:
 for sink in logging_client.sinks:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=sink,
+ resource=sink,
 location=logging_client.region,
 )
 projects_with_sink.add(sink.project_id)
@@ -24,7 +24,7 @@ def execute(self) -> Check_Report_GCP:
 if project not in projects_with_sink:
 report = Check_Report_GCP(
 metadata=self.metadata(),
- resource_metadata=logging_client.projects[project],
+ resource=logging_client.projects[project],
 project_id=project,
 location=logging_client.region,
 )
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_always_pull_images_plugin/apiserver_always_pull_images_plugin.py b/prowler/providers/kubernetes/services/apiserver/apiserver_always_pull_images_plugin/apiserver_always_pull_images_plugin.py
index 567ae7a317b..9e930c54995 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_always_pull_images_plugin/apiserver_always_pull_images_plugin.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_always_pull_images_plugin/apiserver_always_pull_images_plugin.py
@@ -8,9 +8,7 @@ class apiserver_always_pull_images_plugin(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"AlwaysPullImages admission control plugin is set in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_anonymous_requests/apiserver_anonymous_requests.py b/prowler/providers/kubernetes/services/apiserver/apiserver_anonymous_requests/apiserver_anonymous_requests.py
index 66db3ddc91b..8831abd7b10 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_anonymous_requests/apiserver_anonymous_requests.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_anonymous_requests/apiserver_anonymous_requests.py
@@ -8,9 +8,7 @@ class apiserver_anonymous_requests(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"API Server does not have anonymous-auth enabled in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxage_set/apiserver_audit_log_maxage_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxage_set/apiserver_audit_log_maxage_set.py
index c4061b93fa4..08ff4272856 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxage_set/apiserver_audit_log_maxage_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxage_set/apiserver_audit_log_maxage_set.py
@@ -8,9 +8,7 @@ class apiserver_audit_log_maxage_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Audit log max age is set appropriately in the API server in pod {pod.name}."
 audit_log_maxage_set = False
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxbackup_set/apiserver_audit_log_maxbackup_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxbackup_set/apiserver_audit_log_maxbackup_set.py
index 46e9ad99f70..235cd8a7166 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxbackup_set/apiserver_audit_log_maxbackup_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxbackup_set/apiserver_audit_log_maxbackup_set.py
@@ -8,9 +8,7 @@ class apiserver_audit_log_maxbackup_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Audit log max backup is set appropriately in the API server in pod {pod.name}."
 audit_log_maxbackup_set = False
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxsize_set/apiserver_audit_log_maxsize_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxsize_set/apiserver_audit_log_maxsize_set.py
index f7f14f9b6fb..9c6b1cd5646 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxsize_set/apiserver_audit_log_maxsize_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxsize_set/apiserver_audit_log_maxsize_set.py
@@ -8,9 +8,7 @@ class apiserver_audit_log_maxsize_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Audit log max size is set appropriately in the API server in pod {pod.name}."
 audit_log_maxsize_set = False
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_path_set/apiserver_audit_log_path_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_path_set/apiserver_audit_log_path_set.py
index 3f7cbb93bd5..95fef869041 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_path_set/apiserver_audit_log_path_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_path_set/apiserver_audit_log_path_set.py
@@ -8,9 +8,7 @@ class apiserver_audit_log_path_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Audit log path is set in the API server in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_include_node/apiserver_auth_mode_include_node.py b/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_include_node/apiserver_auth_mode_include_node.py
index 84e60f10ba9..e13a11308e8 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_include_node/apiserver_auth_mode_include_node.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_include_node/apiserver_auth_mode_include_node.py
@@ -8,9 +8,7 @@ class apiserver_auth_mode_include_node(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"API Server authorization mode includes Node in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_include_rbac/apiserver_auth_mode_include_rbac.py b/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_include_rbac/apiserver_auth_mode_include_rbac.py
index 442051a71d5..22ba2c6efc8 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_include_rbac/apiserver_auth_mode_include_rbac.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_include_rbac/apiserver_auth_mode_include_rbac.py
@@ -8,9 +8,7 @@ class apiserver_auth_mode_include_rbac(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"API Server authorization mode includes RBAC in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_not_always_allow/apiserver_auth_mode_not_always_allow.py b/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_not_always_allow/apiserver_auth_mode_not_always_allow.py
index 8a8f53b8ccd..d6a0ad6ceec 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_not_always_allow/apiserver_auth_mode_not_always_allow.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_auth_mode_not_always_allow/apiserver_auth_mode_not_always_allow.py
@@ -8,9 +8,7 @@ class apiserver_auth_mode_not_always_allow(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"API Server authorization mode is not set to AlwaysAllow in pod {pod.name}."
 always_allow_in_auth_mode = True
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_client_ca_file_set/apiserver_client_ca_file_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_client_ca_file_set/apiserver_client_ca_file_set.py
index a90ae83e614..bac8baf23fc 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_client_ca_file_set/apiserver_client_ca_file_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_client_ca_file_set/apiserver_client_ca_file_set.py
@@ -8,9 +8,7 @@ class apiserver_client_ca_file_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Client CA file is set appropriately in the API server in pod {pod.name}."
 client_ca_file_set = False
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_deny_service_external_ips/apiserver_deny_service_external_ips.py b/prowler/providers/kubernetes/services/apiserver/apiserver_deny_service_external_ips/apiserver_deny_service_external_ips.py
index 7abd2ff5c54..da058272eaa 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_deny_service_external_ips/apiserver_deny_service_external_ips.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_deny_service_external_ips/apiserver_deny_service_external_ips.py
@@ -8,9 +8,7 @@ class apiserver_deny_service_external_ips(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"API Server has DenyServiceExternalIPs admission controller enabled in pod {pod.name}."
 deny_service_external_ips = False
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_disable_profiling/apiserver_disable_profiling.py b/prowler/providers/kubernetes/services/apiserver/apiserver_disable_profiling/apiserver_disable_profiling.py
index 0942003752d..584421bccbf 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_disable_profiling/apiserver_disable_profiling.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_disable_profiling/apiserver_disable_profiling.py
@@ -8,9 +8,7 @@ class apiserver_disable_profiling(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Profiling is disabled in pod {pod.name}."
 profiling_enabled = False
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_encryption_provider_config_set/apiserver_encryption_provider_config_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_encryption_provider_config_set/apiserver_encryption_provider_config_set.py
index 04621ad838f..2697f6cf9a8 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_encryption_provider_config_set/apiserver_encryption_provider_config_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_encryption_provider_config_set/apiserver_encryption_provider_config_set.py
@@ -8,9 +8,7 @@ class apiserver_encryption_provider_config_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Encryption provider config is set appropriately in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_etcd_cafile_set/apiserver_etcd_cafile_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_etcd_cafile_set/apiserver_etcd_cafile_set.py
index 76035bfda33..e7eafb4e733 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_etcd_cafile_set/apiserver_etcd_cafile_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_etcd_cafile_set/apiserver_etcd_cafile_set.py
@@ -8,9 +8,7 @@ class apiserver_etcd_cafile_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"etcd CA file is set appropriately in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_etcd_tls_config/apiserver_etcd_tls_config.py b/prowler/providers/kubernetes/services/apiserver/apiserver_etcd_tls_config/apiserver_etcd_tls_config.py
index 7a2479e3073..4ab6b36b11d 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_etcd_tls_config/apiserver_etcd_tls_config.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_etcd_tls_config/apiserver_etcd_tls_config.py
@@ -8,9 +8,7 @@ class apiserver_etcd_tls_config(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"TLS configuration for etcd is set appropriately in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_event_rate_limit/apiserver_event_rate_limit.py b/prowler/providers/kubernetes/services/apiserver/apiserver_event_rate_limit/apiserver_event_rate_limit.py
index 0e8a1de81ac..61e2042da65 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_event_rate_limit/apiserver_event_rate_limit.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_event_rate_limit/apiserver_event_rate_limit.py
@@ -8,9 +8,7 @@ class apiserver_event_rate_limit(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"EventRateLimit admission control plugin is set in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_kubelet_cert_auth/apiserver_kubelet_cert_auth.py b/prowler/providers/kubernetes/services/apiserver/apiserver_kubelet_cert_auth/apiserver_kubelet_cert_auth.py
index b7259711995..117bb6a8532 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_kubelet_cert_auth/apiserver_kubelet_cert_auth.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_kubelet_cert_auth/apiserver_kubelet_cert_auth.py
@@ -8,9 +8,7 @@ class apiserver_kubelet_cert_auth(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"API Server has appropriate kubelet certificate authority configured in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_kubelet_tls_auth/apiserver_kubelet_tls_auth.py b/prowler/providers/kubernetes/services/apiserver/apiserver_kubelet_tls_auth/apiserver_kubelet_tls_auth.py
index 7baeb5946e3..076434be977 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_kubelet_tls_auth/apiserver_kubelet_tls_auth.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_kubelet_tls_auth/apiserver_kubelet_tls_auth.py
@@ -8,9 +8,7 @@ class apiserver_kubelet_tls_auth(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"API Server has appropriate kubelet TLS authentication configured in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_namespace_lifecycle_plugin/apiserver_namespace_lifecycle_plugin.py b/prowler/providers/kubernetes/services/apiserver/apiserver_namespace_lifecycle_plugin/apiserver_namespace_lifecycle_plugin.py
index 10e94278409..04211678d7c 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_namespace_lifecycle_plugin/apiserver_namespace_lifecycle_plugin.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_namespace_lifecycle_plugin/apiserver_namespace_lifecycle_plugin.py
@@ -8,9 +8,7 @@ class apiserver_namespace_lifecycle_plugin(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"NamespaceLifecycle admission control plugin is set in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_no_always_admit_plugin/apiserver_no_always_admit_plugin.py b/prowler/providers/kubernetes/services/apiserver/apiserver_no_always_admit_plugin/apiserver_no_always_admit_plugin.py
index 987f900704e..bde7437781e 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_no_always_admit_plugin/apiserver_no_always_admit_plugin.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_no_always_admit_plugin/apiserver_no_always_admit_plugin.py
@@ -8,9 +8,7 @@ class apiserver_no_always_admit_plugin(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"AlwaysAdmit admission control plugin is not set in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_no_token_auth_file/apiserver_no_token_auth_file.py b/prowler/providers/kubernetes/services/apiserver/apiserver_no_token_auth_file/apiserver_no_token_auth_file.py
index 25a9f6d2921..5ee324d183f 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_no_token_auth_file/apiserver_no_token_auth_file.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_no_token_auth_file/apiserver_no_token_auth_file.py
@@ -8,9 +8,7 @@ class apiserver_no_token_auth_file(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"API Server does not have token-auth-file enabled in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_node_restriction_plugin/apiserver_node_restriction_plugin.py b/prowler/providers/kubernetes/services/apiserver/apiserver_node_restriction_plugin/apiserver_node_restriction_plugin.py
index 7529d677af7..d39d218e5bc 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_node_restriction_plugin/apiserver_node_restriction_plugin.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_node_restriction_plugin/apiserver_node_restriction_plugin.py
@@ -8,9 +8,7 @@ class apiserver_node_restriction_plugin(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"NodeRestriction admission control plugin is set in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_request_timeout_set/apiserver_request_timeout_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_request_timeout_set/apiserver_request_timeout_set.py
index 8bf93d12b35..d512b60207a 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_request_timeout_set/apiserver_request_timeout_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_request_timeout_set/apiserver_request_timeout_set.py
@@ -8,9 +8,7 @@ class apiserver_request_timeout_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Request timeout is set appropriately in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_security_context_deny_plugin/apiserver_security_context_deny_plugin.py b/prowler/providers/kubernetes/services/apiserver/apiserver_security_context_deny_plugin/apiserver_security_context_deny_plugin.py
index 5abad9d71ed..a8f4190f32f 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_security_context_deny_plugin/apiserver_security_context_deny_plugin.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_security_context_deny_plugin/apiserver_security_context_deny_plugin.py
@@ -8,9 +8,7 @@ class apiserver_security_context_deny_plugin(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 security_context_deny_set = False
 pod_security_policy_set = False
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_key_file_set/apiserver_service_account_key_file_set.py b/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_key_file_set/apiserver_service_account_key_file_set.py
index d84c1c90fee..601ff6d3825 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_key_file_set/apiserver_service_account_key_file_set.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_key_file_set/apiserver_service_account_key_file_set.py
@@ -8,9 +8,7 @@ class apiserver_service_account_key_file_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Service account key file is set appropriately in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_lookup_true/apiserver_service_account_lookup_true.py b/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_lookup_true/apiserver_service_account_lookup_true.py
index 8b64d77be46..57f1c35c5f7 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_lookup_true/apiserver_service_account_lookup_true.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_lookup_true/apiserver_service_account_lookup_true.py
@@ -8,9 +8,7 @@ class apiserver_service_account_lookup_true(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Service account lookup is set to true in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_plugin/apiserver_service_account_plugin.py b/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_plugin/apiserver_service_account_plugin.py
index 978da66e773..6c80bca8c74 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_plugin/apiserver_service_account_plugin.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_service_account_plugin/apiserver_service_account_plugin.py
@@ -8,9 +8,7 @@ class apiserver_service_account_plugin(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"ServiceAccount admission control plugin is set in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_strong_ciphers_only/apiserver_strong_ciphers_only.py b/prowler/providers/kubernetes/services/apiserver/apiserver_strong_ciphers_only/apiserver_strong_ciphers_only.py
index 5140d4ff87f..afe2420ce2c 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_strong_ciphers_only/apiserver_strong_ciphers_only.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_strong_ciphers_only/apiserver_strong_ciphers_only.py
@@ -14,9 +14,7 @@ class apiserver_strong_ciphers_only(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"API Server is configured with strong cryptographic ciphers in pod {pod.name}."
 strong_ciphers_set = False
diff --git a/prowler/providers/kubernetes/services/apiserver/apiserver_tls_config/apiserver_tls_config.py b/prowler/providers/kubernetes/services/apiserver/apiserver_tls_config/apiserver_tls_config.py
index 2457d8f4e19..7a7f5c0f821 100644
--- a/prowler/providers/kubernetes/services/apiserver/apiserver_tls_config/apiserver_tls_config.py
+++ b/prowler/providers/kubernetes/services/apiserver/apiserver_tls_config/apiserver_tls_config.py
@@ -8,9 +8,7 @@ class apiserver_tls_config(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in apiserver_client.apiserver_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"TLS certificate and key are set appropriately in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/controllermanager/controllermanager_bind_address/controllermanager_bind_address.py b/prowler/providers/kubernetes/services/controllermanager/controllermanager_bind_address/controllermanager_bind_address.py
index a129c0c4804..edc00150320 100644
--- a/prowler/providers/kubernetes/services/controllermanager/controllermanager_bind_address/controllermanager_bind_address.py
+++ b/prowler/providers/kubernetes/services/controllermanager/controllermanager_bind_address/controllermanager_bind_address.py
@@ -8,9 +8,7 @@ class controllermanager_bind_address(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in controllermanager_client.controllermanager_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Controller Manager is bound to the loopback address in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/controllermanager/controllermanager_disable_profiling/controllermanager_disable_profiling.py b/prowler/providers/kubernetes/services/controllermanager/controllermanager_disable_profiling/controllermanager_disable_profiling.py
index 39c98259228..275fc1c0e31 100644
--- a/prowler/providers/kubernetes/services/controllermanager/controllermanager_disable_profiling/controllermanager_disable_profiling.py
+++ b/prowler/providers/kubernetes/services/controllermanager/controllermanager_disable_profiling/controllermanager_disable_profiling.py
@@ -8,9 +8,7 @@ class controllermanager_disable_profiling(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in controllermanager_client.controllermanager_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Controller Manager does not have profiling enabled in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/controllermanager/controllermanager_garbage_collection/controllermanager_garbage_collection.py b/prowler/providers/kubernetes/services/controllermanager/controllermanager_garbage_collection/controllermanager_garbage_collection.py
index 4f03e174815..1f78b126132 100644
--- a/prowler/providers/kubernetes/services/controllermanager/controllermanager_garbage_collection/controllermanager_garbage_collection.py
+++ b/prowler/providers/kubernetes/services/controllermanager/controllermanager_garbage_collection/controllermanager_garbage_collection.py
@@ -8,9 +8,7 @@ class controllermanager_garbage_collection(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in controllermanager_client.controllermanager_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Controller Manager has an appropriate garbage collection threshold in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/controllermanager/controllermanager_root_ca_file_set/controllermanager_root_ca_file_set.py b/prowler/providers/kubernetes/services/controllermanager/controllermanager_root_ca_file_set/controllermanager_root_ca_file_set.py
index 27577a5ec75..b006131a4e8 100644
--- a/prowler/providers/kubernetes/services/controllermanager/controllermanager_root_ca_file_set/controllermanager_root_ca_file_set.py
+++ b/prowler/providers/kubernetes/services/controllermanager/controllermanager_root_ca_file_set/controllermanager_root_ca_file_set.py
@@ -8,9 +8,7 @@ class controllermanager_root_ca_file_set(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in controllermanager_client.controllermanager_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Controller Manager does not have the root CA file set in pod {pod.name}."
 for container in pod.containers.values():
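Review bot: In the controllermanager_root_ca_file_set hunk the default `report.status = "PASS"` is paired with `status_extended = f"Controller Manager does not have the root CA file set in pod {pod.name}."`, which describes the failing condition; if the container loop (outside this hunk) only rewrites the message when it flips the status to FAIL, every compliant pod is reported as PASS with a failing-sounding description. The PASS text should state the compliant state, e.g. `f"Controller Manager has the root CA file set in pod {pod.name}."`. The same PASS/message mismatch appears in the controllermanager_service_account_credentials and controllermanager_service_account_private_key_file hunks on the next physical line, whose default PASS messages read "is not using service account credentials" and "does not have the service account private key file set". The execute() bodies continue past the end of each hunk, so the override path cannot be confirmed from here.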
diff --git a/prowler/providers/kubernetes/services/controllermanager/controllermanager_rotate_kubelet_server_cert/controllermanager_rotate_kubelet_server_cert.py b/prowler/providers/kubernetes/services/controllermanager/controllermanager_rotate_kubelet_server_cert/controllermanager_rotate_kubelet_server_cert.py
index ff1c97f300c..ce9dbaab346 100644
--- a/prowler/providers/kubernetes/services/controllermanager/controllermanager_rotate_kubelet_server_cert/controllermanager_rotate_kubelet_server_cert.py
+++ b/prowler/providers/kubernetes/services/controllermanager/controllermanager_rotate_kubelet_server_cert/controllermanager_rotate_kubelet_server_cert.py
@@ -8,9 +8,7 @@ class controllermanager_rotate_kubelet_server_cert(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in controllermanager_client.controllermanager_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Controller Manager has RotateKubeletServerCertificate set to true in pod {pod.name}."
 kubelete_server_cert = True
diff --git a/prowler/providers/kubernetes/services/controllermanager/controllermanager_service_account_credentials/controllermanager_service_account_credentials.py b/prowler/providers/kubernetes/services/controllermanager/controllermanager_service_account_credentials/controllermanager_service_account_credentials.py
index 5513a8e439e..5d14168b5de 100644
--- a/prowler/providers/kubernetes/services/controllermanager/controllermanager_service_account_credentials/controllermanager_service_account_credentials.py
+++ b/prowler/providers/kubernetes/services/controllermanager/controllermanager_service_account_credentials/controllermanager_service_account_credentials.py
@@ -8,9 +8,7 @@ class controllermanager_service_account_credentials(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in controllermanager_client.controllermanager_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Controller Manager is not using service account credentials in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/controllermanager/controllermanager_service_account_private_key_file/controllermanager_service_account_private_key_file.py b/prowler/providers/kubernetes/services/controllermanager/controllermanager_service_account_private_key_file/controllermanager_service_account_private_key_file.py
index 550d533c0e8..d6339deaf07 100644
--- a/prowler/providers/kubernetes/services/controllermanager/controllermanager_service_account_private_key_file/controllermanager_service_account_private_key_file.py
+++ b/prowler/providers/kubernetes/services/controllermanager/controllermanager_service_account_private_key_file/controllermanager_service_account_private_key_file.py
@@ -8,9 +8,7 @@ class controllermanager_service_account_private_key_file(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in controllermanager_client.controllermanager_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Controller Manager does not have the service account private key file set in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.py
index ff15f26c4ee..469958a8e22 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_admission_hostport_containers/core_minimize_admission_hostport_containers.py
@@ -6,9 +6,7 @@ class core_minimize_admission_hostport_containers(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Pod {pod.name} does not use HostPorts."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py
index 95c9502db0d..a1ed4b88a22 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py
@@ -6,9 +6,7 @@ class core_minimize_admission_windows_hostprocess_containers(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Pod {pod.name} does not have the ability to run a Windows HostProcess."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py
index d0ef8658812..951a09fd332 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py
@@ -6,9 +6,7 @@ class core_minimize_allowPrivilegeEscalation_containers(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Pod {pod.name} does not allow for privilege escalation."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py b/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py
index a802d9a5c30..d3bb2f51ec2 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py
@@ -6,9 +6,7 @@ class core_minimize_containers_added_capabilities(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Pod {pod.name} does not have added capabilities."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py b/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py
index d20689641f5..551ecde56fb 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py
@@ -6,9 +6,7 @@ class core_minimize_containers_capabilities_assigned(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Pod {pod.name} without capabilities issues found."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.py
index c811f3e2895..09781573684 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_hostIPC_containers/core_minimize_hostIPC_containers.py
@@ -6,9 +6,7 @@ class core_minimize_hostIPC_containers(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 if pod.host_ipc:
 report.status = "FAIL"
 report.status_extended = f"Pod {pod.name} is using hostIPC."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_hostNetwork_containers/core_minimize_hostNetwork_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_hostNetwork_containers/core_minimize_hostNetwork_containers.py
index 4ca76676d08..6c201970988 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_hostNetwork_containers/core_minimize_hostNetwork_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_hostNetwork_containers/core_minimize_hostNetwork_containers.py
@@ -6,9 +6,7 @@ class core_minimize_hostNetwork_containers(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 if pod.host_network:
 report.status = "FAIL"
 report.status_extended = f"Pod {pod.name} is using hostNetwork."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_hostPID_containers/core_minimize_hostPID_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_hostPID_containers/core_minimize_hostPID_containers.py
index 1ed74361d6d..18a90be1ac3 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_hostPID_containers/core_minimize_hostPID_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_hostPID_containers/core_minimize_hostPID_containers.py
@@ -6,9 +6,7 @@ class core_minimize_hostPID_containers(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 if pod.host_pid:
 report.status = "FAIL"
 report.status_extended = f"Pod {pod.name} is using hostPID."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.py b/prowler/providers/kubernetes/services/core/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.py
index 4ef8cbe5293..700fe4e6a7a 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.py
@@ -6,9 +6,7 @@ class core_minimize_net_raw_capability_admission(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Pod {pod.name} does not have NET_RAW capability."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.py
index 616b14cf29a..bd6f5d0e793 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.py
@@ -6,9 +6,7 @@ class core_minimize_privileged_containers(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Pod {pod.name} does not contain a privileged container."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.py b/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.py
index b973f938685..37a2e46249a 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.py
@@ -6,9 +6,7 @@ class core_minimize_root_containers_admission(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Pod {pod.name} is not running as root user."
diff --git a/prowler/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.py b/prowler/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.py
index 23af6400839..37575c1b2c9 100644
--- a/prowler/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.py
+++ b/prowler/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.py
@@ -6,9 +6,7 @@ class core_no_secrets_envs(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Pod {pod.name} does not contain any secret environment variables."
diff --git a/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py b/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py
index 2e54f415118..a155925dabb 100644
--- a/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py
+++ b/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py
@@ -6,9 +6,7 @@ class core_seccomp_profile_docker_default(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in core_client.pods.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 pod_seccomp_correct = (
 pod.security_context
diff --git a/prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.py b/prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.py
index 7a41da8fab6..b4f6566e949 100644
--- a/prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.py
+++ b/prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.py
@@ -6,9 +6,7 @@ class etcd_client_cert_auth(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in etcd_client.etcd_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Etcd has client certificate authentication enabled in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.py b/prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.py
index 9c671510a2d..3bb4b3288b8 100644
--- a/prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.py
+++ b/prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.py
@@ -6,9 +6,7 @@ class etcd_no_auto_tls(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in etcd_client.etcd_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Etcd is not configured to use self-signed certificates for TLS in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.py b/prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.py
index b6cab8fea96..6ef863d0d76 100644
--- a/prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.py
+++ b/prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.py
@@ -6,9 +6,7 @@ class etcd_no_peer_auto_tls(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in etcd_client.etcd_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Etcd is not using automatically generated self-signed certificates for peer TLS connections in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.py b/prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.py
index f416fba189a..2d5276e3cc3 100644
--- a/prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.py
+++ b/prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.py
@@ -6,9 +6,7 @@ class etcd_peer_client_cert_auth(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in etcd_client.etcd_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = f"Etcd is configured for peer client certificate authentication in pod {pod.name}."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.py b/prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.py
index 1c2f5bd4217..855c09f6d2b 100644
--- a/prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.py
+++ b/prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.py
@@ -6,9 +6,7 @@ class etcd_peer_tls_config(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in etcd_client.etcd_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "PASS"
 report.status_extended = (
 f"Etcd is configured with TLS for peer connections in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.py b/prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.py
index 6686366dde6..f312178c658 100644
--- a/prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.py
+++ b/prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.py
@@ -6,9 +6,7 @@ class etcd_tls_encryption(Check):
 def execute(self) -> Check_Report_Kubernetes:
 findings = []
 for pod in etcd_client.etcd_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "FAIL"
 report.status_extended = (
 f"Etcd does not have TLS encryption configured in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.py b/prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.py
index 3d058032595..4cde051c3f6 100644
--- a/prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.py
+++ b/prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.py
@@ -17,9 +17,7 @@ def execute(self) -> Check_Report_Kubernetes:
 apiserver_ca_files.append(command.split("=")[1])
 for pod in etcd_client.etcd_pods:
 etcd_ca_files = []
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
 report.status = "MANUAL"
 report.status_extended = f"Etcd uses a different CA file from the Kubernetes cluster CA in pod {pod.name}, but verify if the content is the same."
 for container in pod.containers.values():
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_authorization_mode/kubelet_authorization_mode.py b/prowler/providers/kubernetes/services/kubelet/kubelet_authorization_mode/kubelet_authorization_mode.py
index 517102f026b..f7dca0e8aef 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_authorization_mode/kubelet_authorization_mode.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_authorization_mode/kubelet_authorization_mode.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
authorization = cm.kubelet_args.get("authorization")
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if not authorization:
report.status = "MANUAL"
report.status_extended = f"Kubelet does not have the argument `readOnlyPort` in config file {cm.name}, verify it in the node's arguments."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_client_ca_file_set/kubelet_client_ca_file_set.py b/prowler/providers/kubernetes/services/kubelet/kubelet_client_ca_file_set/kubelet_client_ca_file_set.py
index e777f8779f8..a2974ef78e2 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_client_ca_file_set/kubelet_client_ca_file_set.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_client_ca_file_set/kubelet_client_ca_file_set.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
authentication = cm.kubelet_args.get("authentication")
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if not authentication:
report.status = "MANUAL"
report.status_extended = f"Kubelet does not have the argument `readOnlyPort` in config file {cm.name}, verify it in the node's arguments."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_ownership/kubelet_conf_file_ownership.py b/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_ownership/kubelet_conf_file_ownership.py
index 5fbc0f33cbb..c0f7475daa6 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_ownership/kubelet_conf_file_ownership.py
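Review bot: The MANUAL branch of kubelet_authorization_mode tells the operator that `readOnlyPort` is missing, while the condition it sits under tests `authorization`, so the finding text sends triage to the wrong kubelet setting; the kubelet_client_ca_file_set hunk on this line has the same copy-paste and tests `authentication`. In the first message replace `readOnlyPort` with `authorization`, and in the second with `authentication`, keeping the rest of the sentence as it is. Both execute() bodies continue past the end of the hunk.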
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_ownership/kubelet_conf_file_ownership.py
@@ -7,9 +7,7 @@ class kubelet_conf_file_ownership(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for node in core_client.nodes.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=node
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=node)
# It can only be checked if Prowler is being executed inside a worker node or if the file is the default one
if node.inside:
if is_owned_by_root("/etc/kubernetes/kubelet.conf") is None:
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_permissions/kubelet_conf_file_permissions.py b/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_permissions/kubelet_conf_file_permissions.py
index f8dbe72c4d4..44333b5adb2 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_permissions/kubelet_conf_file_permissions.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_permissions/kubelet_conf_file_permissions.py
@@ -7,9 +7,7 @@ class kubelet_conf_file_permissions(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for node in core_client.nodes.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=node
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=node)
# It can only be checked if Prowler is being executed inside a worker node or if the file is the default one
if node.inside:
if not get_file_permissions("/etc/kubernetes/kubelet.conf"):
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_ownership/kubelet_config_yaml_ownership.py b/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_ownership/kubelet_config_yaml_ownership.py
index 79b30dd6fe8..2259c9d6b16 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_ownership/kubelet_config_yaml_ownership.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_ownership/kubelet_config_yaml_ownership.py
@@ -7,9 +7,7 @@ class kubelet_config_yaml_ownership(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for node in core_client.nodes.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=node
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=node)
# It can only be checked if Prowler is being executed inside a worker node or if the file is the default one
if node.inside:
if is_owned_by_root("/var/lib/kubelet/config.yaml") is None:
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_permissions/kubelet_config_yaml_permissions.py b/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_permissions/kubelet_config_yaml_permissions.py
index fde060027c0..538243beb1d 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_permissions/kubelet_config_yaml_permissions.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_permissions/kubelet_config_yaml_permissions.py
@@ -7,9 +7,7 @@ class kubelet_config_yaml_permissions(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for node in core_client.nodes.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=node
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=node)
# It can only be checked if Prowler is being executed inside a worker node or if the file is the default one
if node.inside:
if not get_file_permissions("/var/lib/kubelet/config.yaml"):
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_disable_anonymous_auth/kubelet_disable_anonymous_auth.py b/prowler/providers/kubernetes/services/kubelet/kubelet_disable_anonymous_auth/kubelet_disable_anonymous_auth.py
index 9c32953f1ad..cb8659aef29 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_disable_anonymous_auth/kubelet_disable_anonymous_auth.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_disable_anonymous_auth/kubelet_disable_anonymous_auth.py
@@ -7,9 +7,7 @@ def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
authentication = cm.kubelet_args.get("authentication", {})
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
report.status = "FAIL"
report.status_extended = (
f"Kubelet has anonymous access enabled in config file {cm.name}."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_disable_read_only_port/kubelet_disable_read_only_port.py b/prowler/providers/kubernetes/services/kubelet/kubelet_disable_read_only_port/kubelet_disable_read_only_port.py
index f135c2ec797..a49be659f2b 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_disable_read_only_port/kubelet_disable_read_only_port.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_disable_read_only_port/kubelet_disable_read_only_port.py
@@ -6,9 +6,7 @@ class kubelet_disable_read_only_port(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if "readOnlyPort" not in cm.kubelet_args:
report.status = "MANUAL"
report.status_extended = f"Kubelet does not have the argument `readOnlyPort` in config file {cm.name}, verify it in the node's arguments."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_event_record_qps/kubelet_event_record_qps.py b/prowler/providers/kubernetes/services/kubelet/kubelet_event_record_qps/kubelet_event_record_qps.py
index f7083964818..352737df346 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_event_record_qps/kubelet_event_record_qps.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_event_record_qps/kubelet_event_record_qps.py
@@ -6,9 +6,7 @@ class kubelet_event_record_qps(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if "eventRecordQPS" not in cm.kubelet_args:
report.status = "MANUAL"
report.status_extended = f"Kubelet does not have the argument `eventRecordQPS` in config file {cm.name}, verify it in the node's arguments."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_manage_iptables/kubelet_manage_iptables.py b/prowler/providers/kubernetes/services/kubelet/kubelet_manage_iptables/kubelet_manage_iptables.py
index efb07f6a98c..824da0c7a43 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_manage_iptables/kubelet_manage_iptables.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_manage_iptables/kubelet_manage_iptables.py
@@ -6,9 +6,7 @@ class kubelet_manage_iptables(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if "makeIPTablesUtilChains" not in cm.kubelet_args:
report.status = "MANUAL"
report.status_extended = f"Kubelet does not have the argument `makeIPTablesUtilChains` in config file {cm.name}, verify it in the node's arguments."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_rotate_certificates/kubelet_rotate_certificates.py b/prowler/providers/kubernetes/services/kubelet/kubelet_rotate_certificates/kubelet_rotate_certificates.py
index fa535157e58..81b7650682d 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_rotate_certificates/kubelet_rotate_certificates.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_rotate_certificates/kubelet_rotate_certificates.py
@@ -6,9 +6,7 @@ class kubelet_rotate_certificates(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if "rotateCertificates" not in cm.kubelet_args:
report.status = "MANUAL"
report.status_extended = f"Kubelet does not have the argument `streamingConnectionIdleTimeout` in config file {cm.name}, verify it in the node's arguments."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_ownership_root/kubelet_service_file_ownership_root.py b/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_ownership_root/kubelet_service_file_ownership_root.py
index 2a7e207c8f3..066471d9204 100644
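Review bot: In the kubelet_rotate_certificates hunk the MANUAL message names `streamingConnectionIdleTimeout` although the condition tests `"rotateCertificates" not in cm.kubelet_args`, so an operator reading the finding is pointed at an unrelated setting. Replace `streamingConnectionIdleTimeout` with `rotateCertificates` in that message; the wording of the other MANUAL messages on this page already follows the argument they test. The execute() body continues outside the hunk.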
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_ownership_root/kubelet_service_file_ownership_root.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_ownership_root/kubelet_service_file_ownership_root.py
@@ -7,9 +7,7 @@ class kubelet_service_file_ownership_root(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for node in core_client.nodes.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=node
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=node)
# It can only be checked if Prowler is being executed inside a worker node or if the file is the default one
if node.inside:
if (
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_permissions/kubelet_service_file_permissions.py b/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_permissions/kubelet_service_file_permissions.py
index c16cab458bf..c221448fd2c 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_permissions/kubelet_service_file_permissions.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_permissions/kubelet_service_file_permissions.py
@@ -7,9 +7,7 @@ class kubelet_service_file_permissions(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for node in core_client.nodes.values():
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=node
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=node)
# It can only be checked if Prowler is being executed inside a worker node or if the file is the default one
if node.inside:
if not get_file_permissions(
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_streaming_connection_timeout/kubelet_streaming_connection_timeout.py b/prowler/providers/kubernetes/services/kubelet/kubelet_streaming_connection_timeout/kubelet_streaming_connection_timeout.py
index cad73d2286e..30eea57a7a3 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_streaming_connection_timeout/kubelet_streaming_connection_timeout.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_streaming_connection_timeout/kubelet_streaming_connection_timeout.py
@@ -6,9 +6,7 @@ class kubelet_streaming_connection_timeout(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if "streamingConnectionIdleTimeout" not in cm.kubelet_args:
report.status = "MANUAL"
report.status_extended = f"Kubelet does not have the argument `streamingConnectionIdleTimeout` in config file {cm.name}, verify it in the node's arguments."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.py b/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.py
index cc2c3a3a56c..46f214b37e0 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.py
@@ -17,9 +17,7 @@ class kubelet_strong_ciphers_only(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if "tlsCipherSuites" not in cm.kubelet_args:
report.status = "MANUAL"
report.status_extended = f"Kubelet does not have the argument `tlsCipherSuites` in config file {cm.name}, verify it in the node's arguments."
diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_tls_cert_and_key/kubelet_tls_cert_and_key.py b/prowler/providers/kubernetes/services/kubelet/kubelet_tls_cert_and_key/kubelet_tls_cert_and_key.py
index bf421181c30..412d7ad35ad 100644
--- a/prowler/providers/kubernetes/services/kubelet/kubelet_tls_cert_and_key/kubelet_tls_cert_and_key.py
+++ b/prowler/providers/kubernetes/services/kubelet/kubelet_tls_cert_and_key/kubelet_tls_cert_and_key.py
@@ -6,9 +6,7 @@ class kubelet_tls_cert_and_key(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for cm in kubelet_client.kubelet_config_maps:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cm
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=cm)
if (
"tlsCertFile" not in cm.kubelet_args
or "tlsPrivateKeyFile" not in cm.kubelet_args
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.py b/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.py
index 49d42dfdd8d..fd1a4a1b9aa 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_Kubernetes:
# Check if the binding refers to the cluster-admin role
if binding.roleRef.name == "cluster-admin":
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=binding.metadata
+ metadata=self.metadata(), resource=binding.metadata
)
report.namespace = (
"cluster-wide"
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
index ab531292dc4..f2527b46062 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.py
@@ -15,7 +15,7 @@ def execute(self) -> Check_Report_Kubernetes:
for subject in crb.subjects:
if subject.kind in ["User", "Group"]:
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=subject
+ metadata=self.metadata(), resource=subject
)
report.status = "PASS"
report.status_extended = f"User or group '{subject.name}' does not have access to update the CSR approval sub-resource."
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py
index f1a5b0285ea..913d968f317 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.py
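Review bot: In rbac_minimize_csr_approval_access the report's resource is now the binding `subject`, which is a User/Group reference rather than a cluster object: it has no uid or namespace, and the same User or Group usually appears in several ClusterRoleBindings, so if Check_Report_Kubernetes derives the resource identifier from the object's `name` (as the AWS variant in this commit does) several findings will share one resource identity and the binding that granted the access is not recorded. Consider passing `crb.metadata` as the resource and keeping the subject in `status_extended`, or, if the subject must stay the resource, give it an explicit id such as `report.resource_id = f"{subject.kind}/{subject.name}"`. The same pattern is in the rbac_minimize_node_proxy_subresource_access, rbac_minimize_pv_creation_access, rbac_minimize_service_account_token_creation and rbac_minimize_webhook_config_access hunks below. The execute() bodies continue outside the hunks.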
@@ -15,7 +15,7 @@ def execute(self) -> Check_Report_Kubernetes:
for subject in crb.subjects:
if subject.kind in ["User", "Group"]:
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=subject
+ metadata=self.metadata(), resource=subject
)
report.status = "PASS"
report.status_extended = f"User or group '{subject.name}' does not have access to the node proxy sub-resource."
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.py
index e7e96cfee97..68e63a6294b 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.py
@@ -14,7 +14,7 @@ def execute(self) -> Check_Report_Kubernetes:
# Check ClusterRoleBindings for pod create access
for cr in rbac_client.cluster_roles.values():
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cr.metadata
+ metadata=self.metadata(), resource=cr.metadata
)
report.status = "PASS"
report.status_extended = (
@@ -30,7 +30,7 @@ def execute(self) -> Check_Report_Kubernetes:
# Check RoleBindings for pod create access
for role in rbac_client.roles.values():
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=role.metadata
+ metadata=self.metadata(), resource=role.metadata
)
report.status = "PASS"
report.status_extended = (
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py
index 622983e8cc2..204942c57e4 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.py
@@ -16,7 +16,7 @@ def execute(self) -> Check_Report_Kubernetes:
for subject in crb.subjects:
if subject.kind in ["User", "Group"]:
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=subject
+ metadata=self.metadata(), resource=subject
)
report.status = "PASS"
report.status_extended = f"User or group '{subject.name}' does not have access to create PersistentVolumes."
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.py
index f847a3378dd..828b19c2361 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.py
@@ -14,7 +14,7 @@ def execute(self) -> Check_Report_Kubernetes:
# Check ClusterRoleBindings for seceret access
for cr in rbac_client.cluster_roles.values():
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cr.metadata
+ metadata=self.metadata(), resource=cr.metadata
)
report.status = "PASS"
report.status_extended = (
@@ -30,7 +30,7 @@ def execute(self) -> Check_Report_Kubernetes:
# Check RoleBindings for secret access
for role in rbac_client.roles.values():
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=role.metadata
+ metadata=self.metadata(), resource=role.metadata
)
report.status = "PASS"
report.status_extended = (
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py
index eb26d00f2d0..9b1318c92fe 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.py
@@ -15,7 +15,7 @@ def execute(self) -> Check_Report_Kubernetes:
for subject in crb.subjects:
if subject.kind in ["User", "Group"]:
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=subject
+ metadata=self.metadata(), resource=subject
)
report.status = "PASS"
report.status_extended = f"User or group '{subject.name}' does not have access to create service account tokens."
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
index 572846021c1..2da9893dab5 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.py
@@ -18,7 +18,7 @@ def execute(self) -> Check_Report_Kubernetes:
for subject in crb.subjects:
if subject.kind in ["User", "Group"]:
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=subject
+ metadata=self.metadata(), resource=subject
)
report.status = "PASS"
report.status_extended = f"User or group '{subject.name}' does not have access to create, update, or delete webhook configurations."
diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.py b/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.py
index 05894e90c68..a00ec51de63 100644
--- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.py
+++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.py
@@ -8,7 +8,7 @@ def execute(self) -> Check_Report_Kubernetes:
# Check ClusterRoles for wildcards
for cr in rbac_client.cluster_roles.values():
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=cr.metadata
+ metadata=self.metadata(), resource=cr.metadata
)
report.status = "PASS"
report.status_extended = (
@@ -28,7 +28,7 @@ def execute(self) -> Check_Report_Kubernetes:
# Check Roles for wildcards
for role in rbac_client.roles.values():
report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=role.metadata
+ metadata=self.metadata(), resource=role.metadata
)
report.status = "PASS"
report.status_extended = (
diff --git a/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.py b/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.py
index be8097832a0..9611413dc44 100644
--- a/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.py
+++ b/prowler/providers/kubernetes/services/scheduler/scheduler_bind_address/scheduler_bind_address.py
@@ -8,9 +8,7 @@ class scheduler_bind_address(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for pod in scheduler_client.scheduler_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
report.status = "PASS"
report.status_extended = (
f"Scheduler is bound to the loopback address in pod {pod.name}."
diff --git a/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.py b/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.py
index 53dbfd4a257..0bfc999652b 100644
--- a/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.py
+++ b/prowler/providers/kubernetes/services/scheduler/scheduler_profiling/scheduler_profiling.py
@@ -8,9 +8,7 @@ class scheduler_profiling(Check):
def execute(self) -> Check_Report_Kubernetes:
findings = []
for pod in scheduler_client.scheduler_pods:
- report = Check_Report_Kubernetes(
- metadata=self.metadata(), resource_metadata=pod
- )
+ report = Check_Report_Kubernetes(metadata=self.metadata(), resource=pod)
report.status = "FAIL"
report.status_extended = (
f"Scheduler has profiling enabled in pod {pod.name}."
From be1a59d0d168980f885c690159371309b07f836e Mon Sep 17 00:00:00 2001
From: MrCloudSec
Date: Fri, 17 Jan 2025 09:44:52 -0500
Subject: [PATCH 03/12] fix: make kubernetes objects serializable
---
...admission_windows_hostprocess_containers.py | 4 ++--
...mize_allowPrivilegeEscalation_containers.py | 2 +-
...e_minimize_containers_added_capabilities.py | 4 ++--
...inimize_containers_capabilities_assigned.py | 6 +++---
.../core_minimize_privileged_containers.py | 5 ++++-
.../core_minimize_root_containers_admission.py | 2 +-
.../core_seccomp_profile_docker_default.py | 8 ++++----
.../kubernetes/services/core/core_service.py | 18 +++++++++++++-----
8 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py
index a1ed4b88a22..0e8f822c342 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_admission_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py
@@ -13,8 +13,8 @@ def execute(self) -> Check_Report_Kubernetes:
for container in pod.containers.values():
if (
container.security_context
- and container.security_context.windows_options
- and container.security_context.windows_options.host_process
+ and container.security_context["windows_options"]
+ and container.security_context["windows_options"]["host_process"]
):
report.status = "FAIL"
report.status_extended = f"Pod {pod.name} has the ability to run a Windows HostProcess in container {container.name}."
diff --git a/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py
index 951a09fd332..5b9d983636a 100644
--- a/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py
+++ b/prowler/providers/kubernetes/services/core/core_minimize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py
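Review bot: The new subscripts `container.security_context["windows_options"]` and `["windows_options"]["host_process"]` raise KeyError when a key is absent, and an exception here aborts the whole check for every pod instead of producing a finding for the one container. The core_service.py change that builds the `security_context` dict is not on this page; if it is the client's `to_dict()` every attribute key is present (with `None`), but a hand-built or filtered dict, or a future schema field, would break the check. Reading with `.get()` keeps the check alive either way: `and (container.security_context.get("windows_options") or {}).get("host_process")`. The same applies to the allow_privilege_escalation, added_capabilities, capabilities_assigned and privileged hunks on the following two lines. The enclosing execute() starts and ends outside the hunk.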
@@ -15,7 +15,7 @@ def execute(self) -> Check_Report_Kubernetes: for container in pod.containers.values(): if ( container.security_context - and container.security_context.allow_privilege_escalation + and container.security_context["allow_privilege_escalation"] ): report.status = "FAIL" report.status_extended = f"Pod {pod.name} allows privilege escalation in container {container.name}." diff --git a/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py b/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py index d3bb2f51ec2..89939ad9e8e 100644 --- a/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py +++ b/prowler/providers/kubernetes/services/core/core_minimize_containers_added_capabilities/core_minimize_containers_added_capabilities.py @@ -13,8 +13,8 @@ def execute(self) -> Check_Report_Kubernetes: for container in pod.containers.values(): if ( container.security_context - and container.security_context.capabilities - and container.security_context.capabilities.add + and container.security_context["capabilities"] + and container.security_context["capabilities"]["add"] ): report.status = "FAIL" report.status_extended = f"Pod {pod.name} has added capabilities in container {container.name}." diff --git a/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py b/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py index 551ecde56fb..80adea7c56d 100644 --- a/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py 
+++ b/prowler/providers/kubernetes/services/core/core_minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py @@ -15,11 +15,11 @@ def execute(self) -> Check_Report_Kubernetes: for container in pod.containers.values(): if ( container.security_context - and container.security_context.capabilities + and container.security_context["capabilities"] ): if ( - container.security_context.capabilities.add - or not container.security_context.capabilities.drop + container.security_context["capabilities"]["add"] + or not container.security_context["capabilities"]["drop"] ): report.status = "FAIL" report.status_extended = f"Pod {pod.name} has capabilities assigned or not all dropped in container {container.name}." diff --git a/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.py b/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.py index bd6f5d0e793..9e36606971e 100644 --- a/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.py +++ b/prowler/providers/kubernetes/services/core/core_minimize_privileged_containers/core_minimize_privileged_containers.py @@ -13,7 +13,10 @@ def execute(self) -> Check_Report_Kubernetes: ) for container in pod.containers.values(): - if container.security_context and container.security_context.privileged: + if ( + container.security_context + and container.security_context["privileged"] + ): report.status = "FAIL" report.status_extended = f"Pod {pod.name} contains a privileged container {container.name}." break diff --git a/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.py b/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.py index 37a2e46249a..c032b6a1940 100644 
--- a/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.py +++ b/prowler/providers/kubernetes/services/core/core_minimize_root_containers_admission/core_minimize_root_containers_admission.py @@ -13,7 +13,7 @@ def execute(self) -> Check_Report_Kubernetes: for container in pod.containers.values(): if ( container.security_context - and container.security_context.run_as_user == 0 + and container.security_context["run_as_user"] == 0 ): report.status = "FAIL" report.status_extended = f"Pod {pod.name} is running as root user in container {container.name}." diff --git a/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py b/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py index a155925dabb..ace9006e571 100644 --- a/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py +++ b/prowler/providers/kubernetes/services/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.py @@ -10,8 +10,8 @@ def execute(self) -> Check_Report_Kubernetes: pod_seccomp_correct = ( pod.security_context - and pod.security_context.seccomp_profile - and pod.security_context.seccomp_profile.type == "RuntimeDefault" + and pod.security_context["seccomp_profile"] + and pod.security_context["seccomp_profile"]["type"] == "RuntimeDefault" ) containers_seccomp_correct = True @@ -19,8 +19,8 @@ def execute(self) -> Check_Report_Kubernetes: for container in pod.containers.values(): if not ( container.security_context - and container.security_context.seccomp_profile - and container.security_context.seccomp_profile.type + and container.security_context["seccomp_profile"] + and container.security_context["seccomp_profile"]["type"] == "RuntimeDefault" ): containers_seccomp_correct = False 
diff --git a/prowler/providers/kubernetes/services/core/core_service.py b/prowler/providers/kubernetes/services/core/core_service.py index 3d100fb739c..ec6fb48ca80 100644 --- a/prowler/providers/kubernetes/services/core/core_service.py +++ b/prowler/providers/kubernetes/services/core/core_service.py @@ -1,5 +1,5 @@ import socket -from typing import Any, List, Optional +from typing import List, Optional from pydantic import BaseModel @@ -60,7 +60,11 @@ def _get_pods(self): if container.env else None ), - security_context=container.security_context, + security_context=( + container.security_context.to_dict() + if container.security_context + else {} + ), ) self.pods[pod.metadata.uid] = Pod( name=pod.metadata.name, @@ -76,7 +80,11 @@ def _get_pods(self): host_pid=pod.spec.host_pid, host_ipc=pod.spec.host_ipc, host_network=pod.spec.host_network, - security_context=pod.spec.security_context, + security_context=( + pod.spec.security_context.to_dict() + if pod.spec.security_context + else {} + ), containers=pod_containers, ) except Exception as error: @@ -147,7 +155,7 @@ class Container(BaseModel): command: Optional[List[str]] ports: Optional[List[dict]] env: Optional[List[dict]] - security_context: Any + security_context: dict class Pod(BaseModel): @@ -164,7 +172,7 @@ class Pod(BaseModel): host_pid: Optional[str] host_ipc: Optional[str] host_network: Optional[str] - security_context: Any + security_context: Optional[dict] containers: Optional[dict] From eb80db0b32f2390624f51d9c56bb1b1de2d4846c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Fri, 17 Jan 2025 16:12:47 +0100 Subject: [PATCH 04/12] fix(entra): change AuthMethod to be a custom model --- .../azure/services/entra/entra_service.py | 25 +++++++++++++------ 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/prowler/providers/azure/services/entra/entra_service.py b/prowler/providers/azure/services/entra/entra_service.py index 97e84c07773..9876e5d822e 100644 
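Review bot: `Pod.security_context` is typed `Optional[dict]` while `Container.security_context` is typed `dict`, yet both `_get_pods` hunks now always supply a dict (`to_dict()` or `{}`), so the `Optional` is looser than the code and the two models disagree for no visible reason; `security_context: dict` on `Pod` as well would match the constructor. Since this series presumably serializes these models into the finding's resource metadata, it is worth confirming that the sibling `env: Optional[List[dict]]` field (context lines in the same section) does not carry plaintext environment values into the reports, which would be a place secrets leak into output files; if it does, a redaction or allow-list at model construction is the place to handle it. `_get_pods` begins outside the hunk.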
--- a/prowler/providers/azure/services/entra/entra_service.py +++ b/prowler/providers/azure/services/entra/entra_service.py @@ -1,6 +1,6 @@ from asyncio import gather, get_event_loop from dataclasses import dataclass -from typing import Any, List, Optional +from typing import List, Optional from uuid import UUID from msgraph import GraphServiceClient @@ -56,11 +56,17 @@ async def _get_users(self): user.user_principal_name: User( id=user.id, name=user.display_name, - authentication_methods=( - await client.users.by_user_id( - user.id - ).authentication.methods.get() - ).value, + authentication_methods=[ + AuthMethod( + id=auth_method.id, + type=getattr(auth_method, "odata_type", None), + ) + for auth_method in ( + await client.users.by_user_id( + user.id + ).authentication.methods.get() + ).value + ], ) } ) @@ -309,10 +315,15 @@ async def _get_conditional_access_policy(self): return conditional_access_policy +class AuthMethod(BaseModel): + id: str + type: str + + class User(BaseModel): id: str name: str - authentication_methods: List[Any] = [] + authentication_methods: List[AuthMethod] = [] @dataclass From 3a44d7f6e055115e31eaf592701fdedf7c30927a Mon Sep 17 00:00:00 2001 From: MrCloudSec Date: Fri, 17 Jan 2025 11:27:41 -0500 Subject: [PATCH 05/12] fix: lib tests --- .../lib/outputs/compliance/compliance_test.py | 21 +++++++++++-------- tests/lib/outputs/ocsf/ocsf_test.py | 6 +++--- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/tests/lib/outputs/compliance/compliance_test.py b/tests/lib/outputs/compliance/compliance_test.py index 85090869370..d9458bc6b07 100644 --- a/tests/lib/outputs/compliance/compliance_test.py +++ b/tests/lib/outputs/compliance/compliance_test.py 
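Review bot: `type=getattr(auth_method, "odata_type", None)` can hand `None` to `AuthMethod.type`, which the model hunk further down declares as a plain `str`; pydantic rejects `None` for a required `str` field, so one authentication method without `odata_type` would raise a validation error and presumably abort `_get_users` for the whole tenant. Either declare `type: Optional[str]` (the `Optional` import is kept by the first hunk) or fall back to a string: `type=getattr(auth_method, "odata_type", "") or "",`. The `AuthMethod.id: str` field has the same exposure if `auth_method.id` is ever `None`. `_get_users` begins outside the hunk.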
@@ -70,9 +70,10 @@ def test_get_check_compliance_aws(self): ] finding = Check_Report( - load_check_metadata( + metadata=load_check_metadata( f"{path.dirname(path.realpath(__file__))}/../fixtures/metadata.json" - ).json() + ).json(), + resource={}, ) finding.resource_details = "Test resource details" finding.resource_id = "test-resource" @@ -149,9 +150,10 @@ def test_get_check_compliance_gcp(self): ] finding = Check_Report( - load_check_metadata( + metadata=load_check_metadata( f"{path.dirname(path.realpath(__file__))}/../fixtures/metadata.json" - ).json() + ).json(), + resource={}, ) finding.resource_details = "Test resource details" finding.resource_id = "test-resource" @@ -228,9 +230,10 @@ def test_get_check_compliance_azure(self): ] finding = Check_Report( - load_check_metadata( + metadata=load_check_metadata( f"{path.dirname(path.realpath(__file__))}/../fixtures/metadata.json" - ).json() + ).json(), + resource={}, ) finding.resource_details = "Test resource details" finding.resource_id = "test-resource" @@ -307,11 +310,11 @@ def test_get_check_compliance_kubernetes(self): ] finding = Check_Report( - load_check_metadata( + metadata=load_check_metadata( f"{path.dirname(path.realpath(__file__))}/../fixtures/metadata.json" - ).json() + ).json(), + resource={}, ) - print(finding) finding.resource_details = "Test resource details" finding.resource_id = "test-resource" finding.resource_arn = "test-arn" diff --git a/tests/lib/outputs/ocsf/ocsf_test.py b/tests/lib/outputs/ocsf/ocsf_test.py index 9eee49c86a8..6c9bf38001b 100644 --- a/tests/lib/outputs/ocsf/ocsf_test.py +++ b/tests/lib/outputs/ocsf/ocsf_test.py 
@@ -78,7 +78,7 @@ def test_transform(self): assert output_data.resources[0].region == findings[0].region assert output_data.resources[0].data == { "details": findings[0].resource_details, - # "metadata": {}, TODO: add metadata to the resource details + "metadata": {}, } assert output_data.metadata.profiles == ["cloud", "datetime"] assert output_data.metadata.tenant_uid == "test-organization-id" @@ -194,7 +194,7 @@ def test_batch_write_data_to_file(self): "region": "eu-west-1", "data": { "details": "resource_details", - # "metadata": {} TODO: add metadata to the resource details + "metadata": {}, }, "group": {"name": "test-service"}, "labels": [], @@ -321,7 +321,7 @@ def test_finding_output_cloud_pass_low_muted(self): assert resource_details[0].region == finding_output.region assert resource_details[0].data == { "details": finding_output.resource_details, - # "metadata": {}, TODO: add metadata to the resource details + "metadata": {}, } resource_details_group = resource_details[0].group From bfb10cb55dc14a1101b25828026ef4b653695d68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Fri, 17 Jan 2025 17:51:09 +0100 Subject: [PATCH 06/12] fix: add proper authmethod class in tests --- ...ra_global_admin_in_less_than_five_users.py | 2 +- ...obal_admin_in_less_than_five_users_test.py | 2 +- .../entra_non_privileged_user_has_mfa_test.py | 124 +++++++++----- .../entra_privileged_user_has_mfa_test.py | 124 +++++++++----- .../entra_user_with_vm_access_has_mfa_test.py | 160 +++++++++++------- 5 files changed, 272 insertions(+), 140 deletions(-) diff --git a/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py b/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py index 05ca5082791..cfcb3c85141 100644 
--- a/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py +++ b/prowler/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users.py @@ -9,7 +9,7 @@ def execute(self) -> Check_Report_Azure: for tenant_domain, directory_roles in entra_client.directory_roles.items(): report = Check_Report_Azure( metadata=self.metadata(), - resource=directory_roles["Global Administrator"], + resource=directory_roles.get("Global Administrator", {}), ) report.status = "FAIL" report.subscription = f"Tenant: {tenant_domain}" diff --git a/tests/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users_test.py b/tests/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users_test.py index 470983995f2..4820f13ad96 100644 --- a/tests/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users_test.py +++ b/tests/providers/azure/services/entra/entra_global_admin_in_less_than_five_users/entra_global_admin_in_less_than_five_users_test.py @@ -24,7 +24,7 @@ def test_entra_no_tenants(self): entra_client.directory_roles = {} - entra_client.uses = {} + entra_client.users = {} check = entra_global_admin_in_less_than_five_users() result = check.execute() diff --git a/tests/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa_test.py b/tests/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa_test.py index 5b05a04ff59..84dab8985bd 100644 --- a/tests/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa_test.py +++ b/tests/providers/azure/services/entra/entra_non_privileged_user_has_mfa/entra_non_privileged_user_has_mfa_test.py 
@@ -8,12 +8,15 @@ class Test_entra_non_privileged_user_has_mfa: def test_entra_no_tenants(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa import ( entra_non_privileged_user_has_mfa, @@ -28,12 +31,15 @@ def test_entra_no_tenants(self): def test_entra_tenant_no_users(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa import ( entra_non_privileged_user_has_mfa, 
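Review bot: The parenthesized multi-item `with (...)` form adopted in every hunk here is only documented as supported grammar from Python 3.10; on an older interpreter (whether the project's minimum still allows one is not visible in the diff) the module fails at parse time, so every test in the file is lost as a collection error rather than failing individually. If the declared minimum is 3.10 or higher this is fine and the new layout is clearer than the comma-separated form it replaces; otherwise keep the previous `with mock.patch(...), mock.patch(...):` spelling or use `contextlib.ExitStack`. The same rewrite appears in every hunk of entra_privileged_user_has_mfa_test.py and entra_user_with_vm_access_has_mfa_test.py.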
@@ -49,22 +55,30 @@ def test_entra_user_no_privileged_no_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa import ( entra_non_privileged_user_has_mfa, ) from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, DirectoryRole, User, ) - user = User(id=user_id, name="foo", authentication_methods=["foo"]) + user = User( + id=user_id, + name="foo", + authentication_methods=[AuthMethod(id=str(uuid4()), type="foo")], + ) entra_client.users = {DOMAIN: {f"foo@{DOMAIN}": user}} entra_client.directory_roles = { 
@@ -89,22 +103,33 @@ def test_entra_user_no_privileged_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa import ( entra_non_privileged_user_has_mfa, ) from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, DirectoryRole, User, ) - user = User(id=user_id, name="foo", authentication_methods=["foo", "bar"]) + user = User( + id=user_id, + name="foo", + authentication_methods=[ + AuthMethod(id=str(uuid4()), type="foo"), + AuthMethod(id=str(uuid4()), type="bar"), + ], + ) entra_client.users = {DOMAIN: {f"foo@{DOMAIN}": user}} entra_client.directory_roles = { 
@@ -126,22 +151,30 @@ def test_entra_user_privileged_no_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa import ( entra_non_privileged_user_has_mfa, ) from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, DirectoryRole, User, ) - user = User(id=user_id, name="foo", authentication_methods=["foo"]) + user = User( + id=user_id, + name="foo", + authentication_methods=[AuthMethod(id=str(uuid4()), type="foo")], + ) entra_client.users = {DOMAIN: {f"foo@{DOMAIN}": user}} entra_client.directory_roles = { 
@@ -160,22 +193,33 @@ def test_entra_user_privileged_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_non_privileged_user_has_mfa.entra_non_privileged_user_has_mfa import ( entra_non_privileged_user_has_mfa, ) from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, DirectoryRole, User, ) - user = User(id=user_id, name="foo", authentication_methods=["foo", "bar"]) + user = User( + id=user_id, + name="foo", + authentication_methods=[ + AuthMethod(id=str(uuid4()), type="foo"), + AuthMethod(id=str(uuid4()), type="bar"), + ], + ) entra_client.users = {DOMAIN: {f"foo@{DOMAIN}": user}} entra_client.directory_roles = { diff --git a/tests/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa_test.py b/tests/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa_test.py index d3b4863c19b..51ffba58da5 100644 --- a/tests/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa_test.py +++ b/tests/providers/azure/services/entra/entra_privileged_user_has_mfa/entra_privileged_user_has_mfa_test.py 
@@ -8,12 +8,15 @@ class Test_entra_privileged_user_has_mfa: def test_entra_no_tenants(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa import ( entra_privileged_user_has_mfa, @@ -28,12 +31,15 @@ def test_entra_no_tenants(self): def test_entra_tenant_no_users(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa import ( entra_privileged_user_has_mfa, 
@@ -49,22 +55,30 @@ def test_entra_user_no_privileged_no_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa import ( entra_privileged_user_has_mfa, ) from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, DirectoryRole, User, ) - user = User(id=user_id, name="foo", authentication_methods=["foo"]) + user = User( + id=user_id, + name="foo", + authentication_methods=[AuthMethod(id=str(uuid4()), type="foo")], + ) entra_client.users = {DOMAIN: {f"foo@{DOMAIN}": user}} entra_client.directory_roles = { 
@@ -81,22 +95,33 @@ def test_entra_user_no_privileged_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa import ( entra_privileged_user_has_mfa, ) from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, DirectoryRole, User, ) - user = User(id=user_id, name="foo", authentication_methods=["foo", "bar"]) + user = User( + id=user_id, + name="foo", + authentication_methods=[ + AuthMethod(id=str(uuid4()), type="foo"), + AuthMethod(id=str(uuid4()), type="bar"), + ], + ) entra_client.users = {DOMAIN: {f"foo@{DOMAIN}": user}} entra_client.directory_roles = { 
@@ -113,22 +138,30 @@ def test_entra_user_privileged_no_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa import ( entra_privileged_user_has_mfa, ) from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, DirectoryRole, User, ) - user = User(id=user_id, name="foo", authentication_methods=["foo"]) + user = User( + id=user_id, + name="foo", + authentication_methods=[AuthMethod(id=str(uuid4()), type="foo")], + ) entra_client.users = {DOMAIN: {f"foo@{DOMAIN}": user}} entra_client.directory_roles = { 
@@ -152,22 +185,33 @@ def test_entra_user_privileged_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_privileged_user_has_mfa.entra_privileged_user_has_mfa import ( entra_privileged_user_has_mfa, ) from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, DirectoryRole, User, ) - user = User(id=user_id, name="foo", authentication_methods=["foo", "bar"]) + user = User( + id=user_id, + name="foo", + authentication_methods=[ + AuthMethod(id=str(uuid4()), type="foo"), + AuthMethod(id=str(uuid4()), type="bar"), + ], + ) entra_client.users = {DOMAIN: {f"foo@{DOMAIN}": user}} entra_client.directory_roles = { diff --git a/tests/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa_test.py b/tests/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa_test.py index 6c603796993..53ab5d8b3e1 100644 --- a/tests/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa_test.py +++ b/tests/providers/azure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa_test.py 
@@ -14,12 +14,15 @@ def test_iam_no_roles(self): iam_client = mock.MagicMock entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", - new=iam_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", + new=iam_client, + ), ): from prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa import ( entra_user_with_vm_access_has_mfa, 
@@ -38,21 +41,30 @@ def test_entra_user_with_vm_access_has_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", - new=iam_client, - ): - with mock.patch( + with ( + mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client", - new=entra_client, + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", + new=iam_client, + ), + ): + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client", + new=entra_client, + ), ): - from prowler.providers.azure.services.entra.entra_service import User + from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, + User, + ) from prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa import ( entra_user_with_vm_access_has_mfa, ) @@ -76,8 +88,10 @@ def test_entra_user_with_vm_access_has_mfa(self): id=user_id, name="test", authentication_methods=[ - "Password", - "MicrosoftAuthenticator", + AuthMethod(id=str(uuid4()), type="Password"), + AuthMethod( + id=str(uuid4()), type="MicrosoftAuthenticator" + ), ], ) } 
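Review bot: The rewrite keeps the two nested `with` blocks, the inner of which patches `Provider.get_global_provider` a second time with the same mock, so the nesting only adds an indentation level and a redundant patch; with the parenthesized form now in use, the three patches fit in one `with` and the body can lose one indent level. The same layout is kept in the `@@ -101,21 +115,30 @@` and `@@ -159,19 +186,25 @@` hunks of this file.
```python
        with (
            mock.patch(
                "prowler.providers.common.provider.Provider.get_global_provider",
                return_value=set_mocked_azure_provider(),
            ),
            mock.patch(
                "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client",
                new=iam_client,
            ),
            mock.patch(
                "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client",
                new=entra_client,
            ),
        ):
            # … unchanged: imports and test body, dedented one level …
```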
@@ -101,21 +115,30 @@ def test_entra_user_with_vm_access_has_mfa_no_mfa(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", - new=iam_client, - ): - with mock.patch( + with ( + mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client", - new=entra_client, + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", + new=iam_client, + ), + ): + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client", + new=entra_client, + ), ): - from prowler.providers.azure.services.entra.entra_service import User + from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, + User, + ) from prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa import ( entra_user_with_vm_access_has_mfa, ) @@ -136,7 +159,11 @@ def test_entra_user_with_vm_access_has_mfa_no_mfa(self): entra_client.users = { DOMAIN: { f"test@{DOMAIN}": User( - id=user_id, name="test", authentication_methods=["Password"] + id=user_id, + name="test", + authentication_methods=[ + AuthMethod(id=str(uuid4()), type="Password"), + ], ) } } 
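Review bot: The inner `with (...)` in test_entra_user_with_vm_access_has_mfa_no_mfa re-patches `Provider.get_global_provider` with the same `set_mocked_azure_provider()` the outer block already installed, so the nesting only adds a second identical patch; the `entra_client` patch can move into the outer tuple and the inner block be dropped, and the sibling tests on this file follow the same pattern. A pre-existing but related issue: `entra_client = mock.MagicMock` binds the class, not an instance, so the later `entra_client.users = {...}` sets an attribute on `unittest.mock.MagicMock` itself and can leak between tests; `mock.MagicMock()` would isolate it. Parenthesised context managers are official grammar only from Python 3.10, so confirm the project's minimum supported version before relying on them everywhere.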
@@ -159,19 +186,25 @@ def test_entra_user_with_vm_access_has_mfa_no_user(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", - new=iam_client, - ): - with mock.patch( + with ( + mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client", - new=entra_client, + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", + new=iam_client, + ), + ): + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa import ( entra_user_with_vm_access_has_mfa, 
@@ -202,21 +235,30 @@ def test_entra_user_with_vm_access_has_mfa_no_role(self): entra_client = mock.MagicMock user_id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", - new=iam_client, - ): - with mock.patch( + with ( + mock.patch( "prowler.providers.common.provider.Provider.get_global_provider", return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client", - new=entra_client, + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.iam_client", + new=iam_client, + ), + ): + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa.entra_client", + new=entra_client, + ), ): - from prowler.providers.azure.services.entra.entra_service import User + from prowler.providers.azure.services.entra.entra_service import ( + AuthMethod, + User, + ) from prowler.providers.azure.services.entra.entra_user_with_vm_access_has_mfa.entra_user_with_vm_access_has_mfa import ( entra_user_with_vm_access_has_mfa, ) @@ -240,8 +282,10 @@ def test_entra_user_with_vm_access_has_mfa_no_role(self): id=user_id, name="test", authentication_methods=[ - "Password", - "MicrosoftAuthenticator", + AuthMethod(id=str(uuid4()), type="Password"), + AuthMethod( + id=str(uuid4()), type="MicrosoftAuthenticator" + ), ], ) } From e90b43e5687d95211a731bf4a50f08aa1d9b6d1a Mon Sep 17 00:00:00 2001 
From: MrCloudSec Date: Fri, 17 Jan 2025 14:24:46 -0500 Subject: [PATCH 07/12] fix: tests --- tests/lib/outputs/finding_test.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/lib/outputs/finding_test.py b/tests/lib/outputs/finding_test.py index 627d7df9051..98af2989068 100644 --- a/tests/lib/outputs/finding_test.py +++ b/tests/lib/outputs/finding_test.py @@ -82,6 +82,7 @@ def test_generate_output_aws(self): check_output.status_extended = "mock_status_extended" check_output.muted = False check_output.check_metadata = mock_check_metadata(provider="aws") + check_output.resource = {} # Mock output options output_options = MagicMock() @@ -178,6 +179,7 @@ def test_generate_output_azure(self): check_output.status_extended = "mock_status_extended" check_output.muted = False check_output.check_metadata = mock_check_metadata(provider="azure") + check_output.resource = {} # Mock output options output_options = MagicMock() @@ -266,6 +268,7 @@ def test_generate_output_gcp(self): check_output.status_extended = "mock_status_extended" check_output.muted = False check_output.check_metadata = mock_check_metadata(provider="gcp") + check_output.resource = {} # Mock output options output_options = MagicMock() @@ -344,6 +347,7 @@ def test_generate_output_kubernetes(self): check_output.muted = False check_output.check_metadata = mock_check_metadata(provider="kubernetes") check_output.timestamp = datetime.now() + check_output.resource = {} # Mock Output Options output_options = MagicMock() From 60242edbde003a4bae49da9506d8e67c164be169 Mon Sep 17 00:00:00 2001 From: MrCloudSec Date: Mon, 20 Jan 2025 16:37:10 -0500 Subject: [PATCH 08/12] solve comment --- prowler/lib/outputs/finding.py | 2 +- prowler/lib/outputs/ocsf/ocsf.py | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/prowler/lib/outputs/finding.py b/prowler/lib/outputs/finding.py index e8b72b3f847..c9ad89bacbc 100644 --- a/prowler/lib/outputs/finding.py +++ b/prowler/lib/outputs/finding.py 
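Review bot: Setting `check_output.resource = {}` in each of the four tests only stops `generate_output` from failing on a missing attribute; none of them asserts that the dictionary actually reaches the generated Finding, so a regression that drops or renames the field would still pass. Use a distinguishable value such as `check_output.resource = {"id": "mock_resource"}` and add `assert output.resource_metadata == {"id": "mock_resource"}` beside the existing assertions on the result (those assertions lie outside these hunks, so adapt the variable name).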
@@ -35,7 +35,7 @@ class Finding(BaseModel): status_extended: str muted: bool = False resource_uid: str - resource: dict = Field(default_factory=dict) + resource_metadata: dict = Field(default_factory=dict) resource_name: str resource_details: str resource_tags: dict = Field(default_factory=dict) diff --git a/prowler/lib/outputs/ocsf/ocsf.py b/prowler/lib/outputs/ocsf/ocsf.py index 89442d20a3a..5d3ee887a3b 100644 --- a/prowler/lib/outputs/ocsf/ocsf.py +++ b/prowler/lib/outputs/ocsf/ocsf.py @@ -113,7 +113,7 @@ def transform(self, findings: List[Finding]) -> None: region=finding.region, data={ "details": finding.resource_details, - "metadata": finding.resource, + "metadata": finding.resource_metadata, }, ) ] @@ -127,7 +127,7 @@ def transform(self, findings: List[Finding]) -> None: type=finding.metadata.ResourceType, data={ "details": finding.resource_details, - "metadata": finding.resource, + "metadata": finding.resource_metadata, }, namespace=finding.region.replace("namespace: ", ""), ) @@ -206,7 +206,6 @@ def batch_write_data_to_file(self) -> None: self._file_descriptor.write("]") self._file_descriptor.close() except Exception as error: - print(finding) logger.error( f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" ) From a2b320dd2c13440935a802313747270a6eba07ef Mon Sep 17 00:00:00 2001 
From: MrCloudSec Date: Tue, 21 Jan 2025 14:09:17 -0500 Subject: [PATCH 09/12] chore: do not add lists to check report --- prowler/lib/check/models.py | 4 +-- prowler/lib/outputs/finding.py | 1 + .../backup_vaults_exist.py | 4 +-- ...oudwatch_cross_account_sharing_disabled.py | 4 +-- .../iam_securityaudit_role_created.py | 29 +++++++++++++------ .../iam_support_role_created.py | 23 +++++++++------ .../resourceexplorer2_indexes_found.py | 2 +- .../ssmincidents_enabled_with_plans.py | 9 +++++- .../trustedadvisor_errors_and_warnings.py | 2 +- ...tic_setting_with_appropriate_categories.py | 4 +-- .../monitor_diagnostic_settings_exists.py | 4 +-- .../network_bastion_host_exists.py | 4 +-- .../network_watcher_enabled.py | 4 +-- 13 files changed, 52 insertions(+), 42 deletions(-) diff --git a/prowler/lib/check/models.py b/prowler/lib/check/models.py index e649bbc3790..cdcdd2dd39c 100644 --- a/prowler/lib/check/models.py +++ b/prowler/lib/check/models.py @@ -422,8 +422,6 @@ def __init__(self, metadata: Dict, resource: Any) -> None: self.check_metadata = CheckMetadata.parse_raw(metadata) if isinstance(resource, dict): self.resource = resource - elif isinstance(resource, list): - self.resource = dict(enumerate(resource)) elif hasattr(resource, "dict"): self.resource = resource.dict() elif hasattr(resource, "to_dict"): @@ -432,7 +430,7 @@ def __init__(self, metadata: Dict, resource: Any) -> None: self.resource = resource.__dict__ else: logger.error( - f"Resource metadata {type(resource)} could not be converted to dict" + f"Resource metadata {type(resource)} in {self.check_metadata.CheckID} could not be converted to dict" ) self.resource = {} self.status_extended = "" diff --git a/prowler/lib/outputs/finding.py b/prowler/lib/outputs/finding.py index c9ad89bacbc..7977fe77ced 100644 --- a/prowler/lib/outputs/finding.py +++ b/prowler/lib/outputs/finding.py 
@@ -121,6 +121,7 @@ def generate_output( ) try: output_data["provider"] = provider.type + output_data["resource_metadata"] = check_output.resource if provider.type == "aws": output_data["account_uid"] = get_nested_attribute( diff --git a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py index 4f861a96bc6..0cf292960d8 100644 --- a/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py +++ b/prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py @@ -6,9 +6,7 @@ class backup_vaults_exist(Check): def execute(self): findings = [] if backup_client.backup_vaults is not None: - report = Check_Report_AWS( - metadata=self.metadata(), resource=backup_client.backup_vaults - ) + report = Check_Report_AWS(metadata=self.metadata(), resource={}) report.resource_arn = backup_client.backup_vault_arn_template report.resource_id = backup_client.audited_account report.region = backup_client.region diff --git a/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py b/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py index e986f91debe..e08c764715b 100644 --- a/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py +++ b/prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py 
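Review bot: `output_data["resource_metadata"] = check_output.resource` copies the whole serialized provider resource into every output format with no filtering, and the service models it comes from are not visible here, so it is worth confirming that none of them carries secret-bearing fields (policy documents, environment variables or connection strings are the usual suspects in cloud inventories) before this lands in CSV/JSON/OCSF files that get stored and shared. If any do, this assignment is the single place to apply an allow-list or redaction step. A short comment would also help the next reader: `# Raw resource dict built by Check_Report.__init__; emitted as-is into every output writer`. generate_output starts and ends outside the hunk.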
@@ -6,9 +6,7 @@ class cloudwatch_cross_account_sharing_disabled(Check): def execute(self): findings = [] if iam_client.roles is not None: - report = Check_Report_AWS( - metadata=self.metadata(), resource=iam_client.roles - ) + report = Check_Report_AWS(metadata=self.metadata(), resource={}) report.status = "PASS" report.status_extended = "CloudWatch doesn't allow cross-account sharing." report.region = iam_client.region diff --git a/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py b/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py index 123ee98cc84..bbda72671c9 100644 --- a/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py +++ b/prowler/providers/aws/services/iam/iam_securityaudit_role_created/iam_securityaudit_role_created.py 
@@ -6,19 +6,30 @@ class iam_securityaudit_role_created(Check): def execute(self) -> Check_Report_AWS: findings = [] if iam_client.entities_role_attached_to_securityaudit_policy is not None: - report = Check_Report_AWS( - metadata=self.metadata(), - resource=iam_client.entities_role_attached_to_securityaudit_policy, - ) - report.region = iam_client.region - report.resource_id = "SecurityAudit" - report.resource_arn = ( - f"arn:{iam_client.audited_partition}:iam::aws:policy/SecurityAudit" - ) if iam_client.entities_role_attached_to_securityaudit_policy: + report = Check_Report_AWS( + metadata=self.metadata(), + resource=iam_client.entities_role_attached_to_securityaudit_policy[ + 0 + ], + ) + report.region = iam_client.region + report.resource_id = "SecurityAudit" + report.resource_arn = ( + f"arn:{iam_client.audited_partition}:iam::aws:policy/SecurityAudit" + ) report.status = "PASS" report.status_extended = f"SecurityAudit policy attached to role {iam_client.entities_role_attached_to_securityaudit_policy[0]['RoleName']}." else: + report = Check_Report_AWS( + metadata=self.metadata(), + resource={}, + ) + report.region = iam_client.region + report.resource_id = "SecurityAudit" + report.resource_arn = ( + f"arn:{iam_client.audited_partition}:iam::aws:policy/SecurityAudit" + ) report.status = "FAIL" report.status_extended = ( "SecurityAudit policy is not attached to any role." diff --git a/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py b/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py index f4dd61c8a1a..0420d53acc7 100644 --- a/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py +++ b/prowler/providers/aws/services/iam/iam_support_role_created/iam_support_role_created.py 
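Review bot: Both branches of iam_securityaudit_role_created now repeat the `region`, `resource_id` and `resource_arn` assignments; the only thing that differs between them is the resource handed to the constructor. Build the report once with `resource=iam_client.entities_role_attached_to_securityaudit_policy[0] if iam_client.entities_role_attached_to_securityaudit_policy else {}`, keep a single set of attribute assignments, and leave only `status`/`status_extended` inside the `if`/`else`. execute() continues past the hunk.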
@@ -6,19 +6,24 @@ class iam_support_role_created(Check): def execute(self) -> Check_Report_AWS: findings = [] if iam_client.entities_role_attached_to_support_policy is not None: - report = Check_Report_AWS( - metadata=self.metadata(), - resource=iam_client.entities_role_attached_to_support_policy, - ) - report.region = iam_client.region - report.resource_id = iam_client.audited_account - report.resource_arn = ( - f"arn:{iam_client.audited_partition}:iam::aws:policy/AWSSupportAccess" - ) if iam_client.entities_role_attached_to_support_policy: + report = Check_Report_AWS( + metadata=self.metadata(), + resource=iam_client.entities_role_attached_to_support_policy[0], + ) + report.region = iam_client.region + report.resource_id = iam_client.audited_account + report.resource_arn = f"arn:{iam_client.audited_partition}:iam::aws:policy/AWSSupportAccess" report.status = "PASS" report.status_extended = f"AWS Support Access policy attached to role {iam_client.entities_role_attached_to_support_policy[0]['RoleName']}." else: + report = Check_Report_AWS( + metadata=self.metadata(), + resource={}, + ) + report.region = iam_client.region + report.resource_id = iam_client.audited_account + report.resource_arn = f"arn:{iam_client.audited_partition}:iam::aws:policy/AWSSupportAccess" report.status = "FAIL" report.status_extended = ( "AWS Support Access policy is not attached to any role." diff --git a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py index c0249cf8850..73851d43801 100644 --- a/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py +++ b/prowler/providers/aws/services/resourceexplorer2/resourceexplorer2_indexes_found/resourceexplorer2_indexes_found.py 
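Review bot: The `region`, `resource_id` and `resource_arn` assignments are duplicated across the two branches of iam_support_role_created, which only differ in the resource passed to the constructor. A single `report = Check_Report_AWS(metadata=self.metadata(), resource=iam_client.entities_role_attached_to_support_policy[0] if iam_client.entities_role_attached_to_support_policy else {})` followed by one set of assignments keeps the branches down to `status`/`status_extended`, mirroring what the sibling SecurityAudit check should also do. execute() continues past the hunk.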
@@ -10,7 +10,7 @@ def execute(self): if resource_explorer_2_client.indexes is not None: report = Check_Report_AWS( metadata=self.metadata(), - resource=resource_explorer_2_client.indexes, + resource={}, ) report.status = "FAIL" report.status_extended = "No Resource Explorer Indexes found." diff --git a/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py b/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py index 2eb2739c31c..03d93d2ff71 100644 --- a/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py +++ b/prowler/providers/aws/services/ssmincidents/ssmincidents_enabled_with_plans/ssmincidents_enabled_with_plans.py @@ -10,7 +10,7 @@ def execute(self): if ssmincidents_client.replication_set is not None: report = Check_Report_AWS( metadata=self.metadata(), - resource=ssmincidents_client.replication_set, + resource={}, ) report.status = "FAIL" report.status_extended = "No SSM Incidents replication set exists." @@ -18,8 +18,15 @@ def execute(self): report.resource_id = ssmincidents_client.audited_account report.region = ssmincidents_client.region if ssmincidents_client.replication_set: + report = Check_Report_AWS( + metadata=self.metadata(), + resource=ssmincidents_client.replication_set[0], + ) + report.resource_id = ssmincidents_client.audited_account + report.region = ssmincidents_client.region report.resource_arn = ssmincidents_client.replication_set[0].arn report.resource_tags = [] # Not supported for replication sets + report.status = "FAIL" report.status_extended = f"SSM Incidents replication set {ssmincidents_client.replication_set[0].arn} exists but not ACTIVE." if ssmincidents_client.replication_set[0].status == "ACTIVE": report.status_extended = f"SSM Incidents replication set {ssmincidents_client.replication_set[0].arn} is ACTIVE but no response plans exist." 
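Review bot: In ssmincidents_enabled_with_plans the report is now built twice when a replication set exists: the first `Check_Report_AWS(..., resource={})` with its FAIL status is discarded and a second one is constructed inside `if ssmincidents_client.replication_set:`, which parses the check metadata twice and duplicates the `resource_id`/`region` assignments. Prefer a single construction with `resource=ssmincidents_client.replication_set[0] if ssmincidents_client.replication_set else {}` and one set of attribute assignments, then branch only on the status text. The added `report.status = "FAIL"` is needed only because the second object starts with an empty status; with one report it becomes redundant. The function continues outside the hunk.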
diff --git a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py index 0ca8c5891a3..3b05a1260b3 100644 --- a/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py +++ b/prowler/providers/aws/services/trustedadvisor/trustedadvisor_errors_and_warnings/trustedadvisor_errors_and_warnings.py @@ -25,7 +25,7 @@ def execute(self): else: report = Check_Report_AWS( metadata=self.metadata(), - resource=trustedadvisor_client.checks, + resource={}, ) report.status = "MANUAL" report.status_extended = "Amazon Web Services Premium Support Subscription is required to use this service." diff --git a/prowler/providers/azure/services/monitor/monitor_diagnostic_setting_with_appropriate_categories/monitor_diagnostic_setting_with_appropriate_categories.py b/prowler/providers/azure/services/monitor/monitor_diagnostic_setting_with_appropriate_categories/monitor_diagnostic_setting_with_appropriate_categories.py index 6bae6ef078d..22e0bd193bf 100644 --- a/prowler/providers/azure/services/monitor/monitor_diagnostic_setting_with_appropriate_categories/monitor_diagnostic_setting_with_appropriate_categories.py +++ b/prowler/providers/azure/services/monitor/monitor_diagnostic_setting_with_appropriate_categories/monitor_diagnostic_setting_with_appropriate_categories.py @@ -10,9 +10,7 @@ def execute(self) -> Check_Report_Azure: subscription_name, diagnostic_settings, ) in monitor_client.diagnostics_settings.items(): - report = Check_Report_Azure( - metadata=self.metadata(), resource=diagnostic_settings - ) + report = Check_Report_Azure(metadata=self.metadata(), resource={}) report.subscription = subscription_name report.resource_name = "Monitor" report.resource_id = "Monitor" 
diff --git a/prowler/providers/azure/services/monitor/monitor_diagnostic_settings_exists/monitor_diagnostic_settings_exists.py b/prowler/providers/azure/services/monitor/monitor_diagnostic_settings_exists/monitor_diagnostic_settings_exists.py index bec33b44311..c78a125b3b1 100644 --- a/prowler/providers/azure/services/monitor/monitor_diagnostic_settings_exists/monitor_diagnostic_settings_exists.py +++ b/prowler/providers/azure/services/monitor/monitor_diagnostic_settings_exists/monitor_diagnostic_settings_exists.py @@ -10,9 +10,7 @@ def execute(self) -> Check_Report_Azure: subscription_name, diagnostic_settings, ) in monitor_client.diagnostics_settings.items(): - report = Check_Report_Azure( - metadata=self.metadata(), resource=diagnostic_settings - ) + report = Check_Report_Azure(metadata=self.metadata(), resource={}) report.subscription = subscription_name report.resource_name = "Diagnostic Settings" report.resource_id = "diagnostic_settings" diff --git a/prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.py b/prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.py index 2f6a55575d1..b567066f924 100644 --- a/prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.py +++ b/prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.py @@ -18,9 +18,7 @@ def execute(self) -> Check_Report_Azure: status = "PASS" status_extended = f"Bastion Host from subscription {subscription} available are: {bastion_names}" - report = Check_Report_Azure( - metadata=self.metadata(), resource=bastion_hosts - ) + report = Check_Report_Azure(metadata=self.metadata(), resource={}) report.subscription = subscription report.resource_name = "Bastion Host" report.resource_id = "Bastion Host" 
diff --git a/prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.py b/prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.py index 78ed1f3d1ff..06d06ca5fcb 100644 --- a/prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.py +++ b/prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.py @@ -6,9 +6,7 @@ class network_watcher_enabled(Check): def execute(self) -> list[Check_Report_Azure]: findings = [] for subscription, network_watchers in network_client.network_watchers.items(): - report = Check_Report_Azure( - metadata=self.metadata(), resource=network_watchers - ) + report = Check_Report_Azure(metadata=self.metadata(), resource={}) report.subscription = subscription report.resource_name = "Network Watcher" report.location = "global" From 1b464cc15cb71cb27360553334fd2c720aa83119 Mon Sep 17 00:00:00 2001 From: MrCloudSec Date: Wed, 22 Jan 2025 10:52:35 -0500 Subject: [PATCH 10/12] chore: revision --- prowler/lib/check/models.py | 8 ++++---- prowler/lib/outputs/ocsf/ocsf.py | 13 +++++++++---- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/prowler/lib/check/models.py b/prowler/lib/check/models.py index cdcdd2dd39c..68512778ff5 100644 --- a/prowler/lib/check/models.py +++ b/prowler/lib/check/models.py @@ -3,7 +3,7 @@ import re import sys from abc import ABC, abstractmethod -from dataclasses import dataclass +from dataclasses import asdict, dataclass, is_dataclass from enum import Enum from typing import Any, Dict, Set 
@@ -416,7 +416,7 @@ def __init__(self, metadata: Dict, resource: Any) -> None: Args: metadata: The metadata of the check. resource: Basic information about the resource. Defaults to None. - Only accepted dict, list, BaseModels (dict attribute), custom models (with to_dict attribute) or objects with __dict__. + Only accepted dict, list, BaseModels (dict attribute), custom models (with to_dict attribute) and dataclasses. """ self.status = "" self.check_metadata = CheckMetadata.parse_raw(metadata) @@ -426,8 +426,8 @@ def __init__(self, metadata: Dict, resource: Any) -> None: self.resource = resource.dict() elif hasattr(resource, "to_dict"): self.resource = resource.to_dict() - elif hasattr(resource, "__dict__"): - self.resource = resource.__dict__ + elif is_dataclass(resource): + self.resource = asdict(resource) else: logger.error( f"Resource metadata {type(resource)} in {self.check_metadata.CheckID} could not be converted to dict" diff --git a/prowler/lib/outputs/ocsf/ocsf.py b/prowler/lib/outputs/ocsf/ocsf.py index 5d3ee887a3b..c632e8274a0 100644 --- a/prowler/lib/outputs/ocsf/ocsf.py +++ b/prowler/lib/outputs/ocsf/ocsf.py @@ -193,10 +193,15 @@ def batch_write_data_to_file(self) -> None: ): self._file_descriptor.write("[") for finding in self._data: - self._file_descriptor.write( - finding.json(exclude_none=True, indent=4) - ) - self._file_descriptor.write(",") + try: + self._file_descriptor.write( + finding.json(exclude_none=True, indent=4) + ) + self._file_descriptor.write(",") + except Exception as error: + logger.error( + f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) if self._file_descriptor.tell() > 0: if self._file_descriptor.tell() != 1: self._file_descriptor.seek( From 8f11c94fc8b7f6a8a85858574f3d01509908d334 Mon Sep 17 00:00:00 2001 
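Review bot: The rewritten docstring still says `Only accepted dict, list, ...`, but the list branch (`dict(enumerate(resource))`) was removed earlier in this series, so a list now reaches the `else`, is logged as an error and stored as `{}`; the line above also still says `Defaults to None` although the signature in the hunk header is `resource: Any` with no default. Suggested text: `resource: Basic information about the resource. Accepts a dict, a pydantic model (dict()), a custom model with to_dict(), or a dataclass; anything else is logged and stored as {}.` Replacing `__dict__` with `is_dataclass`/`asdict` also means plain objects that previously serialized through `__dict__` now fall into the error branch, which looks intended but deserves a line in the changelog.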
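Review bot: The new per-finding `try`/`except Exception` in batch_write_data_to_file turns a serialization failure into a log line and silently omits that finding from the OCSF file, so a downstream consumer (SIEM, compliance report) gets no signal that findings are missing. At minimum include the check id and `finding.resource_uid` in the existing error message so the dropped finding can be identified, and count failures to emit one summary after the loop, e.g. `logger.error(f"{dropped} findings could not be serialized to OCSF")`. Because `finding.json(...)` is evaluated before `write`, a failing finding writes neither its body nor the trailing comma, so the array stays well-formed; the comma bookkeeping after the loop is outside the hunk.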
From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Wed, 22 Jan 2025 17:43:15 +0100 Subject: [PATCH 11/12] fix: use own models to avoid parse to JSON errors --- .../azure/services/entra/entra_service.py | 27 +++-- ...sers_cannot_create_security_groups_test.py | 70 +++++++----- ...re_default_user_cannot_create_apps_test.py | 70 +++++++----- ...default_user_cannot_create_tenants_test.py | 70 +++++++----- ..._guest_invite_only_for_admin_roles_test.py | 90 +++++++++------ ...cy_guest_users_access_restrictions_test.py | 84 ++++++++------ ...cy_restricts_user_consent_for_apps_test.py | 108 ++++++++++-------- ...icy_user_consent_for_verified_apps_test.py | 73 ++++++------ .../services/entra/entra_service_test.py | 4 +- ...cannot_create_microsoft_365_groups_test.py | 10 +- 10 files changed, 354 insertions(+), 252 deletions(-) diff --git a/prowler/providers/azure/services/entra/entra_service.py b/prowler/providers/azure/services/entra/entra_service.py index 9876e5d822e..ae4eadce0e6 100644 --- a/prowler/providers/azure/services/entra/entra_service.py +++ b/prowler/providers/azure/services/entra/entra_service.py @@ -1,13 +1,8 @@ from asyncio import gather, get_event_loop -from dataclasses import dataclass from typing import List, Optional from uuid import UUID from msgraph import GraphServiceClient -from msgraph.generated.models.default_user_role_permissions import ( - DefaultUserRolePermissions, -) -from msgraph.generated.models.setting_value import SettingValue from pydantic import BaseModel from prowler.lib.logger import logger 
@@ -326,8 +321,17 @@ class User(BaseModel): authentication_methods: List[AuthMethod] = [] -@dataclass -class AuthorizationPolicy: +class DefaultUserRolePermissions(BaseModel): + allowed_to_create_apps: Optional[bool] + allowed_to_create_security_groups: Optional[bool] + allowed_to_create_tenants: Optional[bool] + allowed_to_read_bitlocker_keys_for_owned_device: Optional[bool] + allowed_to_read_other_users: Optional[bool] + odata_type: Optional[str] + permission_grant_policies_assigned: Optional[List[str]] = None + + +class AuthorizationPolicy(BaseModel): id: str name: str description: str @@ -336,8 +340,13 @@ class AuthorizationPolicy: guest_user_role_id: UUID -@dataclass -class GroupSetting: +class SettingValue(BaseModel): + name: Optional[str] + odata_type: Optional[str] + value: Optional[str] + + +class GroupSetting(BaseModel): name: Optional[str] template_id: Optional[str] settings: List[SettingValue] diff --git a/tests/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups_test.py b/tests/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups_test.py index 5b8d45a2c26..6e67d8381ef 100644 --- a/tests/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups_test.py +++ b/tests/providers/azure/services/entra/entra_policy_default_users_cannot_create_security_groups/entra_policy_default_users_cannot_create_security_groups_test.py 
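Review bot: The new `DefaultUserRolePermissions` and `SettingValue` models declare `Optional[bool]`/`Optional[str]` fields without a default, relying on pydantic v1 making `Optional` fields implicitly default to `None` (the tests later in this patch construct `DefaultUserRolePermissions(allowed_to_create_security_groups=True)` with every other field omitted); under pydantic v2 those fields become required and the constructor raises. Write the default explicitly, `allowed_to_create_apps: Optional[bool] = None`, as `permission_grant_policies_assigned` already does, so the contract does not depend on the pydantic major version. Since `None` is falsy, a check that tests `if not ...allowed_to_create_apps` would report PASS when Graph did not return the field at all; the checks are not visible here, so confirm they distinguish "unknown" from `False`.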
@@ -9,12 +9,15 @@ def test_entra_no_tenants(self): entra_client = mock.MagicMock entra_client.authorization_policy = {} - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups import ( entra_policy_default_users_cannot_create_security_groups, 
@@ -28,12 +31,15 @@ def test_entra_tenant_empty(self): entra_client = mock.MagicMock entra_client.authorization_policy = {DOMAIN: {}} - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups import ( entra_policy_default_users_cannot_create_security_groups, 
@@ -57,18 +63,22 @@ def test_entra_default_user_role_permissions_allowed_to_create_security_groups( entra_client = mock.MagicMock id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups import ( entra_policy_default_users_cannot_create_security_groups, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -76,11 +86,11 @@ def test_entra_default_user_role_permissions_allowed_to_create_security_groups( id=id, name="Test", description="Test", - default_user_role_permissions=mock.MagicMock( + default_user_role_permissions=DefaultUserRolePermissions( allowed_to_create_security_groups=True ), guest_invite_settings="everyone", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } 
@@ -102,18 +112,22 @@ def test_entra_default_user_role_permissions_not_allowed_to_create_security_grou entra_client = mock.MagicMock id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_default_users_cannot_create_security_groups.entra_policy_default_users_cannot_create_security_groups import ( entra_policy_default_users_cannot_create_security_groups, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -121,11 +135,11 @@ def test_entra_default_user_role_permissions_not_allowed_to_create_security_grou id=id, name="Test", description="Test", - default_user_role_permissions=mock.MagicMock( + default_user_role_permissions=DefaultUserRolePermissions( allowed_to_create_security_groups=False ), guest_invite_settings="everyone", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } diff --git a/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py b/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py index 9bb7ce4888b..2dd8dc94bfd 100644 
--- a/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py +++ b/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_apps/entra_policy_ensure_default_user_cannot_create_apps_test.py @@ -8,12 +8,15 @@ class Test_entra_policy_ensure_default_user_cannot_create_apps: def test_entra_no_tenants(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps import ( entra_policy_ensure_default_user_cannot_create_apps, 
@@ -28,12 +31,15 @@ def test_entra_no_tenants(self): def test_entra_tenant_empty(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps import ( entra_policy_ensure_default_user_cannot_create_apps, 
@@ -57,18 +63,22 @@ def test_entra_default_user_role_permissions_not_allowed_to_create_apps(self): id = str(uuid4()) entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps import ( entra_policy_ensure_default_user_cannot_create_apps, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -76,11 +86,11 @@ def test_entra_default_user_role_permissions_not_allowed_to_create_apps(self): id=id, name="Test", description="Test", - default_user_role_permissions=mock.MagicMock( + default_user_role_permissions=DefaultUserRolePermissions( allowed_to_create_apps=False ), guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } 
@@ -100,18 +110,22 @@ def test_entra_default_user_role_permissions_allowed_to_create_apps(self): id = str(uuid4()) entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_apps.entra_policy_ensure_default_user_cannot_create_apps import ( entra_policy_ensure_default_user_cannot_create_apps, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -119,11 +133,11 @@ def test_entra_default_user_role_permissions_allowed_to_create_apps(self): id=id, name="Test", description="Test", - default_user_role_permissions=mock.MagicMock( + default_user_role_permissions=DefaultUserRolePermissions( allowed_to_create_apps=True ), guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } diff --git a/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py b/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py index bbb167fda02..7e97b4558d4 100644 
--- a/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py +++ b/tests/providers/azure/services/entra/entra_policy_ensure_default_user_cannot_create_tenants/entra_policy_ensure_default_user_cannot_create_tenants_test.py @@ -9,12 +9,15 @@ def test_entra_no_tenants(self): entra_client = mock.MagicMock entra_client.authorization_policy = {} - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants import ( entra_policy_ensure_default_user_cannot_create_tenants, 
@@ -28,12 +31,15 @@ def test_entra_empty_tenant(self): entra_client = mock.MagicMock entra_client.authorization_policy = {DOMAIN: {}} - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants import ( entra_policy_ensure_default_user_cannot_create_tenants, 
@@ -55,18 +61,22 @@ def test_entra_default_user_role_permissions_not_allowed_to_create_tenants(self) id = str(uuid4()) entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants import ( entra_policy_ensure_default_user_cannot_create_tenants, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -74,11 +84,11 @@ def test_entra_default_user_role_permissions_not_allowed_to_create_tenants(self) id=id, name="Test", description="Test", - default_user_role_permissions=mock.MagicMock( + default_user_role_permissions=DefaultUserRolePermissions( allowed_to_create_tenants=False ), guest_invite_settings="everyone", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } 
@@ -98,18 +108,22 @@ def test_entra_default_user_role_permissions_allowed_to_create_tenants(self): id = str(uuid4()) entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_ensure_default_user_cannot_create_tenants.entra_policy_ensure_default_user_cannot_create_tenants import ( entra_policy_ensure_default_user_cannot_create_tenants, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -117,11 +131,11 @@ def test_entra_default_user_role_permissions_allowed_to_create_tenants(self): id=id, name="Test", description="Test", - default_user_role_permissions=mock.MagicMock( + default_user_role_permissions=DefaultUserRolePermissions( allowed_to_create_tenants=True ), guest_invite_settings="everyone", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } diff --git a/tests/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles_test.py b/tests/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles_test.py index 35ffa024118..6c2b3fbe2fd 100644 
--- a/tests/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles_test.py +++ b/tests/providers/azure/services/entra/entra_policy_guest_invite_only_for_admin_roles/entra_policy_guest_invite_only_for_admin_roles_test.py @@ -8,12 +8,15 @@ class Test_entra_policy_guest_invite_only_for_admin_roles: def test_entra_no_tenants(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles import ( entra_policy_guest_invite_only_for_admin_roles, 
@@ -28,12 +31,15 @@ def test_entra_no_tenants(self): def test_entra_empty_tenant(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles import ( entra_policy_guest_invite_only_for_admin_roles, 
@@ -57,18 +63,22 @@ def test_entra_tenant_policy_allow_invites_from_everyone(self): entra_client = mock.MagicMock id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles import ( entra_policy_guest_invite_only_for_admin_roles, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -76,9 +86,9 @@ def test_entra_tenant_policy_allow_invites_from_everyone(self): id=id, name="TestPolicy", description="TestPolicyDescription", - default_user_role_permissions=None, + default_user_role_permissions=DefaultUserRolePermissions(), guest_invite_settings="everyone", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } 
@@ -97,18 +107,22 @@ def test_entra_tenant_policy_allow_invites_from_admins(self): entra_client = mock.MagicMock id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles import ( entra_policy_guest_invite_only_for_admin_roles, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -116,9 +130,9 @@ def test_entra_tenant_policy_allow_invites_from_admins(self): id=id, name="TestPolicy", description="TestPolicyDescription", - default_user_role_permissions=None, + default_user_role_permissions=DefaultUserRolePermissions(), guest_invite_settings="adminsAndGuestInviters", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } 
@@ -137,18 +151,22 @@ def test_entra_tenant_policy_allow_invites_from_none(self): entra_client = mock.MagicMock id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_invite_only_for_admin_roles.entra_policy_guest_invite_only_for_admin_roles import ( entra_policy_guest_invite_only_for_admin_roles, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) entra_client.authorization_policy = { @@ -156,9 +174,9 @@ def test_entra_tenant_policy_allow_invites_from_none(self): id=id, name="TestPolicy", description="TestPolicyDescription", - default_user_role_permissions=None, + default_user_role_permissions=DefaultUserRolePermissions(), guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } diff --git a/tests/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions_test.py b/tests/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions_test.py index ae5db4ebffa..8961acf45bc 100644 --- a/tests/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions_test.py 
+++ b/tests/providers/azure/services/entra/entra_policy_guest_users_access_restrictions/entra_policy_guest_users_access_restrictions_test.py @@ -8,12 +8,15 @@ class Test_entra_policy_guest_users_access_restrictions: def test_entra_no_tenants(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions import ( entra_policy_guest_users_access_restrictions, 
@@ -28,12 +31,15 @@ def test_entra_no_tenants(self): def test_entra_tenant_empty(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions import ( entra_policy_guest_users_access_restrictions, @@ -57,12 +63,15 @@ def test_entra_tenant_policy_access_same_as_member(self): entra_client = mock.MagicMock id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions import ( entra_policy_guest_users_access_restrictions, 
@@ -76,8 +85,7 @@ def test_entra_tenant_policy_access_same_as_member(self): id=id, name="Authorization Policy", description="", - default_user_role_permissions=None, - guest_invite_settings=None, + guest_invite_settings="none", guest_user_role_id=UUID("a0b1b346-4d3e-4e8b-98f8-753987be4970"), ) } @@ -98,12 +106,15 @@ def test_entra_tenant_policy_limited_access(self): entra_client = mock.MagicMock id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions import ( entra_policy_guest_users_access_restrictions, @@ -117,8 +128,7 @@ def test_entra_tenant_policy_limited_access(self): id=id, name="Authorization Policy", description="", - default_user_role_permissions=None, - guest_invite_settings=None, + guest_invite_settings="none", guest_user_role_id=UUID("10dae51f-b6af-4016-8d66-8c2a99b929b3"), ) } 
@@ -139,12 +149,15 @@ def test_entra_tenant_policy_access_restricted(self): entra_client = mock.MagicMock id = str(uuid4()) - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_guest_users_access_restrictions.entra_policy_guest_users_access_restrictions import ( entra_policy_guest_users_access_restrictions, @@ -158,8 +171,7 @@ def test_entra_tenant_policy_access_restricted(self): id=id, name="Authorization Policy", description="", - default_user_role_permissions=None, - guest_invite_settings=None, + guest_invite_settings="none", guest_user_role_id=UUID("2af84b1e-32c8-42b7-82bc-daa82404023b"), ) } diff --git a/tests/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps_test.py b/tests/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps_test.py index 10ff3ae95d1..ecc7433746e 100644 --- a/tests/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps_test.py +++ b/tests/providers/azure/services/entra/entra_policy_restricts_user_consent_for_apps/entra_policy_restricts_user_consent_for_apps_test.py 
@@ -8,12 +8,15 @@ class Test_entra_policy_restricts_user_consent_for_apps: def test_entra_no_tenants(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps import ( entra_policy_restricts_user_consent_for_apps, @@ -28,12 +31,15 @@ def test_entra_no_tenants(self): def test_entra_tenant_empty(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps import ( entra_policy_restricts_user_consent_for_apps, 
@@ -56,12 +62,15 @@ def test_entra_tenant_empty(self): def test_entra_tenant_no_default_user_role_permissions(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps import ( entra_policy_restricts_user_consent_for_apps, @@ -71,12 +80,11 @@ def test_entra_tenant_no_default_user_role_permissions(self): ) auth_policy = AuthorizationPolicy( - id=uuid4(), + id=str(uuid4()), name="Authorization Policy", description="Authorization Policy Description", - default_user_role_permissions=None, guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) entra_client.authorization_policy = {DOMAIN: auth_policy} 
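Review bot: The second hunk drops `default_user_role_permissions=None` from `test_entra_tenant_no_default_user_role_permissions`, so the fixture now relies on whatever default `AuthorizationPolicy` assigns that field, which is outside this diff. If that default is a populated `DefaultUserRolePermissions()`, the test no longer exercises the "permissions missing" branch its name promises; either rename the test to reflect what it now builds or pass the missing/empty form the check is meant to tolerate explicitly. The `id=str(uuid4())` change is consistent with a string resource id and looks fine. The assertions for this test are below the hunk.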
@@ -96,30 +104,33 @@ def test_entra_tenant_no_default_user_role_permissions(self): def test_entra_tenant_no_consent(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps import ( entra_policy_restricts_user_consent_for_apps, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) - def_user_role_permissions = mock.MagicMock - def_user_role_permissions.permission_grant_policies_assigned = [] - auth_policy = AuthorizationPolicy( - id=uuid4(), + id=str(uuid4()), name="Authorization Policy", description="Authorization Policy Description", - default_user_role_permissions=def_user_role_permissions, + default_user_role_permissions=DefaultUserRolePermissions( + permission_grant_policies_assigned=[] + ), guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) entra_client.authorization_policy = {DOMAIN: auth_policy} 
@@ -139,32 +150,35 @@ def test_entra_tenant_no_consent(self): def test_entra_tenant_legacy_consent(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_restricts_user_consent_for_apps.entra_policy_restricts_user_consent_for_apps import ( entra_policy_restricts_user_consent_for_apps, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) - def_user_role_permissions = mock.MagicMock - def_user_role_permissions.permission_grant_policies_assigned = [ - "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" - ] - auth_policy = AuthorizationPolicy( - id=uuid4(), + id=str(uuid4()), name="Authorization Policy", description="Authorization Policy Description", - default_user_role_permissions=def_user_role_permissions, + default_user_role_permissions=DefaultUserRolePermissions( + permission_grant_policies_assigned=[ + "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" + ] + ), guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) entra_client.authorization_policy = {DOMAIN: auth_policy} 
diff --git a/tests/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps_test.py b/tests/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps_test.py index 6e91e31650d..02bd0a22207 100644 --- a/tests/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps_test.py +++ b/tests/providers/azure/services/entra/entra_policy_user_consent_for_verified_apps/entra_policy_user_consent_for_verified_apps_test.py @@ -8,12 +8,15 @@ class Test_entra_policy_user_consent_for_verified_apps: def test_entra_no_subscriptions(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps import ( entra_policy_user_consent_for_verified_apps, 
@@ -28,30 +31,33 @@ def test_entra_no_subscriptions(self): def test_entra_tenant_no_consent(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps import ( entra_policy_user_consent_for_verified_apps, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) - def_user_role_permissions = mock.MagicMock - def_user_role_permissions.permission_grant_policies_assigned = [] - auth_policy = AuthorizationPolicy( - id=uuid4(), + id=str(uuid4()), name="Authorization Policy", description="Authorization Policy Description", - default_user_role_permissions=def_user_role_permissions, + default_user_role_permissions=DefaultUserRolePermissions( + permission_grant_policies_assigned=[] + ), guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) entra_client.authorization_policy = {DOMAIN: auth_policy} 
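Review bot: `entra_client = mock.MagicMock` here is again the class, not an instance, so the `entra_client.authorization_policy = {DOMAIN: auth_policy}` assignment mutates `unittest.mock.MagicMock` itself and leaks into any test that runs afterwards in the same process. Change it to `entra_client = mock.MagicMock()` so the fixture is per-test. The test's assertions continue past the hunk.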
@@ -71,32 +77,35 @@ def test_entra_tenant_no_consent(self): def test_entra_tenant_legacy_consent(self): entra_client = mock.MagicMock - with mock.patch( - "prowler.providers.common.provider.Provider.get_global_provider", - return_value=set_mocked_azure_provider(), - ), mock.patch( - "prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps.entra_client", - new=entra_client, + with ( + mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), + mock.patch( + "prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps.entra_client", + new=entra_client, + ), ): from prowler.providers.azure.services.entra.entra_policy_user_consent_for_verified_apps.entra_policy_user_consent_for_verified_apps import ( entra_policy_user_consent_for_verified_apps, ) from prowler.providers.azure.services.entra.entra_service import ( AuthorizationPolicy, + DefaultUserRolePermissions, ) - def_user_role_permissions = mock.MagicMock - def_user_role_permissions.permission_grant_policies_assigned = [ - "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" - ] - auth_policy = AuthorizationPolicy( - id=uuid4(), + id=str(uuid4()), name="Authorization Policy", description="Authorization Policy Description", - default_user_role_permissions=def_user_role_permissions, + default_user_role_permissions=DefaultUserRolePermissions( + permission_grant_policies_assigned=[ + "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" + ] + ), guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) entra_client.authorization_policy = {DOMAIN: auth_policy} diff --git a/tests/providers/azure/services/entra/entra_service_test.py b/tests/providers/azure/services/entra/entra_service_test.py index 1e2716f65b3..b09b6edaa41 100644 
--- a/tests/providers/azure/services/entra/entra_service_test.py +++ b/tests/providers/azure/services/entra/entra_service_test.py @@ -1,4 +1,5 @@ from unittest.mock import patch +from uuid import uuid4 from prowler.providers.azure.models import AzureIdentityInfo from prowler.providers.azure.services.entra.entra_service import ( @@ -28,9 +29,8 @@ async def mock_entra_get_authorization_policy(_): id="id-1", name="Name 1", description="Description 1", - default_user_role_permissions=None, guest_invite_settings="none", - guest_user_role_id=None, + guest_user_role_id=uuid4(), ) } diff --git a/tests/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups_test.py b/tests/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups_test.py index fa6a0f358cd..86c03a7a233 100644 --- a/tests/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups_test.py +++ b/tests/providers/azure/services/entra/entra_users_cannot_create_microsoft_365_groups/entra_users_cannot_create_microsoft_365_groups_test.py @@ -62,6 +62,7 @@ def test_entra_users_cannot_create_microsoft_365_groups(self): ): from prowler.providers.azure.services.entra.entra_service import ( GroupSetting, + SettingValue, ) from prowler.providers.azure.services.entra.entra_users_cannot_create_microsoft_365_groups.entra_users_cannot_create_microsoft_365_groups import ( entra_users_cannot_create_microsoft_365_groups, @@ -70,9 +71,7 @@ def test_entra_users_cannot_create_microsoft_365_groups(self): id = str(uuid4()) template_id = str(uuid4()) - setting = mock.MagicMock - setting.name = "EnableGroupCreation" - setting.value = "false" + setting = SettingValue(name="EnableGroupCreation", value="false") entra_client.group_settings = { DOMAIN: { 
@@ -107,6 +106,7 @@ def test_entra_users_can_create_microsoft_365_groups(self): ): from prowler.providers.azure.services.entra.entra_service import ( GroupSetting, + SettingValue, ) from prowler.providers.azure.services.entra.entra_users_cannot_create_microsoft_365_groups.entra_users_cannot_create_microsoft_365_groups import ( entra_users_cannot_create_microsoft_365_groups, @@ -115,9 +115,7 @@ def test_entra_users_can_create_microsoft_365_groups(self): id = str(uuid4()) template_id = str(uuid4()) - setting = mock.MagicMock - setting.name = "EnableGroupCreation" - setting.value = "true" + setting = SettingValue(name="EnableGroupCreation", value="true") entra_client.group_settings = { DOMAIN: { From 50fc487f3c0994ef264e05bd4705d1717f254e16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Wed, 22 Jan 2025 19:42:58 +0100 Subject: [PATCH 12/12] fix: use new models in Entra service --- .../azure/services/entra/entra_service.py | 53 +++++++++++++++++-- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/prowler/providers/azure/services/entra/entra_service.py b/prowler/providers/azure/services/entra/entra_service.py index ae4eadce0e6..f2b02dcc5da 100644 --- a/prowler/providers/azure/services/entra/entra_service.py +++ b/prowler/providers/azure/services/entra/entra_service.py 
@@ -87,14 +87,54 @@ async def _get_authorization_policy(self): try: for tenant, client in self.clients.items(): auth_policy = await client.policies.authorization_policy.get() + + default_user_role_permissions = getattr( + auth_policy, "default_user_role_permissions", None + ) + authorization_policy.update( { tenant: AuthorizationPolicy( id=auth_policy.id, name=auth_policy.display_name, description=auth_policy.description, - default_user_role_permissions=getattr( - auth_policy, "default_user_role_permissions", None + default_user_role_permissions=DefaultUserRolePermissions( + allowed_to_create_apps=getattr( + default_user_role_permissions, + "allowed_to_create_apps", + None, + ), + allowed_to_create_security_groups=getattr( + default_user_role_permissions, + "allowed_to_create_security_groups", + None, + ), + allowed_to_create_tenants=getattr( + default_user_role_permissions, + "allowed_to_create_tenants", + None, + ), + allowed_to_read_bitlocker_keys_for_owned_device=getattr( + default_user_role_permissions, + "allowed_to_read_bitlocker_keys_for_owned_device", + None, + ), + allowed_to_read_other_users=getattr( + default_user_role_permissions, + "allowed_to_read_other_users", + None, + ), + odata_type=getattr( + default_user_role_permissions, "odata_type", None + ), + permission_grant_policies_assigned=[ + policy_assigned + for policy_assigned in getattr( + default_user_role_permissions, + "permission_grant_policies_assigned", + [], + ) + ], ), guest_invite_settings=( auth_policy.allow_invites_from.value @@ -129,7 +169,14 @@ async def _get_group_settings(self): group_setting.id: GroupSetting( name=getattr(group_setting, "display_name", None), template_id=getattr(group_setting, "template_id", None), - settings=getattr(group_setting, "values", []), + settings=[ + SettingValue( + name=setting.name, + odata_type=setting.odata_type, + value=setting.value, + ) + for setting in getattr(group_setting, "values", []) + ], ) } )
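Review bot: `getattr(default_user_role_permissions, "permission_grant_policies_assigned", [])` only falls back to `[]` when the attribute is absent; if the SDK object carries the attribute with a `None` value, as Graph models commonly do for unset lists, the comprehension iterates `None` and raises `TypeError` inside the enclosing `try`, which presumably aborts collection for every remaining tenant. `getattr(default_user_role_permissions, "permission_grant_policies_assigned", None) or []` covers both cases, and the wrapping comprehension is just `list(...)`. Separately, when `default_user_role_permissions` is itself `None`, every field becomes `None` and the assigned-policy list becomes `[]`, which, judging by the `test_entra_tenant_no_consent` fixtures in this series, is the restrictive "no consent" state — a missing or unreadable sub-object therefore produces the same result as a locked-down tenant; consider leaving the field `None` in that case so the checks can report the gap instead of passing. The `try`'s `except` handler lies outside the hunk.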
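Review bot: `getattr(group_setting, "values", [])` has the same hazard as the authorization-policy hunk: the default applies only when the attribute is missing, so a `values` of `None` raises `TypeError` on iteration; use `getattr(group_setting, "values", None) or []`. The element fields are read with direct attribute access (`setting.name`, `setting.odata_type`, `setting.value`) while the rest of the constructor guards with `getattr(..., None)`, so one malformed entry raises for the whole tenant rather than degrading to `None`; `getattr(setting, "name", None)` and friends would be consistent with the surrounding lines. The method's `try`/`except` is outside the hunk.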