Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(aws): not show findings when AccessDenieds #3803

Merged
merged 12 commits into from
Apr 29, 2024
Merged

fix(aws): not show findings when AccessDenieds #3803

merged 12 commits into from
Apr 29, 2024

Conversation

MrCloudSec
Copy link
Member

@MrCloudSec MrCloudSec commented Apr 17, 2024
edited
Loading

Description

Don't add findings when Prowler does not know the status of the resource because of an AccessDenied.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label Apr 17, 2024
@codecov Codecov
Copy link

codecov bot commented Apr 17, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 86.92033% with 110 lines in your changes are missing coverage. Please review.

Project coverage is 86.37%. Comparing base (6fd7135) to head (fbf8d75).
Report is 39 commits behind head on master.

Files Patch % Lines
prowler/providers/aws/services/iam/iam_service.py 58.06% 26 Missing ⚠️
...ders/aws/services/cloudwatch/cloudwatch_service.py 51.61% 15 Missing ⚠️
...cy/iam_role_cross_account_readonlyaccess_policy.py 66.66% 11 Missing ⚠️
...ders/aws/services/cloudtrail/cloudtrail_service.py 53.33% 7 Missing ⚠️
...ces/resourceexplorer2/resourceexplorer2_service.py 22.22% 7 Missing ⚠️
...er/providers/aws/services/backup/backup_service.py 25.00% 6 Missing ⚠️
.../aws/services/ssmincidents/ssmincidents_service.py 0.00% 6 Missing ⚠️
.../providers/aws/services/account/account_service.py 44.44% 5 Missing ⚠️
prowler/lib/outputs/summary_table.py 0.00% 4 Missing ⚠️
...in_logs/cloudwatch_log_group_no_secrets_in_logs.py 89.47% 4 Missing ⚠️
... and 9 more
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3803      +/-   ##
==========================================
+ Coverage   85.61%   86.37%   +0.75%     
==========================================
  Files         731      746      +15     
  Lines       22659    23228     +569     
==========================================
+ Hits        19400    20063     +663     
+ Misses       3259     3165      -94

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@MrCloudSec
Copy link
Member Author

MrCloudSec commented Apr 17, 2024
edited
Loading

We need to cover the case when there is a region denied and other accessible.
This happens to Backup, CloudWatch, CloudTrail, ResourceExplorer2 and SSMIncidents.

EDIT: DONE

@MrCloudSec MrCloudSec marked this pull request as ready for review April 17, 2024 12:21
@MrCloudSec MrCloudSec requested review from a team April 17, 2024 12:21
jfagoagas
jfagoagas requested changes Apr 19, 2024
View reviewed changes
Copy link
Member

@jfagoagas jfagoagas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a great work and improvement @sergargar 👏

Please, document the criteria followed in the services and how this needs to be done in the checks, include all in the developer guide since it's an important change.

It'd be super helpful to complete tests cases and cover this, you can use mock_object.side_effect = ClientError(error_response, operation_name) to raise exceptions like if boto3 does that.

Thanks!

@MrCloudSec MrCloudSec requested a review from jfagoagas April 22, 2024 08:32
@MrCloudSec
Copy link
Member Author

@jfagoagas re-review it whenever you get a chance, please! Only the tests and docs are pending.

@github-actions GitHub Actions
Copy link
Contributor

You can check the documentation for this PR here -> SaaS Documentation

@MrCloudSec
Copy link
Member Author

Pending testing for CloudTrail, CloudWatch and IAM.

@github-actions GitHub Actions
Copy link
Contributor

You can check the documentation for this PR here -> SaaS Documentation

@MrCloudSec
Copy link
Member Author

Pending testing for CloudTrail and CloudWatch.

@github-actions GitHub Actions
Copy link
Contributor

You can check the documentation for this PR here -> SaaS Documentation

@MrCloudSec
Copy link
Member Author

Pending testing for CloudWatch.

@github-actions GitHub Actions
Copy link
Contributor

You can check the documentation for this PR here -> SaaS Documentation

@jfagoagas jfagoagas merged commit 35c8ea5 into master Apr 29, 2024
12 checks passed
@jfagoagas jfagoagas deleted the handle-access-denieds branch April 29, 2024 15:42
MrCloudSec added a commit that referenced this pull request May 3, 2024
@MrCloudSec
fix(aws): not show findings when AccessDenieds (#3803)
5bda422
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jfagoagas jfagoagas jfagoagas approved these changes

Assignees
No one assigned
Labels
documentation provider/aws Issues/PRs related with the AWS provider
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MrCloudSec @jfagoagas