route53_public_hosted_zones_cloudwatch_logging_enabled passes for every zone if there is one with enabled logging

[xelaris]

Steps to Reproduce

1. Create two hosted zones in Route53 (without query logging set up)
2. Run prowler aws --checks route53_public_hosted_zones_cloudwatch_logging_enabled
3. route53_public_hosted_zones_cloudwatch_logging_enabled fails for both zones
4. Set up query logging for only one of the zones
5. Run prowler aws --checks route53_public_hosted_zones_cloudwatch_logging_enabled

Expected behavior

route53_public_hosted_zones_cloudwatch_logging_enabled should pass for the zone with the logging configuration and fail for the zone without the logging configuration

Actual Result with Screenshots or Logs

route53_public_hosted_zones_cloudwatch_logging_enabled passes for both zones

How did you install Prowler?

From brew (brew install prowler)

Environment Resource

Workstation

OS used

MacOS

Prowler version

5.3.0

Pip version

25.0

Context

It seems the issue hides in _list_query_logging_configs in route53_service.py:

prowler/prowler/providers/aws/services/route53/route53_service.py

Lines 83 to 95 in b7bce60

	for hosted_zone in self.hosted_zones.values():
	list_query_logging_configs_paginator = self.client.get_paginator(
	"list_query_logging_configs"
	)
	for page in list_query_logging_configs_paginator.paginate():
	for logging_config in page["QueryLoggingConfigs"]:
	self.hosted_zones[hosted_zone.id].logging_config = (
	LoggingConfig(
	cloudwatch_log_group_arn=logging_config[
	"CloudWatchLogsLogGroupArn"
	]
	)
	)

The code reads like this:

for every hosted zone
  for every query logging config
    use the configuration as the query logging config for the hosted zone

I think it needs to be something like this:

for every hosted zone
  for every query logging config
    **if the HostedZoneId of the config matches the hosted zone**
      use the configuration as the query logging config for the hosted zone 

[danibarranqueroo]

Hi @xelaris,

Thanks for notifying us this issue, we are on it now and we'll try to come back with a solution soon.

Thanks for using Prowler! 🚀

[danibarranqueroo]

Hi again @xelaris! You were right, we were assigning the same Logging Config to every Hosted Zone, now it's fixed. Try it when you're able and thanks again for your help. We really appreciate it! 🥇

[danibarranqueroo]

Hello again @xelaris, have you been able to test it? We want to be sure that you're no longer having the error before merging the changes.

[xelaris]

Hi @danibarranqueroo, thank you so much for your quick feedback. I just tested it. While I didn't remove the logging configs from any of the zones, to not mess with our setup, I can still confirm that the logging configs are properly assigned to the related zone now, based on the verbose output, which shows the logging group for every zone.

Running the check with the master branch:

Check ID: route53_public_hosted_zones_cloudwatch_logging_enabled - route53 [medium]
	PASS us-east-1: Route53 Public Hosted Zone Z0AAAAAAAAAAAAAAAAAAA has query logging enabled in Log Group arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/example.com.
	PASS us-east-1: Route53 Public Hosted Zone Z0BBBBBBBBBBBBBBBBBBB has query logging enabled in Log Group arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/example.com.
	PASS us-east-1: Route53 Public Hosted Zone Z0CCCCCCCCCCCCCCCCCCC has query logging enabled in Log Group arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/example.com.

Running the check with the PRWLR-6423-fix-check-route-53-public-hosted-zones-cloudwatch-logging-enabled branch:

Check ID: route53_public_hosted_zones_cloudwatch_logging_enabled - route53 [medium]
	PASS us-east-1: Route53 Public Hosted Zone Z0AAAAAAAAAAAAAAAAAAA has query logging enabled in Log Group arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/example.com.
	PASS us-east-1: Route53 Public Hosted Zone Z0BBBBBBBBBBBBBBBBBBB has query logging enabled in Log Group arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/foo.com.
	PASS us-east-1: Route53 Public Hosted Zone Z0CCCCCCCCCCCCCCCCCCC has query logging enabled in Log Group arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/bar.com.

Since the configs are only assigned to the related zone now, I'm pretty sure that the changes resolve the originally described problem too.