feat(aws): New CloudTrail, DLM, DocumentDB, EC2, Account and Support checks #2675
Conversation
prowler/providers/aws/services/ec2/ec2_ebs_snapshots_exists/ec2_ebs_snapshots_exists.py (outdated, resolved)
Codecov Report
@@ Coverage Diff @@
## master #2675 +/- ##
==========================================
+ Coverage 86.23% 86.26% +0.03%
==========================================
Files 539 551 +12
Lines 17453 17632 +179
==========================================
+ Hits 15051 15211 +160
- Misses 2402 2421 +19
... and 20 files with indirect coverage changes
I've left a lot of comments / changes since some parts of this PR are not coded following our guidelines:
- Some services are duplicated since the `documentdb` (like `neptune`) API points to the `rds` API underneath.
- The `support` service is created within the `trustedadvisor` service, so there is no need to have another service.
- Regarding the `support` check, we have to include a list of accounts using the configuration file because we cannot raise a FAIL in each Prowler scan if the account does not have AWS Premium Support configured.
I recommend you follow the Prowler Developer Guide here https://docs.prowler.cloud/en/latest/developer-guide/introduction/ and we can talk more about this using the Slack.
Review comments (outdated, resolved) on:
- .../account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json
- ..._operations/account_maintain_different_contact_details_to_security_billing_and_operations.py
- ...cumentdb/documentdb_instance_storage_encrypted/documentdb_instance_storage_encrypted_test.py
- .../providers/aws/services/dlm/dlm_ebs_snapshot_policy_exists/dlm_ebs_snapshot_policy_exists.py
This check is not working as expected, in our demo environments it is raising a FAIL finding while having a multi-region CloudTrail logging all the management events. Please check this out.

```python
                )
            )
        else:
            raise error
```
Suggested change:

```diff
-            raise error
+            logger.error(
+                f"{regional_client.region} --"
+                f" {error.__class__.__name__}[{error.__traceback__.tb_lineno}]:"
+                f" {error}"
+            )
```
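Review bot: swapping `raise error` for `logger.error(...)` in the inner `else:` branch changes control flow, not just where the message is written: every error that is not the one this inner handler was written for would be logged and swallowed here instead of propagating to the outer try/except, so the outer block's own logging of `{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}` would never run for it. If the intent is that unexpected errors be logged once by the outer handler and the scan continue, keep the re-raise (a bare `raise` preserves the original traceback, so `tb_lineno` points at the failing call rather than at the re-raise line) and leave the formatting in one place.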
In this case I'm catching an error inside a try...catch block already, the raise is to raise other errors that can happen other than the one I want to catch, and have them caught and logged by the outer block. I think that the behavior will be the same, the difference is just duplicating the code to log the error instead of reusing this part of the code of the outer try...catch block. Would you prefer that I apply your change? Feel free to do it.
c399564 to 4c3e914
…ent_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json Co-authored-by: Pepe Fagoaga <pepe@verica.io>
…ent_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json Co-authored-by: Pepe Fagoaga <pepe@verica.io>
…ent_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json Co-authored-by: Pepe Fagoaga <pepe@verica.io>
…ent_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.py Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
…ycle_policy_exists
…hot_lifecycle_policy_exists
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
…e event selectors and add tests
…e unused parameters
Many thanks @jit-contrib for this huge contribution to keep improving and growing Prowler 🚀 🚀 🚀 🚀
…checks (prowler-cloud#2675) Co-authored-by: Pepe Fagoaga <pepe@verica.io> Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
Context
Adding 6 new AWS rules
Description
This PR implements the fixes suggested in #2645.
List of newly added rules:
account_maintain_different_contact_details_to_security_billing_and_operations
cloudtrail_multi_region_enabled_logging_management_events
dlm_ebs_snapshot_lifecycle_policy_exists
ec2_ebs_volume_snapshots_exists
documentdb_instance_storage_encrypted
trustedadvisor_premium_support_plan_subscribed
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
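The following is an added example, written for this page and not code from this PR or from Prowler, of the logic behind a check like `cloudtrail_multi_region_enabled_logging_management_events`, together with the nested error-handling pattern debated above (tolerate one expected API error, re-raise everything else to a per-region handler that logs and moves on). It assumes the response shapes of CloudTrail's DescribeTrails (`trailList`), GetTrailStatus (`IsLogging`) and GetEventSelectors (`EventSelectors` / `AdvancedEventSelectors`) APIs, and the fact that a multi-region trail is listed as a shadow trail in every region, so it must be assessed once, from its `HomeRegion`, and produce one account-level finding rather than one per region. `ApiError`, the `sample_*` callables and the trail data are constructed stand-ins, not boto3 objects or captured output.

```python
import logging
from typing import Callable

logger = logging.getLogger("cloudtrail_check")


class ApiError(Exception):
    """Constructed stand-in for botocore's ClientError: carries the service error code."""

    def __init__(self, code: str, message: str = "") -> None:
        super().__init__(message or code)
        self.code = code


def logs_all_management_events(selectors: dict) -> bool:
    """True if a GetEventSelectors response records read AND write management events.

    Classic selectors: IncludeManagementEvents with ReadWriteType "All".
    Advanced selectors: conservatively, a selector constrained only by
    eventCategory == Management (a readOnly or eventSource field would narrow it).
    """
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = adv.get("FieldSelectors", [])
        if {f.get("Field") for f in fields} == {"eventCategory"} and fields[0].get("Equals") == ["Management"]:
            return True
    return False


def evaluate_account(
    trails_by_region: dict,
    get_trail_status: Callable[[str, str], dict],
    get_event_selectors: Callable[[str, str], dict],
) -> tuple:
    """Account-level verdict: PASS if at least one multi-region trail is logging and
    records all management events. Returns (status, names of qualifying trails).

    trails_by_region maps region -> DescribeTrails 'trailList'. Each multi-region trail
    is assessed once, from its HomeRegion; shadow copies in other regions are skipped.
    """
    qualifying = []
    for region, trails in trails_by_region.items():
        try:
            for trail in trails:
                if not trail.get("IsMultiRegionTrail") or trail.get("HomeRegion") != region:
                    continue  # single-region trail, or a shadow copy homed elsewhere
                arn = trail["TrailARN"]
                if not get_trail_status(region, arn).get("IsLogging"):
                    continue
                try:
                    selectors = get_event_selectors(region, arn)
                except ApiError as error:
                    if error.code == "TrailNotFoundException":
                        continue  # the one failure tolerated here: trail deleted between calls
                    raise  # anything else goes to the per-region handler below
                if logs_all_management_events(selectors):
                    qualifying.append(trail["Name"])
        except Exception as error:  # one bad region must not abort the whole scan
            logger.error(
                f"{region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
    return ("PASS" if qualifying else "FAIL", qualifying)


# Constructed sample data (not captured from a real account).
ORG_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
DENIED_ARN = "arn:aws:cloudtrail:ap-south-1:123456789012:trail/locked-down"
ORG_TRAIL = {"Name": "org-trail", "TrailARN": ORG_ARN, "IsMultiRegionTrail": True, "HomeRegion": "us-east-1"}
DENIED_TRAIL = {"Name": "locked-down", "TrailARN": DENIED_ARN, "IsMultiRegionTrail": True, "HomeRegion": "ap-south-1"}
LOCAL_TRAIL = {"Name": "local", "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/local",
               "IsMultiRegionTrail": False, "HomeRegion": "eu-west-1"}
SAMPLE_TRAILS = {  # both multi-region trails show up in every region's trailList
    "us-east-1": [ORG_TRAIL, DENIED_TRAIL],
    "eu-west-1": [ORG_TRAIL, DENIED_TRAIL, LOCAL_TRAIL],
    "ap-south-1": [ORG_TRAIL, DENIED_TRAIL],
}
SAMPLE_STATUS = {ORG_ARN: {"IsLogging": True}, DENIED_ARN: {"IsLogging": True}}
SAMPLE_SELECTORS = {ORG_ARN: {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}}


def sample_status(region: str, arn: str) -> dict:
    return SAMPLE_STATUS[arn]


def sample_selectors(region: str, arn: str) -> dict:
    if arn == DENIED_ARN:  # simulated: missing cloudtrail:GetEventSelectors in that region
        raise ApiError("AccessDeniedException", "simulated regional failure")
    return SAMPLE_SELECTORS[arn]


def run_sample() -> tuple:
    return evaluate_account(SAMPLE_TRAILS, sample_status, sample_selectors)


if __name__ == "__main__":
    print(run_sample())
```

`run_sample()` returns `("PASS", ["org-trail"])`: the access-denied failure in ap-south-1 is logged by the per-region handler and does not abort the scan, the shadow copies of both trails are skipped in the regions that are not their home, and the single-region trail never counts. Replace the `sample_*` callables with wrappers around a boto3 `cloudtrail` client (`describe_trails`, `get_trail_status`, `get_event_selectors`) to run it against an account.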