Skip to content

Commit

Permalink
fix(aws): enhance resource arn filtering (#4837)
Browse files Browse the repository at this point in the history
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
  • Loading branch information
github-actions[bot] and MrCloudSec authored Aug 22, 2024
1 parent fa05936 commit ac623b7
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 13 deletions.
30 changes: 18 additions & 12 deletions prowler/providers/aws/aws_provider.py
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ def __init__(self, arguments: Namespace):
# MFA Configuration (false by default)
input_mfa = getattr(arguments, "mfa", None)
input_profile = getattr(arguments, "profile", None)
input_regions = getattr(arguments, "region", set())
input_regions = set(getattr(arguments, "region", set()))
organizations_role_arn = getattr(arguments, "organizations_role", None)

# Set if unused services must be scanned
Expand Down Expand Up @@ -740,16 +740,22 @@ def get_tagged_resources(self, input_resource_tags: list[str]) -> list[str]:

def get_default_region(self, service: str) -> str:
"""get_default_region returns the default region based on the profile and audited service regions"""
service_regions = self.get_available_aws_service_regions(service)
default_region = self.get_global_region()
# global region of the partition when all regions are audited and there is no profile region
if self._identity.profile_region in service_regions:
# return profile region only if it is audited
default_region = self._identity.profile_region
# return first audited region if specific regions are audited
elif self._identity.audited_regions:
default_region = self._identity.audited_regions[0]
return default_region
try:
service_regions = self.get_available_aws_service_regions(service)
default_region = self.get_global_region()
# global region of the partition when all regions are audited and there is no profile region
if self._identity.profile_region in service_regions:
# return profile region only if it is audited
default_region = self._identity.profile_region
# return first audited region if specific regions are audited
elif self._identity.audited_regions:
default_region = list(self._identity.audited_regions)[0]
return default_region
except Exception as error:
logger.critical(
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
raise error

def get_global_region(self) -> str:
"""get_global_region returns the global region based on the audited partition"""
Expand Down Expand Up @@ -959,7 +965,7 @@ def get_aws_region_for_sts(session_region: str, input_regions: set[str]) -> str:
aws_region = AWS_STS_GLOBAL_ENDPOINT_REGION
else:
# Get the first region passed to the -f/--region
aws_region = input_regions[0]
aws_region = list(input_regions)[0]

return aws_region

Expand Down
2 changes: 1 addition & 1 deletion prowler/providers/aws/lib/arn/arn.py
Original file line number Diff line number Diff line change
Expand Up @@ -58,5 +58,5 @@ def parse_iam_credentials_arn(arn: str) -> ARN:

def is_valid_arn(arn: str) -> bool:
"""is_valid_arn returns True or False whether the given AWS ARN (Amazon Resource Name) is valid or not."""
regex = r"^arn:aws(-cn|-us-gov|-iso|-iso-b)?:[a-zA-Z0-9\-]+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:[a-zA-Z0-9\-_\/:\.]+(:\d+)?$"
regex = r"^arn:aws(-cn|-us-gov|-iso|-iso-b)?:[a-zA-Z0-9\-]+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:[a-zA-Z0-9\-_\/:\.\*]+(:\d+)?$"
return re.match(regex, arn) is not None
1 change: 1 addition & 0 deletions tests/providers/aws/lib/arn/arn_test.py
Original file line number Diff line number Diff line change
Expand Up @@ -386,6 +386,7 @@ def test_is_valid_arn(self):
"arn:aws:lambda:eu-west-1:123456789012:function:lambda-function"
)
assert is_valid_arn("arn:aws:sns:eu-west-1:123456789012:test.fifo")
assert is_valid_arn("arn:aws:logs:eu-west-1:123456789012:log-group:/ecs/test:")
assert not is_valid_arn("arn:azure:::012345678910:user/test")
assert not is_valid_arn("arn:aws:iam::account:user/test")
assert not is_valid_arn("arn:aws:::012345678910:resource")

0 comments on commit ac623b7

Please sign in to comment.