From 3ce785a7b4cedcc1bfc258ae2b3265e726584ac0 Mon Sep 17 00:00:00 2001 From: Prowler Bot Date: Mon, 25 Nov 2024 18:01:45 +0100 Subject: [PATCH] chore(aws): update fixers docstring (#5878) Co-authored-by: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com> --- .../accessanalyzer_enabled_fixer.py | 3 ++- .../cloudtrail_multi_region_enabled_fixer.py | 3 ++- ...documentdb_cluster_public_snapshot_fixer.py | 6 ++---- .../ec2_ebs_default_encryption_fixer.py | 3 ++- .../ec2_ebs_public_snapshot_fixer.py | 4 ++-- ...apshot_account_block_public_access_fixer.py | 3 ++- ...c2_instance_account_imdsv2_enabled_fixer.py | 3 ++- .../guardduty_is_enabled_fixer.py | 3 ++- ...s_passwords_within_90_days_or_less_fixer.py | 5 ++++- .../iam_password_policy_lowercase_fixer.py | 5 ++++- ..._password_policy_minimum_length_14_fixer.py | 5 ++++- .../iam_password_policy_number_fixer.py | 5 ++++- .../iam_password_policy_reuse_24_fixer.py | 5 ++++- .../iam_password_policy_symbol_fixer.py | 5 ++++- .../iam_password_policy_uppercase_fixer.py | 5 ++++- ...ms_cmk_not_deleted_unintentionally_fixer.py | 3 --- .../kms_cmk_rotation_enabled_fixer.py | 3 ++- .../neptune_cluster_public_snapshot_fixer.py | 7 ++----- .../rds_instance_no_public_access_fixer.py | 7 ++----- .../rds_snapshots_public_access_fixer.py | 9 +++------ ...account_level_public_access_blocks_fixer.py | 5 ++++- .../securityhub_enabled_fixer.py | 3 ++- .../documentdb_cluster_backup_enabled_test.py | 18 ++++++++++++++++++ ...entdb_cluster_cloudwatch_log_export_test.py | 15 +++++++++++++++ ...umentdb_cluster_deletion_protection_test.py | 9 +++++++++ ...documentdb_cluster_multi_az_enabled_test.py | 9 +++++++++ .../documentdb_cluster_public_snapshot_test.py | 9 +++++++++ ...ocumentdb_cluster_storage_encrypted_test.py | 9 +++++++++ 28 files changed, 128 insertions(+), 41 deletions(-) 
diff --git a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_fixer.py b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_fixer.py index 2ba27ff388f..120c6d2336c 100644 --- a/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_fixer.py +++ b/prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled_fixer.py @@ -6,7 +6,8 @@ def fixer(region): """ - Enable Access Analyzer in a region. Requires the access-analyzer:CreateAnalyzer permission: + Enable Access Analyzer in a region. Requires the access-analyzer:CreateAnalyzer permission. + Permissions: { "Version": "2012-10-17", "Statement": [ diff --git a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_fixer.py b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_fixer.py index ce066b79fa9..92da4fc48f3 100644 --- a/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_fixer.py +++ b/prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled_fixer.py @@ -7,7 +7,8 @@ def fixer(region): """ NOTE: Define the S3 bucket name in the fixer_config.yaml file. - Enable CloudTrail in a region. Requires the cloudtrail:CreateTrail permission: + Enable CloudTrail in a region. Requires the cloudtrail:CreateTrail permission. + Permissions: { "Version": "2012-10-17", "Statement": [ diff --git a/prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot_fixer.py b/prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot_fixer.py index e6423fabace..341eaf251db 100644 
--- a/prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot_fixer.py +++ b/prowler/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot_fixer.py @@ -8,9 +8,8 @@ def fixer(resource_id: str, region: str) -> bool: """ Modify the attributes of a DocumentDB cluster snapshot to remove public access. Specifically, this fixer removes the 'all' value from the 'restore' attribute to - prevent the snapshot from being publicly accessible. - - Requires the rds:ModifyDBClusterSnapshotAttribute permissions. + prevent the snapshot from being publicly accessible. Requires the rds:ModifyDBClusterSnapshotAttribute permissions. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -21,7 +20,6 @@ def fixer(resource_id: str, region: str) -> bool: } ] } - Args: resource_id (str): The DB cluster snapshot identifier. region (str): AWS region where the snapshot exists. diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_fixer.py b/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_fixer.py index 3b128199526..f733b4f2dab 100644 --- a/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_fixer.py +++ b/prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption_fixer.py @@ -5,7 +5,8 @@ def fixer(region): """ Enable EBS encryption by default in a region. NOTE: Custom KMS keys for EBS Default Encryption may be overwritten. - Requires the ec2:EnableEbsEncryptionByDefault permission: + Requires the ec2:EnableEbsEncryptionByDefault permission. + Permissions: { "Version": "2012-10-17", "Statement": [ diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot_fixer.py b/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot_fixer.py index 792783e4a5d..1c906b420b3 100644 
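Review bot: In the first documentdb_cluster_public_snapshot_fixer.py hunk, the requirement sentence is now appended to the end of the description line, which makes that docstring line very long. Other fixers in this commit, such as ec2_ebs_default_encryption_fixer.py, keep `Requires the … permission.` on a line of its own. The sentence also still says "permissions" although it names a single action. I would put `Requires the rds:ModifyDBClusterSnapshotAttribute permission.` on its own line directly above `Permissions:`. The same joined-line pattern appears in the ec2_ebs_public_snapshot, neptune_cluster_public_snapshot, rds_instance_no_public_access and rds_snapshots_public_access fixer hunks.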
--- a/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot_fixer.py +++ b/prowler/providers/aws/services/ec2/ec2_ebs_public_snapshot/ec2_ebs_public_snapshot_fixer.py @@ -6,8 +6,8 @@ def fixer(resource_id: str, region: str) -> bool: """ Modify the attributes of an EBS snapshot to remove public access. Specifically, this fixer removes the 'all' value from the 'createVolumePermission' attribute to - prevent the snapshot from being publicly accessible. - Requires the ec2:ModifySnapshotAttribute permission. + prevent the snapshot from being publicly accessible. Requires the ec2:ModifySnapshotAttribute permission. + Permissions: { "Version": "2012-10-17", "Statement": [ diff --git a/prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access_fixer.py b/prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access_fixer.py index 5577b88b424..d1a21c51cfc 100644 --- a/prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access_fixer.py +++ b/prowler/providers/aws/services/ec2/ec2_ebs_snapshot_account_block_public_access/ec2_ebs_snapshot_account_block_public_access_fixer.py @@ -5,7 +5,8 @@ def fixer(region): """ Enable EBS snapshot block public access in a region. - Requires the ec2:EnableSnapshotBlockPublicAccess permission: + Requires the ec2:EnableSnapshotBlockPublicAccess permission. + Permissions: { "Version": "2012-10-17", "Statement": [ diff --git a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled_fixer.py b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled_fixer.py index 31c0c3228b1..e8e0de893f1 100644 --- a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled_fixer.py 
+++ b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled_fixer.py @@ -5,7 +5,8 @@ def fixer(region): """ Enable IMDSv2 for EC2 instances in the specified region. - Requires the ec2:ModifyInstanceMetadataDefaults permission: + Requires the ec2:ModifyInstanceMetadataDefaults permission. + Permissions: { "Version": "2012-10-17", "Statement": [ diff --git a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_fixer.py b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_fixer.py index 31ca2d09293..c9556c29056 100644 --- a/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_fixer.py +++ b/prowler/providers/aws/services/guardduty/guardduty_is_enabled/guardduty_is_enabled_fixer.py @@ -4,7 +4,8 @@ def fixer(region): """ - Enable GuardDuty in a region. Requires the guardduty:CreateDetector permission: + Enable GuardDuty in a region. Requires the guardduty:CreateDetector permission. + Permissions: { "Version": "2012-10-17", "Statement": [ diff --git a/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_fixer.py b/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_fixer.py index 65f4c4ffa97..0643e480779 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_fixer.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_expires_passwords_within_90_days_or_less/iam_password_policy_expires_passwords_within_90_days_or_less_fixer.py 
@@ -5,7 +5,8 @@ def fixer(resource_id: str) -> bool: """ Enable IAM password policy to expire passwords within 90 days or less or the configurable value in prowler/config/fixer_config.yaml. - Requires the iam:UpdateAccountPasswordPolicy permission: + Requires the iam:UpdateAccountPasswordPolicy permission. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -16,6 +17,8 @@ def fixer(resource_id: str) -> bool: } ] } + Args: + resource_id (str): AWS account ID Returns: bool: True if IAM password policy is updated, False otherwise """ diff --git a/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_fixer.py b/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_fixer.py index 59213b623ad..6372e30b653 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_fixer.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_lowercase/iam_password_policy_lowercase_fixer.py @@ -5,7 +5,8 @@ def fixer(resource_id: str) -> bool: """ Enable IAM password policy to require lowercase characters or the configurable value in prowler/config/fixer_config.yaml. - Requires the iam:UpdateAccountPasswordPolicy permission: + Requires the iam:UpdateAccountPasswordPolicy permission. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -16,6 +17,8 @@ def fixer(resource_id: str) -> bool: } ] } + Args: + resource_id (str): AWS account ID Returns: bool: True if IAM password policy is updated, False otherwise """ diff --git a/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_fixer.py b/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_fixer.py index a200e81f680..85a14c3bacf 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_fixer.py 
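Review bot: The docstring in the iam_password_policy_expires_passwords_within_90_days_or_less_fixer.py hunks names the iam:UpdateAccountPasswordPolicy permission but does not say that this API replaces the whole account password policy. UpdateAccountPasswordPolicy does not support partial updates, so any setting left out of the call reverts to its default. The fixer body is outside the hunk, so I cannot tell whether it resends the existing values; the docstring should state this either way. I would add a line such as `NOTE: UpdateAccountPasswordPolicy overwrites the full policy; settings not passed revert to their defaults.` above `Permissions:`. The same applies to the lowercase, minimum_length_14, number, reuse_24, symbol and uppercase fixer hunks, which all call the same action on the same account-wide policy.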
+++ b/prowler/providers/aws/services/iam/iam_password_policy_minimum_length_14/iam_password_policy_minimum_length_14_fixer.py @@ -5,7 +5,8 @@ def fixer(resource_id: str) -> bool: """ Enable IAM password policy to require a minimum password length of 14 characters or the configurable value in prowler/config/fixer_config.yaml. - Requires the iam:UpdateAccountPasswordPolicy permission: + Requires the iam:UpdateAccountPasswordPolicy permission. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -16,6 +17,8 @@ def fixer(resource_id: str) -> bool: } ] } + Args: + resource_id (str): AWS account ID Returns: bool: True if IAM password policy is updated, False otherwise """ diff --git a/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_fixer.py b/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_fixer.py index 44208bafe13..7b11d70dd7c 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_fixer.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_number/iam_password_policy_number_fixer.py @@ -5,7 +5,8 @@ def fixer(resource_id: str) -> bool: """ Enable IAM password policy to require numbers or the configurable value in prowler/config/fixer_config.yaml. - Requires the iam:UpdateAccountPasswordPolicy permission: + Requires the iam:UpdateAccountPasswordPolicy permission. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -16,6 +17,8 @@ def fixer(resource_id: str) -> bool: } ] } + Args: + resource_id (str): AWS account ID Returns: bool: True if IAM password policy is updated, False otherwise """ diff --git a/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_fixer.py b/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_fixer.py index db36cc8253d..1ad0ccbcaf7 100644 
--- a/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_fixer.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_reuse_24/iam_password_policy_reuse_24_fixer.py @@ -5,7 +5,8 @@ def fixer(resource_id: str) -> bool: """ Enable IAM password policy to prevent reusing the 24 previous passwords or the configurable value in prowler/config/fixer_config.yaml. - Requires the iam:UpdateAccountPasswordPolicy permission: + Requires the iam:UpdateAccountPasswordPolicy permission. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -16,6 +17,8 @@ def fixer(resource_id: str) -> bool: } ] } + Args: + resource_id (str): AWS account ID Returns: bool: True if IAM password policy is updated, False otherwise """ diff --git a/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_fixer.py b/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_fixer.py index d85bcd9bd6e..4fa6bf6ee81 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_fixer.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_symbol/iam_password_policy_symbol_fixer.py @@ -5,7 +5,8 @@ def fixer(resource_id: str) -> bool: """ Enable IAM password policy to require symbols or the configurable value in prowler/config/fixer_config.yaml. - Requires the iam:UpdateAccountPasswordPolicy permission: + Requires the iam:UpdateAccountPasswordPolicy permission. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -16,6 +17,8 @@ def fixer(resource_id: str) -> bool: } ] } + Args: + resource_id (str): AWS account ID Returns: bool: True if IAM password policy is updated, False otherwise """ 
diff --git a/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_fixer.py b/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_fixer.py index 360559891e0..4723cd9dcd8 100644 --- a/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_fixer.py +++ b/prowler/providers/aws/services/iam/iam_password_policy_uppercase/iam_password_policy_uppercase_fixer.py @@ -5,7 +5,8 @@ def fixer(resource_id: str) -> bool: """ Enable IAM password policy to require uppercase characters or the configurable value in prowler/config/fixer_config.yaml. - Requires the iam:UpdateAccountPasswordPolicy permission: + Requires the iam:UpdateAccountPasswordPolicy permission. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -16,6 +17,8 @@ def fixer(resource_id: str) -> bool: } ] } + Args: + resource_id (str): AWS account ID Returns: bool: True if IAM password policy is updated, False otherwise """ diff --git a/prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally_fixer.py b/prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally_fixer.py index fafcc50563f..595b532562a 100644 --- a/prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally_fixer.py +++ b/prowler/providers/aws/services/kms/kms_cmk_not_deleted_unintentionally/kms_cmk_not_deleted_unintentionally_fixer.py @@ -7,7 +7,6 @@ def fixer(resource_id: str, region: str) -> bool: Cancel the scheduled deletion of a KMS key. Specifically, this fixer calls the 'cancel_key_deletion' method to restore the KMS key's availability if it is marked for deletion. Requires the kms:CancelKeyDeletion permission. - Permissions: { "Version": "2012-10-17", 
@@ -19,11 +18,9 @@ def fixer(resource_id: str, region: str) -> bool: } ] } - Args: resource_id (str): The ID of the KMS key to cancel the deletion for. region (str): AWS region where the KMS key exists. - Returns: bool: True if the operation is successful (deletion cancellation is completed), False otherwise. """ diff --git a/prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled_fixer.py b/prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled_fixer.py index f95f1d94ace..5387af8ad73 100644 --- a/prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled_fixer.py +++ b/prowler/providers/aws/services/kms/kms_cmk_rotation_enabled/kms_cmk_rotation_enabled_fixer.py @@ -4,7 +4,8 @@ def fixer(resource_id: str, region: str) -> bool: """ - Enable CMK rotation. Requires the kms:EnableKeyRotation permission: + Enable CMK rotation. Requires the kms:EnableKeyRotation permission. + Permissions: { "Version": "2012-10-17", "Statement": [ diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot_fixer.py b/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot_fixer.py index ad2a081cba6..d7c4ecef3cc 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot_fixer.py +++ b/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot_fixer.py 
@@ -6,9 +6,8 @@ def fixer(resource_id: str, region: str) -> bool: """ Modify the attributes of a Neptune DB cluster snapshot to remove public access. Specifically, this fixer removes the 'all' value from the 'restore' attribute to - prevent the snapshot from being publicly accessible. - - Requires the rds:ModifyDBClusterSnapshotAttribute permissions. + prevent the snapshot from being publicly accessible. Requires the rds:ModifyDBClusterSnapshotAttribute permissions. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -19,11 +18,9 @@ def fixer(resource_id: str, region: str) -> bool: } ] } - Args: resource_id (str): The DB cluster snapshot identifier. region (str): AWS region where the snapshot exists. - Returns: bool: True if the operation is successful (public access is removed), False otherwise. """ diff --git a/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_fixer.py b/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_fixer.py index bf44b90b4de..e15f7325b80 100644 --- a/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_fixer.py +++ b/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_fixer.py @@ -6,9 +6,8 @@ def fixer(resource_id: str, region: str) -> bool: """ Modify the attributes of an RDS instance to disable public accessibility. Specifically, this fixer sets the 'PubliclyAccessible' attribute to False - to prevent the RDS instance from being publicly accessible. - - Requires the rds:ModifyDBInstance permission: + to prevent the RDS instance from being publicly accessible. Requires the rds:ModifyDBInstance permission. + Permissions: { "Version": "2012-10-17", "Statement": [ 
@@ -19,11 +18,9 @@ def fixer(resource_id: str, region: str) -> bool: } ] } - Args: resource_id (str): The DB instance identifier. region (str): AWS region where the DB instance exists. - Returns: bool: True if the operation is successful (public access is disabled), False otherwise. """ diff --git a/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access_fixer.py b/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access_fixer.py index 752c8586a58..57ede076c0d 100644 --- a/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access_fixer.py +++ b/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access_fixer.py @@ -5,10 +5,9 @@ def fixer(resource_id: str, region: str) -> bool: """ Modify the attributes of an RDS DB snapshot or DB cluster snapshot to remove public access. - Specifically, this fixer removes the 'all' value from the 'restore' attribute to - prevent the snapshot from being publicly accessible for both DB snapshots and DB cluster snapshots. - - Requires the rds:ModifyDBSnapshotAttribute or rds:ModifyDBClusterSnapshotAttribute permissions. + Specifically, this fixer removes the 'all' value from the 'restore' attribute to prevent the snapshot from being publicly accessible + for both DB snapshots and DB cluster snapshots. Requires the rds:ModifyDBSnapshotAttribute or rds:ModifyDBClusterSnapshotAttribute permissions. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -24,11 +23,9 @@ def fixer(resource_id: str, region: str) -> bool: } ] } - Args: resource_id (str): The DB snapshot or DB cluster snapshot identifier. region (str): AWS region where the snapshot exists. - Returns: bool: True if the operation is successful (public access is removed), False otherwise. """ 
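Review bot: In the first rds_snapshots_public_access_fixer.py hunk, the rewritten sentence still says the fixer requires `rds:ModifyDBSnapshotAttribute or rds:ModifyDBClusterSnapshotAttribute`. That can be read as either action being enough, while the same docstring says the fixer handles both DB snapshots and DB cluster snapshots. An operator scoping a remediation role from this text could grant only one action and have the fixer fail on the other snapshot type. I would spell out the mapping, for example `Requires rds:ModifyDBSnapshotAttribute (DB snapshots) and rds:ModifyDBClusterSnapshotAttribute (DB cluster snapshots).`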
diff --git a/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_fixer.py b/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_fixer.py index 407c5d6daa7..6de203a3f84 100644 --- a/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_fixer.py +++ b/prowler/providers/aws/services/s3/s3_account_level_public_access_blocks/s3_account_level_public_access_blocks_fixer.py @@ -5,7 +5,8 @@ def fixer(resource_id: str) -> bool: """ Enable S3 Block Public Access for the account. NOTE: By blocking all S3 public access you may break public S3 buckets. - Requires the s3:PutAccountPublicAccessBlock permission: + Requires the s3:PutAccountPublicAccessBlock permission. + Permissions: { "Version": "2012-10-17", "Statement": [ @@ -16,6 +17,8 @@ def fixer(resource_id: str) -> bool: } ] } + Args: + resource_id (str): The AWS account ID. Returns: bool: True if S3 Block Public Access is enabled, False otherwise """ diff --git a/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_fixer.py b/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_fixer.py index 9445bcad23b..aceade1da65 100644 --- a/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_fixer.py +++ b/prowler/providers/aws/services/securityhub/securityhub_enabled/securityhub_enabled_fixer.py @@ -6,7 +6,8 @@ def fixer(region): """ - Enable Security Hub in a region. Requires the securityhub:EnableSecurityHub permission: + Enable Security Hub in a region. Requires the securityhub:EnableSecurityHub permission. + Permissions: { "Version": "2012-10-17", "Statement": [ 
diff --git a/tests/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled_test.py b/tests/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled_test.py index 61e59acc228..5e61250dc2d 100644 --- a/tests/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled_test.py +++ b/tests/providers/aws/services/documentdb/documentdb_cluster_backup_enabled/documentdb_cluster_backup_enabled_test.py @@ -21,6 +21,9 @@ def test_documentdb_no_clusters(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_backup_enabled.documentdb_cluster_backup_enabled import ( documentdb_cluster_backup_enabled, @@ -52,6 +55,9 @@ def test_documentdb_cluster_not_backed_up(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_backup_enabled.documentdb_cluster_backup_enabled import ( documentdb_cluster_backup_enabled, @@ -92,6 +98,9 @@ def test_documentdb_cluster_with_backup_less_than_recommended(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_backup_enabled.documentdb_cluster_backup_enabled import ( documentdb_cluster_backup_enabled, 
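Review bot: The patch added in the documentdb_cluster_backup_enabled_test.py hunks replaces the `documentdb_client` attribute on the client module, which only affects code that looks the name up after the patch is active. If the check binds it with `from … import documentdb_client` (the check module is outside the hunk, so this is an assumption), Python caches that module after the first test and later tests keep the earlier binding. Patching the name in the check module's own namespace would make each test independent of import order. The same two-patch block is repeated in every hunk of the cloudwatch_log_export, deletion_protection and multi_az_enabled test files, so a small shared helper or fixture would keep the targets in one place. The test function bodies start and end outside these hunks, and the commit subject mentions only fixer docstrings, so the test change deserves a line in the description.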
@@ -130,6 +139,9 @@ def test_documentdb_cluster_with_backup_equal_to_recommended(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_backup_enabled.documentdb_cluster_backup_enabled import ( documentdb_cluster_backup_enabled, @@ -168,6 +180,9 @@ def test_documentdb_cluster_with_backup(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_backup_enabled.documentdb_cluster_backup_enabled import ( documentdb_cluster_backup_enabled, @@ -207,6 +222,9 @@ def test_documentdb_cluster_with_backup_modified_retention(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_backup_enabled.documentdb_cluster_backup_enabled import ( documentdb_cluster_backup_enabled, diff --git a/tests/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export_test.py b/tests/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export_test.py index 7008c2690cd..3dc1cdb1c27 100644 --- a/tests/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export_test.py 
+++ b/tests/providers/aws/services/documentdb/documentdb_cluster_cloudwatch_log_export/documentdb_cluster_cloudwatch_log_export_test.py @@ -20,6 +20,9 @@ def test_documentdb_no_clusters(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_cloudwatch_log_export.documentdb_cluster_cloudwatch_log_export import ( documentdb_cluster_cloudwatch_log_export, @@ -51,6 +54,9 @@ def test_documentdb_cluster_cloudwatch_log_export_disabled(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_cloudwatch_log_export.documentdb_cluster_cloudwatch_log_export import ( documentdb_cluster_cloudwatch_log_export, @@ -90,6 +96,9 @@ def test_documentdb_cluster_cloudwatch_log_export_audit_only_enabled(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_cloudwatch_log_export.documentdb_cluster_cloudwatch_log_export import ( documentdb_cluster_cloudwatch_log_export, 
@@ -127,6 +136,9 @@ def test_documentdb_cluster_cloudwatch_log_export_profiler_only_enabled(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_cloudwatch_log_export.documentdb_cluster_cloudwatch_log_export import ( documentdb_cluster_cloudwatch_log_export, @@ -164,6 +176,9 @@ def test_documentdb_cluster_cloudwatch_log_export_enabled(self): with mock.patch( "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB", new=documentdb_client, + ), mock.patch( + "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client", + new=documentdb_client, ): from prowler.providers.aws.services.documentdb.documentdb_cluster_cloudwatch_log_export.documentdb_cluster_cloudwatch_log_export import ( documentdb_cluster_cloudwatch_log_export, diff --git a/tests/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection_test.py b/tests/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection_test.py index 4f02bc8114a..45e28afe180 100644 --- a/tests/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection_test.py +++ b/tests/providers/aws/services/documentdb/documentdb_cluster_deletion_protection/documentdb_cluster_deletion_protection_test.py 
@@ -20,6 +20,9 @@ def test_documentdb_no_clusters(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_deletion_protection.documentdb_cluster_deletion_protection import (
 documentdb_cluster_deletion_protection,
@@ -51,6 +54,9 @@ def test_documentdb_cluster_deletion_protection_disabled(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_deletion_protection.documentdb_cluster_deletion_protection import (
 documentdb_cluster_deletion_protection,
@@ -90,6 +96,9 @@ def test_documentdb_cluster_deletion_protection_enabled(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_deletion_protection.documentdb_cluster_deletion_protection import (
 documentdb_cluster_deletion_protection,
diff --git a/tests/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled_test.py b/tests/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled_test.py
index 88609b9a507..92c4268f831 100644
--- a/tests/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled_test.py
+++ b/tests/providers/aws/services/documentdb/documentdb_cluster_multi_az_enabled/documentdb_cluster_multi_az_enabled_test.py
@@ -20,6 +20,9 @@ def test_documentdb_no_clusters(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_multi_az_enabled.documentdb_cluster_multi_az_enabled import (
 documentdb_cluster_multi_az_enabled,
@@ -51,6 +54,9 @@ def test_documentdb_cluster_not_encrypted(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_multi_az_enabled.documentdb_cluster_multi_az_enabled import (
 documentdb_cluster_multi_az_enabled,
@@ -89,6 +95,9 @@ def test_documentdb_cluster_with_encryption(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_multi_az_enabled.documentdb_cluster_multi_az_enabled import (
 documentdb_cluster_multi_az_enabled,
diff --git a/tests/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot_test.py b/tests/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot_test.py
index 0104ac579b8..53c82763507 100644
--- a/tests/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot_test.py
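Review bot: In `documentdb_cluster_multi_az_enabled_test.py` the tests touched at `@@ -51,6 +54,9 @@` and `@@ -89,6 +95,9 @@` are named `test_documentdb_cluster_not_encrypted` and `test_documentdb_cluster_with_encryption`, which describe storage encryption rather than Multi-AZ and duplicate the names used in the storage_encrypted test file. Since these functions are being edited anyway, rename them, e.g. `def test_documentdb_cluster_multi_az_disabled(self):` and `def test_documentdb_cluster_multi_az_enabled(self):`, so a failing test report points at the right check. The test bodies are outside the hunks, so what they actually assert cannot be confirmed from here.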
+++ b/tests/providers/aws/services/documentdb/documentdb_cluster_public_snapshot/documentdb_cluster_public_snapshot_test.py
@@ -22,6 +22,9 @@ def test_documentdb_no_snapshot(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_public_snapshot.documentdb_cluster_public_snapshot import (
 documentdb_cluster_public_snapshot,
@@ -63,6 +66,9 @@ def test_documentdb_cluster_private_snapshot(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_public_snapshot.documentdb_cluster_public_snapshot import (
 documentdb_cluster_public_snapshot,
@@ -116,6 +122,9 @@ def test_documentdb_cluster_public_snapshot(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_public_snapshot.documentdb_cluster_public_snapshot import (
 documentdb_cluster_public_snapshot,
diff --git a/tests/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted_test.py b/tests/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted_test.py
index ae6bc0c8a04..cadb11d0eed 100644
--- a/tests/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted_test.py
+++ b/tests/providers/aws/services/documentdb/documentdb_cluster_storage_encrypted/documentdb_cluster_storage_encrypted_test.py
@@ -20,6 +20,9 @@ def test_documentdb_no_clusters(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_storage_encrypted.documentdb_cluster_storage_encrypted import (
 documentdb_cluster_storage_encrypted,
@@ -51,6 +54,9 @@ def test_documentdb_cluster_not_encrypted(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_storage_encrypted.documentdb_cluster_storage_encrypted import (
 documentdb_cluster_storage_encrypted,
@@ -89,6 +95,9 @@ def test_documentdb_cluster_with_encryption(self):
 with mock.patch(
 "prowler.providers.aws.services.documentdb.documentdb_service.DocumentDB",
 new=documentdb_client,
+ ), mock.patch(
+ "prowler.providers.aws.services.documentdb.documentdb_client.documentdb_client",
+ new=documentdb_client,
 ):
 from prowler.providers.aws.services.documentdb.documentdb_cluster_storage_encrypted.documentdb_cluster_storage_encrypted import (
 documentdb_cluster_storage_encrypted,