From b397493371bb39582b1689b7ef478ebd1f6779ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= Date: Thu, 12 Dec 2024 16:51:09 +0100 Subject: [PATCH] fix(rds): add invalid SG to status_extended (#6157) (cherry picked from commit 83c204e010f3c803b9e26b3d42acbf9d9d06ea23)
---
 .../rds_instance_no_public_access.py | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py b/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py
index ca0e1b3bebe..dffa850693c 100644
--- a/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py
+++ b/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.py
@@ -37,18 +37,21 @@ def execute(self):
 ):
 report.status_extended = f"RDS Instance {db_instance.id} is set as publicly accessible and security group {security_group.name} ({security_group.id}) has {db_instance.engine} port {db_instance_port} open to the Internet at endpoint {db_instance.endpoint.get('Address')} but is not in a public subnet."
 public_sg = True
+ if db_instance.subnet_ids:
+ for subnet_id in db_instance.subnet_ids:
+ if (
+ subnet_id in vpc_client.vpc_subnets
+ and vpc_client.vpc_subnets[
+ subnet_id
+ ].public
+ ):
+ report.status = "FAIL"
+ report.status_extended = f"RDS Instance {db_instance.id} is set as publicly accessible and security group {security_group.name} ({security_group.id}) has {db_instance.engine} port {db_instance_port} open to the Internet at endpoint {db_instance.endpoint.get('Address')} in a public subnet {subnet_id}."
+ break
+ if public_sg:
 break
 if public_sg:
 break
- if db_instance.subnet_ids:
- for subnet_id in db_instance.subnet_ids:
- if (
- subnet_id in vpc_client.vpc_subnets
- and vpc_client.vpc_subnets[subnet_id].public
- ):
- report.status = "FAIL"
- report.status_extended = f"RDS Instance {db_instance.id} is set as publicly accessible and security group {security_group.name} ({security_group.id}) has {db_instance.engine} port {db_instance_port} open to the Internet at endpoint {db_instance.endpoint.get('Address')} in a public subnet {subnet_id}."
- break
 findings.append(report)
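Review bot: The public-subnet FAIL is now reachable only after `public_sg = True`, so an instance that is publicly accessible and sits in a public subnet but whose security groups do not open the port to any address no longer fails, whereas the removed block set `report.status = "FAIL"` for that instance regardless of the security-group result (the status it falls back to is set above the hunk and is not visible here). If that narrowing is intended, because the finding is about exposure to the whole Internet rather than to specific CIDRs, the commit message should say so and a unit test should pin the public-subnet-with-restricted-SG case; if it is not, the subnet loop still needs to run outside the `public_sg` branch while naming only a security group that actually matched. A short comment above the new `if db_instance.subnet_ids:`, such as `# FAIL only when a rule opens the port to any address AND the instance is in a public subnet; otherwise the explanatory status_extended stands`, would make the intent explicit either way. The enclosing execute() starts and ends outside the hunk.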