chore(acm): add ignore unused services feature (#4371)

prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.py

@@ -6,7 +6,7 @@ class acm_certificates_expiration_check(Check):
     def execute(self):
         findings = []
         for certificate in acm_client.certificates:
-            if certificate.in_use or acm_client.provider.scan_unused_services:
+            if certificate.in_use or not acm_client.audit_info.ignore_unused_services:
                 report = Check_Report_AWS(self.metadata())
                 report.region = certificate.region
                 if certificate.expiration_days > acm_client.audit_config.get(

prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.py

@@ -6,29 +6,30 @@ class acm_certificates_transparency_logs_enabled(Check):
     def execute(self):
         findings = []
         for certificate in acm_client.certificates:
-            report = Check_Report_AWS(self.metadata())
-            report.region = certificate.region
-            if certificate.type == "IMPORTED":
-                report.status = "PASS"
-                report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is imported."
-                report.resource_id = certificate.id
-                report.resource_details = certificate.name
-                report.resource_arn = certificate.arn
-                report.resource_tags = certificate.tags
-            else:
-                if not certificate.transparency_logging:
-                    report.status = "FAIL"
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging disabled."
-                    report.resource_id = certificate.id
-                    report.resource_details = certificate.name
-                    report.resource_arn = certificate.arn
-                    report.resource_tags = certificate.tags
-                else:
+            if certificate.in_use or not acm_client.audit_info.ignore_unused_services:
+                report = Check_Report_AWS(self.metadata())
+                report.region = certificate.region
+                if certificate.type == "IMPORTED":
                     report.status = "PASS"
-                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging enabled."
+                    report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} is imported."
                     report.resource_id = certificate.id
                     report.resource_details = certificate.name
                     report.resource_arn = certificate.arn
                     report.resource_tags = certificate.tags
-            findings.append(report)
+                else:
+                    if not certificate.transparency_logging:
+                        report.status = "FAIL"
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging disabled."
+                        report.resource_id = certificate.id
+                        report.resource_details = certificate.name
+                        report.resource_arn = certificate.arn
+                        report.resource_tags = certificate.tags
+                    else:
+                        report.status = "PASS"
+                        report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} has Certificate Transparency logging enabled."
+                        report.resource_id = certificate.id
+                        report.resource_details = certificate.name
+                        report.resource_arn = certificate.arn
+                        report.resource_tags = certificate.tags
+                findings.append(report)
         return findings

tests/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check_test.py

@@ -27,7 +27,7 @@ def test_no_acm_certificates(self):
 
             assert len(result) == 0
 
-    def test_acm_certificate_expirated(self):
+    def test_acm_certificate_expired(self):
         certificate_id = str(uuid.uuid4())
         certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
         certificate_name = "test-certificate.com"
@@ -49,6 +49,7 @@ def test_acm_certificate_expirated(self):
             )
         ]
 
+        acm_client.audit_info = mock.MagicMock
         acm_client.audit_config = {"days_to_expire_threshold": 7}
 
         with mock.patch(
@@ -74,7 +75,7 @@ def test_acm_certificate_expirated(self):
             assert result[0].region == AWS_REGION
             assert result[0].resource_tags == []
 
-    def test_acm_certificate_expirated_long_time(self):
+    def test_acm_certificate_expired_long_time(self):
         certificate_id = str(uuid.uuid4())
         certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
         certificate_name = "test-certificate.com"
@@ -96,6 +97,7 @@ def test_acm_certificate_expirated_long_time(self):
             )
         ]
 
+        acm_client.audit_info = mock.MagicMock
         acm_client.audit_config = {"days_to_expire_threshold": 7}
 
         with mock.patch(
@@ -120,7 +122,7 @@ def test_acm_certificate_expirated_long_time(self):
             assert result[0].region == AWS_REGION
             assert result[0].resource_tags == []
 
-    def test_acm_certificate_not_expirated(self):
+    def test_acm_certificate_not_expired(self):
         certificate_id = str(uuid.uuid4())
         certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
         certificate_name = "test-certificate.com"
@@ -141,7 +143,7 @@ def test_acm_certificate_not_expirated(self):
                 region=AWS_REGION,
             )
         ]
-
+        acm_client.audit_info = mock.MagicMock
         acm_client.audit_config = {"days_to_expire_threshold": 7}
 
         with mock.patch(
@@ -188,9 +190,9 @@ def test_acm_certificate_not_in_use(self):
             )
         ]
 
+        acm_client.audit_info = mock.MagicMock
         acm_client.audit_config = {"days_to_expire_threshold": 7}
-
-        acm_client.provider = mock.MagicMock(scan_unused_services=False)
+        acm_client.audit_info.ignore_unused_services = True
 
         with mock.patch(
             "prowler.providers.aws.services.acm.acm_service.ACM",
@@ -205,7 +207,7 @@ def test_acm_certificate_not_in_use(self):
 
             assert len(result) == 0
 
-    def test_acm_certificate_not_in_use_expired_scan_unused_services(self):
+    def test_acm_certificate_not_in_use_expired_not_ignore_unused_services(self):
         certificate_id = str(uuid.uuid4())
         certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
         certificate_name = "test-certificate.com"
@@ -226,10 +228,9 @@ def test_acm_certificate_not_in_use_expired_scan_unused_services(self):
                 region=AWS_REGION,
             )
         ]
-
+        acm_client.audit_info = mock.MagicMock
         acm_client.audit_config = {"days_to_expire_threshold": 7}
-
-        acm_client.provider = mock.MagicMock(scan_unused_services=True)
+        acm_client.audit_info.ignore_unused_services = False
 
         with mock.patch(
             "prowler.providers.aws.services.acm.acm_service.ACM",

tests/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled_test.py

@@ -111,3 +111,46 @@ def test_acm_certificate_without_logging(self):
             assert result[0].resource_arn == certificate_arn
             assert result[0].region == AWS_REGION
             assert result[0].resource_tags == []
+
+    def test_acm_certificate_imported(self):
+        certificate_id = str(uuid.uuid4())
+        certificate_arn = f"arn:aws:acm:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:certificate/{certificate_id}"
+        certificate_name = "test-certificate.com"
+        certificate_type = "IMPORTED"
+
+        acm_client = mock.MagicMock
+        acm_client.certificates = [
+            Certificate(
+                arn=certificate_arn,
+                id=certificate_id,
+                name=certificate_name,
+                type=certificate_type,
+                expiration_days=365,
+                transparency_logging=True,
+                in_use=True,
+                region=AWS_REGION,
+            )
+        ]
+
+        with mock.patch(
+            "prowler.providers.aws.services.acm.acm_service.ACM",
+            new=acm_client,
+        ):
+            # Test Check
+            from prowler.providers.aws.services.acm.acm_certificates_transparency_logs_enabled.acm_certificates_transparency_logs_enabled import (
+                acm_certificates_transparency_logs_enabled,
+            )
+
+            check = acm_certificates_transparency_logs_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"ACM Certificate {certificate_id} for {certificate_name} is imported."
+            )
+            assert result[0].resource_id == certificate_id
+            assert result[0].resource_arn == certificate_arn
+            assert result[0].region == AWS_REGION
+            assert result[0].resource_tags == []