remove nacl logic

prowler/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing.py

@@ -16,7 +16,7 @@ def execute(self):
             report.status = "PASS"
             report.status_extended = f"ELBv2 ALB {lb.name} is not internet facing."
             if lb.scheme == "internet-facing":
-                report.status_extended = f"ELBv2 ALB {lb.name} has an internet facing scheme in {lb.dns} but is not public."
+                report.status_extended = f"ELBv2 ALB {lb.name} has an internet facing scheme with domain {lb.dns} but is not public."
                 for sg_id in getattr(lb, "security_groups", []):
                     sg_arn = f"arn:{elbv2_client.audited_partition}:ec2:{lb.region}:{elbv2_client.audited_account}:security-group/{sg_id}"
                     if sg_arn in ec2_client.security_groups:
@@ -27,7 +27,7 @@ def execute(self):
                                 ingress_rule, "tcp", any_address=True
                             ):
                                 report.status = "FAIL"
-                                report.status_extended = f"ELBv2 ALB {lb.name} is internet facing in {lb.dns} due to a public security group {sg_id}."
+                                report.status_extended = f"ELBv2 ALB {lb.name} is internet facing with domain {lb.dns} due to their security group {sg_id} is public."
 
             findings.append(report)
 

prowler/providers/aws/services/vpc/vpc_service.py

@@ -369,34 +369,6 @@ def _describe_vpc_subnets(self, regional_client):
                                         public = True
                                     if "NatGatewayId" in route:
                                         nat_gateway = True
-                            if not public:
-                                # Check if the subnet has any public NACL associated
-                                nacls = (
-                                    regional_client_for_subnet.describe_network_acls(
-                                        Filters=[
-                                            {
-                                                "Name": "association.subnet-id",
-                                                "Values": [subnet["SubnetId"]],
-                                            }
-                                        ]
-                                    )
-                                )
-                                has_ingress = False
-                                has_egress = False
-                                for nacl in nacls.get("NetworkAcls", []):
-                                    for acl_entry in nacl.get("Entries", []):
-                                        if acl_entry.get("RuleAction") == "allow" and (
-                                            acl_entry.get("CidrBlock") == "0.0.0.0/0"
-                                            or acl_entry.get("Ipv6CidrBlock") == "::/0"
-                                        ):
-                                            if acl_entry.get("Egress"):
-                                                has_egress = True
-                                            else:
-                                                has_ingress = True
-                                        if has_egress and has_ingress:
-                                            public = True
-                                            break
-
                             subnet_name = ""
                             for tag in subnet.get("Tags", []):
                                 if tag["Key"] == "Name":
@@ -421,8 +393,6 @@ def _describe_vpc_subnets(self, regional_client):
                             for vpc in self.vpcs.values():
                                 if vpc.id == subnet["VpcId"]:
                                     vpc.subnets.append(object)
-                                    if object.public:
-                                        vpc.public = True
                         except Exception as error:
                             logger.error(
                                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
@@ -484,7 +454,6 @@ class VPCs(BaseModel):
     name: str
     default: bool
     in_use: bool = False
-    public: bool = False
     cidr_block: str
     flow_log: bool = False
     region: str

tests/providers/aws/services/elbv2/elbv2_internet_facing/elbv2_internet_facing_test.py

@@ -144,7 +144,7 @@ def test_elbv2_internet_facing(self):
             assert len(result) == 1
             assert result[0].status == "PASS"
             assert result[0].status_extended == (
-                f"ELBv2 ALB my-lb has an internet facing scheme in {lb['DNSName']} but is not public."
+                f"ELBv2 ALB my-lb has an internet facing scheme with domain {lb['DNSName']} but is not public."
             )
             assert result[0].resource_id == "my-lb"
             assert result[0].resource_arn == lb["LoadBalancerArn"]
@@ -217,7 +217,7 @@ def test_elbv2_public_sg(self):
             assert len(result) == 1
             assert result[0].status == "FAIL"
             assert result[0].status_extended == (
-                f"ELBv2 ALB my-lb is internet facing in {lb['DNSName']} due to a public security group {default_sg_id}."
+                f"ELBv2 ALB my-lb is internet facing with domain {lb['DNSName']} due to their security group {default_sg_id} is public."
             )
             assert result[0].resource_id == "my-lb"
             assert result[0].resource_arn == lb["LoadBalancerArn"]

tests/providers/aws/services/vpc/vpc_service_test.py

@@ -459,7 +459,6 @@ def test_vpc_subnet_with_open_nacl(self):
                 assert vpc.subnets[0].id == subnet_id
                 assert vpc.subnets[0].vpc_id == vpc_id
                 assert vpc.subnets[0].availability_zone == f"{AWS_REGION_US_EAST_1}a"
-                assert vpc.subnets[0].public
                 assert vpc.subnets[0].region == AWS_REGION_US_EAST_1
 
     # Test VPC Describe VPN Connections