fix(aws): enhance resource arn filtering (#4837)

Co-authored-by: Sergio Garcia <[email protected]>
prowler-cloud · Aug 22, 2024 · ac623b7 · ac623b7
1 parent fa05936
commit ac623b7
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 13 deletions.
diff --git a/prowler/providers/aws/aws_provider.py b/prowler/providers/aws/aws_provider.py
@@ -78,7 +78,7 @@ def __init__(self, arguments: Namespace):
         # MFA Configuration (false by default)
         input_mfa = getattr(arguments, "mfa", None)
         input_profile = getattr(arguments, "profile", None)
-        input_regions = getattr(arguments, "region", set())
+        input_regions = set(getattr(arguments, "region", set()))
         organizations_role_arn = getattr(arguments, "organizations_role", None)
 
         # Set if unused services must be scanned
@@ -740,16 +740,22 @@ def get_tagged_resources(self, input_resource_tags: list[str]) -> list[str]:
 
     def get_default_region(self, service: str) -> str:
         """get_default_region returns the default region based on the profile and audited service regions"""
-        service_regions = self.get_available_aws_service_regions(service)
-        default_region = self.get_global_region()
-        # global region of the partition when all regions are audited and there is no profile region
-        if self._identity.profile_region in service_regions:
-            # return profile region only if it is audited
-            default_region = self._identity.profile_region
-        # return first audited region if specific regions are audited
-        elif self._identity.audited_regions:
-            default_region = self._identity.audited_regions[0]
-        return default_region
+        try:
+            service_regions = self.get_available_aws_service_regions(service)
+            default_region = self.get_global_region()
+            # global region of the partition when all regions are audited and there is no profile region
+            if self._identity.profile_region in service_regions:
+                # return profile region only if it is audited
+                default_region = self._identity.profile_region
+            # return first audited region if specific regions are audited
+            elif self._identity.audited_regions:
+                default_region = list(self._identity.audited_regions)[0]
+            return default_region
+        except Exception as error:
+            logger.critical(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+            raise error
 
     def get_global_region(self) -> str:
         """get_global_region returns the global region based on the audited partition"""
@@ -959,7 +965,7 @@ def get_aws_region_for_sts(session_region: str, input_regions: set[str]) -> str:
             aws_region = AWS_STS_GLOBAL_ENDPOINT_REGION
     else:
         # Get the first region passed to the -f/--region
-        aws_region = input_regions[0]
+        aws_region = list(input_regions)[0]
 
     return aws_region
 

diff --git a/prowler/providers/aws/lib/arn/arn.py b/prowler/providers/aws/lib/arn/arn.py
@@ -58,5 +58,5 @@ def parse_iam_credentials_arn(arn: str) -> ARN:
 
 def is_valid_arn(arn: str) -> bool:
     """is_valid_arn returns True or False whether the given AWS ARN (Amazon Resource Name) is valid or not."""
-    regex = r"^arn:aws(-cn|-us-gov|-iso|-iso-b)?:[a-zA-Z0-9\-]+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:[a-zA-Z0-9\-_\/:\.]+(:\d+)?$"
+    regex = r"^arn:aws(-cn|-us-gov|-iso|-iso-b)?:[a-zA-Z0-9\-]+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:[a-zA-Z0-9\-_\/:\.\*]+(:\d+)?$"
     return re.match(regex, arn) is not None
diff --git a/tests/providers/aws/lib/arn/arn_test.py b/tests/providers/aws/lib/arn/arn_test.py
@@ -386,6 +386,7 @@ def test_is_valid_arn(self):
             "arn:aws:lambda:eu-west-1:123456789012:function:lambda-function"
         )
         assert is_valid_arn("arn:aws:sns:eu-west-1:123456789012:test.fifo")
+        assert is_valid_arn("arn:aws:logs:eu-west-1:123456789012:log-group:/ecs/test:")
         assert not is_valid_arn("arn:azure:::012345678910:user/test")
         assert not is_valid_arn("arn:aws:iam::account:user/test")
         assert not is_valid_arn("arn:aws:::012345678910:resource")