chore(arn): improve resource ARNs in checks

docs/developer-guide/checks.md

@@ -125,7 +125,7 @@ All the checks MUST fill the `report.resource_id` and `report.resource_arn` with
     - Resource ARN -- `report.resource_arn`
         - AWS Account --> Root ARN `arn:aws:iam::123456789012:root`
         - AWS Resource --> Resource ARN
-        - Root resource --> Root ARN `arn:aws:iam::123456789012:root`
+        - Root resource --> Resource Type ARN `f"arn:{service_client.audited_partition}:<service_name>:{service_client.region}:{service_client.audited_account}:<resource_type>"`
 - GCP
     - Resource ID -- `report.resource_id`
         - GCP Resource --> Resource ID

prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py

@@ -17,7 +17,7 @@ def execute(self):
             report = Check_Report_AWS(self.metadata())
             report.status = "FAIL"
             report.status_extended = "No Backup Plan exist."
-            report.resource_arn = backup_client.audited_account_arn
+            report.resource_arn = backup_client.backup_plan_arn_template
             report.resource_id = backup_client.audited_account
             report.region = backup_client.region
             findings.append(report)

prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.py

@@ -10,7 +10,7 @@ def execute(self):
             report = Check_Report_AWS(self.metadata())
             report.status = "FAIL"
             report.status_extended = "No Backup Report Plan exist."
-            report.resource_arn = backup_client.audited_account_arn
+            report.resource_arn = backup_client.report_plan_arn_template
             report.resource_id = backup_client.audited_account
             report.region = backup_client.region
             if backup_client.backup_report_plans:

prowler/providers/aws/services/backup/backup_service.py

@@ -13,6 +13,9 @@ class Backup(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.backup_plan_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:backup-plan"
+        self.report_plan_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:report-plan"
+        self.backup_vault_arn_template = f"arn:{self.audited_partition}:backup:{self.region}:{self.audited_account}:backup-vault"
         self.backup_vaults = []
         self.__threading_call__(self.__list_backup_vaults__)
         self.backup_plans = []

prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.py

@@ -8,7 +8,7 @@ def execute(self):
         report = Check_Report_AWS(self.metadata())
         report.status = "FAIL"
         report.status_extended = "No Backup Vault exist."
-        report.resource_arn = backup_client.audited_account_arn
+        report.resource_arn = backup_client.backup_vault_arn_template
         report.resource_id = backup_client.audited_account
         report.region = backup_client.region
         if backup_client.backup_vaults:

prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.py

@@ -32,7 +32,9 @@ def execute(self):
                         report.status_extended = (
                             "No CloudTrail trails enabled and logging were found."
                         )
-                        report.resource_arn = cloudtrail_client.audited_account_arn
+                        report.resource_arn = (
+                            cloudtrail_client.__get_trail_arn_template__(region)
+                        )
                         report.resource_id = cloudtrail_client.audited_account
             # If there are no trails logging it is needed to store the FAIL once all the trails have been checked
             if report.status == "FAIL":

prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.py

@@ -14,7 +14,7 @@ def execute(self):
         )
         report.region = cloudtrail_client.region
         report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.resource_arn = cloudtrail_client.trail_arn_template
 
         for trail in cloudtrail_client.trails:
             if trail.is_logging:

prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.py

@@ -54,7 +54,7 @@ def execute(self):
         ):
             report = Check_Report_AWS(self.metadata())
             report.region = cloudtrail_client.region
-            report.resource_arn = cloudtrail_client.audited_account_arn
+            report.resource_arn = cloudtrail_client.trail_arn_template
             report.resource_id = cloudtrail_client.audited_account
             report.status = "FAIL"
             report.status_extended = "No CloudTrail trails have a data event to record all S3 object-level API operations."

prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.py

@@ -54,7 +54,7 @@ def execute(self):
         ):
             report = Check_Report_AWS(self.metadata())
             report.region = cloudtrail_client.region
-            report.resource_arn = cloudtrail_client.audited_account_arn
+            report.resource_arn = cloudtrail_client.trail_arn_template
             report.resource_id = cloudtrail_client.audited_account
             report.status = "FAIL"
             report.status_extended = "No CloudTrail trails have a data event to record all S3 object-level API operations."

prowler/providers/aws/services/cloudtrail/cloudtrail_service.py

@@ -14,13 +14,21 @@ class Cloudtrail(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.trail_arn_template = f"arn:{self.audited_partition}:cloudtrail:{self.region}:{self.audited_account}:trail"
         self.trails = []
         self.__threading_call__(self.__get_trails__)
         self.__get_trail_status__()
         self.__get_insight_selectors__()
         self.__get_event_selectors__()
         self.__list_tags_for_resource__()
 
+    def __get_trail_arn_template__(self, region):
+        return (
+            f"arn:{self.audited_partition}:cloudtrail:{region}:{self.audited_account}:trail"
+            if region
+            else f"arn:{self.audited_partition}:cloudtrail:{self.region}:{self.audited_account}:trail"
+        )
+
     def __get_trails__(self, regional_client):
         logger.info("Cloudtrail - Getting trails...")
         try:

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_cross_account_sharing_disabled/cloudwatch_cross_account_sharing_disabled.py

@@ -8,7 +8,7 @@ def execute(self):
         report = Check_Report_AWS(self.metadata())
         report.status = "PASS"
         report.status_extended = "CloudWatch doesn't allow cross-account sharing."
-        report.resource_arn = iam_client.audited_account_arn
+        report.resource_arn = iam_client.role_arn_template
         report.resource_id = iam_client.audited_account
         report.region = iam_client.region
         for role in iam_client.roles:

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py

@@ -22,9 +22,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py

@@ -22,9 +22,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_authentication_failures/cloudwatch_log_metric_filter_authentication_failures.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_aws_organizations_changes/cloudwatch_log_metric_filter_aws_organizations_changes.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk/cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes/cloudwatch_log_metric_filter_for_s3_bucket_policy_changes.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
 
         report = check_cloudwatch_log_metric_filter(
             pattern,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_policy_changes/cloudwatch_log_metric_filter_policy_changes.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_root_usage/cloudwatch_log_metric_filter_root_usage.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_security_group_changes/cloudwatch_log_metric_filter_security_group_changes.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_sign_in_without_mfa/cloudwatch_log_metric_filter_sign_in_without_mfa.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_log_metric_filter_unauthorized_api_calls/cloudwatch_log_metric_filter_unauthorized_api_calls.py

@@ -20,9 +20,9 @@ def execute(self):
         report.status_extended = (
             "No CloudWatch log groups found with metric filters or alarms associated."
         )
-        report.region = cloudwatch_client.region
-        report.resource_id = cloudtrail_client.audited_account
-        report.resource_arn = cloudtrail_client.audited_account_arn
+        report.region = logs_client.region
+        report.resource_id = logs_client.audited_account
+        report.resource_arn = logs_client.log_group_arn_template
         report = check_cloudwatch_log_metric_filter(
             pattern,
             cloudtrail_client.trails,

prowler/providers/aws/services/cloudwatch/cloudwatch_service.py

@@ -67,6 +67,7 @@ class Logs(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.log_group_arn_template = f"arn:{self.audited_partition}:logs:{self.region}:{self.audited_account}:log-group"
         self.metric_filters = []
         self.log_groups = []
         self.__threading_call__(self.__describe_metric_filters__)

prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.py

@@ -8,9 +8,9 @@ def execute(self):
         for recorder in config_client.recorders:
             report = Check_Report_AWS(self.metadata())
             report.region = recorder.region
-            report.resource_arn = (
-                config_client.audited_account_arn
-            )  # Config Recorders do not have ARNs
+            report.resource_arn = config_client.__get_recorder_arn_template__(
+                recorder.region
+            )
             report.resource_id = (
                 config_client.audited_account if not recorder.name else recorder.name
             )

prowler/providers/aws/services/config/config_service.py

@@ -15,6 +15,9 @@ def __init__(self, audit_info):
         self.recorders = []
         self.__threading_call__(self.__describe_configuration_recorder_status__)
 
+    def __get_recorder_arn_template__(self, region):
+        return f"arn:{self.audited_partition}:config:{region}:{self.audited_account}:recorder"
+
     def __describe_configuration_recorder_status__(self, regional_client):
         logger.info("Config - Listing Recorders...")
         try:

prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.py

@@ -16,7 +16,9 @@ def execute(self):
                 report.status_extended = "No EBS Snapshot lifecycle policies found."
                 report.region = region
                 report.resource_id = dlm_client.audited_account
-                report.resource_arn = dlm_client.audited_account_arn
+                report.resource_arn = dlm_client.__get_lifecycle_policy_arn_template__(
+                    region
+                )
                 if dlm_client.lifecycle_policies[region]:
                     report.status = "PASS"
                     report.status_extended = "EBS snapshot lifecycle policies found."

prowler/providers/aws/services/dlm/dlm_service.py

@@ -9,9 +9,15 @@ class DLM(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.lifecycle_policy_arn_template = f"arn:{self.audited_partition}:dlm:{self.region}:{self.audited_account}:policy"
         self.lifecycle_policies = {}
         self.__threading_call__(self.__get_lifecycle_policies__)
 
+    def __get_lifecycle_policy_arn_template__(self, region):
+        return (
+            f"arn:{self.audited_partition}:dlm:{region}:{self.audited_account}:policy"
+        )
+
     def __get_lifecycle_policies__(self, regional_client):
         logger.info("DLM - Getting EBS Snapshots Lifecycle Policies...")
         try:

prowler/providers/aws/services/drs/drs_job_exist/drs_job_exist.py

@@ -11,7 +11,9 @@ def execute(self):
             report.status_extended = "DRS is not enabled for this region."
             report.region = drs.region
             report.resource_tags = []
-            report.resource_arn = drs_client.audited_account_arn
+            report.resource_arn = drs_client.__get_recovery_job_arn_template__(
+                drs.region
+            )
             report.resource_id = drs_client.audited_account
             if drs.status == "ENABLED":
                 report.status_extended = "DRS is enabled for this region without jobs."

prowler/providers/aws/services/drs/drs_service.py

@@ -11,9 +11,13 @@ class DRS(AWSService):
     def __init__(self, audit_info):
         # Call AWSService's __init__
         super().__init__(__class__.__name__, audit_info)
+        self.recovery_job_arn_template = f"arn:{self.audited_partition}:drs:{self.region}:{self.audited_account}:recovery-job"
         self.drs_services = []
         self.__threading_call__(self.__describe_jobs__)
 
+    def __get_recovery_job_arn_template__(self, region):
+        return f"arn:{self.audited_partition}:drs:{region}:{self.audited_account}:recovery-job"
+
     def __describe_jobs__(self, regional_client):
         logger.info("DRS - Describe Jobs...")
         try: