chore(backport): include latest changes of v4 in v3 (#4027)

docs/tutorials/configuration_file.md

@@ -33,7 +33,7 @@ The following list includes all the AWS checks with configurable variables that
 | `drs_job_exist`                                               | `allowlist_non_default_regions`                  | Boolean         |
 | `guardduty_is_enabled`                                        | `allowlist_non_default_regions`                  | Boolean         |
 | `securityhub_enabled`                                         | `allowlist_non_default_regions`                  | Boolean         |
-
+| `rds_instance_backup_enabled`                                  | `check_rds_instance_replicas`      | Boolean        |
 ## Azure
 
 ### Configurable Checks
@@ -144,6 +144,11 @@ aws:
   # trustedadvisor_premium_support_plan_subscribed
   verify_premium_support_plans: True
 
+  # AWS RDS
+  # aws.rds_instance_backup_enabled
+  # Whether to check RDS instance replicas or not
+  check_rds_instance_replicas: False
+
 # Azure Configuration
 azure:
   # Azure Network Configuration

prowler/compliance/aws/aws_foundational_technical_review_aws.json

@@ -363,7 +363,7 @@
       "Checks": [
         "ec2_ami_public",
         "ec2_instance_public_ip",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",

prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json

@@ -719,7 +719,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",

prowler/compliance/aws/cis_1.4_aws.json

@@ -1168,7 +1168,7 @@
       "Id": "5.2",
       "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],

prowler/compliance/aws/cis_1.5_aws.json

@@ -1252,7 +1252,7 @@
       "Id": "5.2",
       "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],
@@ -1275,7 +1275,7 @@
       "Id": "5.3",
       "Description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],

prowler/compliance/aws/cis_2.0_aws.json

@@ -1250,7 +1250,7 @@
       "Id": "5.2",
       "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],
@@ -1273,7 +1273,7 @@
       "Id": "5.3",
       "Description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],

prowler/compliance/aws/cis_3.0_aws.json

@@ -1208,7 +1208,7 @@
       "Id": "5.2",
       "Description": "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],
@@ -1231,7 +1231,7 @@
       "Id": "5.3",
       "Description": "Ensure no security groups allow ingress from ::/0 to remote server administration ports",
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"
       ],

prowler/compliance/aws/cisa_aws.json

@@ -134,7 +134,7 @@
         "vpc_endpoint_connections_trust_boundaries",
         "ec2_securitygroup_default_restrict_traffic",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
       ]
     },
     {
@@ -297,7 +297,7 @@
         "vpc_flow_logs_enabled",
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
       ]
     },
     {

prowler/compliance/aws/ens_rd2022_aws.json

@@ -2157,7 +2157,7 @@
         }
       ],
       "Checks": [
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port"
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports"
       ]
     },
     {

prowler/compliance/aws/mitre_attack_aws.json

@@ -106,7 +106,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1022,7 +1022,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1468,7 +1468,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1648,7 +1648,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
@@ -1900,7 +1900,7 @@
         "ec2_networkacl_allow_ingress_any_port",
         "ec2_networkacl_allow_ingress_tcp_port_22",
         "ec2_networkacl_allow_ingress_tcp_port_3389",
-        "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+        "ec2_securitygroup_allow_ingress_from_internet_to_all_ports",
         "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
         "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",

prowler/config/config.yaml

@@ -96,6 +96,11 @@ aws:
   # trustedadvisor_premium_support_plan_subscribed
   verify_premium_support_plans: True
 
+  # AWS RDS
+  # aws.rds_instance_backup_enabled
+  # Whether to check RDS instance replicas or not
+  check_rds_instance_replicas: False
+
 # Azure Configuration
 azure:
   # Azure Network Configuration

prowler/providers/aws/aws_provider.py

@@ -1,10 +1,13 @@
 import os
 import pathlib
 import sys
+from datetime import datetime
 
 from boto3 import client, session
 from botocore.credentials import RefreshableCredentials
 from botocore.session import get_session
+from pytz import utc
+from tzlocal import get_localzone
 
 from prowler.config.config import aws_services_json_file
 from prowler.lib.check.check import list_modules, recover_checks_from_service
@@ -14,6 +17,7 @@
     AWS_STS_GLOBAL_ENDPOINT_REGION,
     ROLE_SESSION_NAME,
 )
+from prowler.providers.aws.lib.audit_info.audit_info import current_audit_info
 from prowler.providers.aws.lib.audit_info.models import AWS_Assume_Role, AWS_Audit_Info
 from prowler.providers.aws.lib.credentials.credentials import create_sts_session
 
@@ -98,18 +102,31 @@ def set_session(self, audit_info):
     # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L570
     def refresh_credentials(self):
         logger.info("Refreshing assumed credentials...")
-
-        response = assume_role(self.aws_session, self.role_info)
-        refreshed_credentials = dict(
-            # Keys of the dict has to be the same as those that are being searched in the parent class
-            # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L609
-            access_key=response["Credentials"]["AccessKeyId"],
-            secret_key=response["Credentials"]["SecretAccessKey"],
-            token=response["Credentials"]["SessionToken"],
-            expiry_time=response["Credentials"]["Expiration"].isoformat(),
-        )
-        logger.info("Refreshed Credentials:")
-        logger.info(refreshed_credentials)
+        current_credentials = current_audit_info.credentials
+        refreshed_credentials = {
+            "access_key": current_credentials.aws_access_key_id,
+            "secret_key": current_credentials.aws_secret_access_key,
+            "token": current_credentials.aws_session_token,
+            "expiry_time": (
+                current_credentials.expiration.isoformat()
+                if hasattr(current_credentials, "expiration")
+                else current_credentials.expiry_time.isoformat()
+            ),
+        }
+        if datetime.fromisoformat(refreshed_credentials["expiry_time"]) <= datetime.now(
+            get_localzone()
+        ):
+            response = assume_role(self.aws_session, self.role_info)
+            refreshed_credentials = dict(
+                # Keys of the dict has to be the same as those that are being searched in the parent class
+                # https://github.com/boto/botocore/blob/098cc255f81a25b852e1ecdeb7adebd94c7b1b73/botocore/credentials.py#L609
+                access_key=response["Credentials"]["AccessKeyId"],
+                secret_key=response["Credentials"]["SecretAccessKey"],
+                token=response["Credentials"]["SessionToken"],
+                expiry_time=response["Credentials"]["Expiration"].isoformat(),
+            )
+            logger.info("Refreshed Credentials:")
+            logger.info(refreshed_credentials)
         return refreshed_credentials
 
 
@@ -146,6 +163,17 @@ def assume_role(
 
         sts_client = create_sts_session(session, sts_endpoint_region)
         assumed_credentials = sts_client.assume_role(**assume_role_arguments)
+
+        # Convert the UTC datetime object to your local timezone
+        credentials_expiration_local_time = (
+            assumed_credentials["Credentials"]["Expiration"]
+            .replace(tzinfo=utc)
+            .astimezone(get_localzone())
+        )
+        assumed_credentials["Credentials"][
+            "Expiration"
+        ] = credentials_expiration_local_time
+
     except Exception as error:
         logger.critical(
             f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"

prowler/providers/aws/aws_regions_by_service.json

@@ -6161,6 +6161,7 @@
           "ap-southeast-3",
           "ap-southeast-4",
           "ca-central-1",
+          "ca-west-1",
           "eu-central-1",
           "eu-central-2",
           "eu-north-1",
@@ -7073,6 +7074,8 @@
     "mwaa": {
       "regions": {
         "aws": [
+          "af-south-1",
+          "ap-east-1",
           "ap-northeast-1",
           "ap-northeast-2",
           "ap-south-1",
@@ -7081,12 +7084,15 @@
           "ca-central-1",
           "eu-central-1",
           "eu-north-1",
+          "eu-south-1",
           "eu-west-1",
           "eu-west-2",
           "eu-west-3",
+          "me-south-1",
           "sa-east-1",
           "us-east-1",
           "us-east-2",
+          "us-west-1",
           "us-west-2"
         ],
         "aws-cn": [
@@ -7407,10 +7413,13 @@
       "regions": {
         "aws": [
           "ap-northeast-1",
+          "ap-south-1",
           "ap-southeast-1",
           "ap-southeast-2",
           "eu-central-1",
           "eu-west-1",
+          "eu-west-2",
+          "eu-west-3",
           "us-east-1",
           "us-east-2",
           "us-west-2"
@@ -8326,7 +8335,12 @@
     "repostspace": {
       "regions": {
         "aws": [
+          "ap-southeast-1",
+          "ap-southeast-2",
+          "ca-central-1",
           "eu-central-1",
+          "eu-west-1",
+          "us-east-1",
           "us-west-2"
         ],
         "aws-cn": [],
@@ -8777,6 +8791,7 @@
           "ap-southeast-3",
           "ap-southeast-4",
           "ca-central-1",
+          "ca-west-1",
           "eu-central-1",
           "eu-central-2",
           "eu-north-1",
@@ -10667,6 +10682,8 @@
       "regions": {
         "aws": [
           "ap-northeast-1",
+          "ap-northeast-2",
+          "ap-south-1",
           "ap-southeast-1",
           "ap-southeast-2",
           "ca-central-1",

prowler/providers/aws/lib/allowlist/allowlist.py

@@ -185,14 +185,23 @@ def is_allowlisted_in_check(
             # map lambda to awslambda
             allowlisted_check = re.sub("^lambda", "awslambda", allowlisted_check)
 
+            check_match = (
+                "*" == allowlisted_check
+                or check == allowlisted_check
+                or re.search(allowlisted_check, check)
+            )
+
             # Check if the finding is excepted
             exceptions = allowlisted_check_info.get("Exceptions")
-            if is_excepted(
-                exceptions,
-                audited_account,
-                finding_region,
-                finding_resource,
-                finding_tags,
+            if (
+                is_excepted(
+                    exceptions,
+                    audited_account,
+                    finding_region,
+                    finding_resource,
+                    finding_tags,
+                )
+                and check_match
             ):
                 # Break loop and return default value since is excepted
                 break
@@ -205,11 +214,7 @@ def is_allowlisted_in_check(
                 allowlisted_tags = "*"
 
             # If there is a *, it affects to all checks
-            if (
-                "*" == allowlisted_check
-                or check == allowlisted_check
-                or re.search(allowlisted_check, check)
-            ):
+            if check_match:
                 allowlisted_in_check = True
                 allowlisted_in_region = is_allowlisted_in_region(
                     allowlisted_regions, finding_region