chore(ec2): Change security groups to dict (#4700)

Author: puchy22

docs/developer-guide/checks.md

@@ -222,7 +222,7 @@ class ec2_securitygroup_with_many_ingress_egress_rules(Check):
         max_security_group_rules = ec2_client.audit_config.get(
             "max_security_group_rules", 50
         )
-        for security_group in ec2_client.security_groups:
+        for security_group_arn, security_group in ec2_client.security_groups.items():
 ```
 
 ```yaml title="config.yaml"

prowler/providers/aws/services/dms/dms_instance_no_public_access/dms_instance_no_public_access.py

@@ -22,7 +22,7 @@ def execute(self):
                 if instance.security_groups:
                     report.status = "PASS"
                     report.status_extended = f"DMS Replication Instance {instance.id} is set as publicly accessible but filtered with security groups."
-                    for security_group in ec2_client.security_groups:
+                    for security_group in ec2_client.security_groups.values():
                         if security_group.id in instance.security_groups:
                             for ingress_rule in security_group.ingress_rules:
                                 if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_cassandra_exposed_to_internet/ec2_instance_port_cassandra_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_cifs_exposed_to_internet/ec2_instance_port_cifs_exposed_to_internet.py

@@ -22,7 +22,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_elasticsearch_kibana_exposed_to_internet/ec2_instance_port_elasticsearch_kibana_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_ftp_exposed_to_internet/ec2_instance_port_ftp_exposed_to_internet.py

@@ -22,7 +22,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_kafka_exposed_to_internet/ec2_instance_port_kafka_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_kerberos_exposed_to_internet/ec2_instance_port_kerberos_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_ldap_exposed_to_internet/ec2_instance_port_ldap_exposed_to_internet.py

@@ -22,7 +22,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_memcached_exposed_to_internet/ec2_instance_port_memcached_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_mongodb_exposed_to_internet/ec2_instance_port_mongodb_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_mysql_exposed_to_internet/ec2_instance_port_mysql_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_oracle_exposed_to_internet/ec2_instance_port_oracle_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_postgresql_exposed_to_internet/ec2_instance_port_postgresql_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_rdp_exposed_to_internet/ec2_instance_port_rdp_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_redis_exposed_to_internet/ec2_instance_port_redis_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_sqlserver_exposed_to_internet/ec2_instance_port_sqlserver_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_ssh_exposed_to_internet/ec2_instance_port_ssh_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_instance_port_telnet_exposed_to_internet/ec2_instance_port_telnet_exposed_to_internet.py

@@ -20,7 +20,7 @@ def execute(self):
             report.resource_tags = instance.tags
             is_open_port = False
             if instance.security_groups:
-                for sg in ec2_client.security_groups:
+                for sg in ec2_client.security_groups.values():
                     if sg.id in instance.security_groups:
                         for ingress_rule in sg.ingress_rules:
                             if check_security_group(

prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_all_ports/ec2_securitygroup_allow_ingress_from_internet_to_all_ports.py

@@ -1,13 +1,13 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.ec2.ec2_client import ec2_client
-from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
+from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 
 
 class ec2_securitygroup_allow_ingress_from_internet_to_all_ports(Check):
     def execute(self):
         findings = []
-        for security_group in ec2_client.security_groups:
+        for security_group_arn, security_group in ec2_client.security_groups.items():
             # Check if ignoring flag is set and if the VPC and the SG is in use
             if ec2_client.provider.scan_unused_services or (
                 security_group.vpc_id in vpc_client.vpcs
@@ -20,13 +20,13 @@ def execute(self):
                 report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have all ports open to the Internet."
                 report.resource_details = security_group.name
                 report.resource_id = security_group.id
-                report.resource_arn = security_group.arn
+                report.resource_arn = security_group_arn
                 report.resource_tags = security_group.tags
                 for ingress_rule in security_group.ingress_rules:
                     if check_security_group(ingress_rule, "-1", any_address=True):
                         ec2_client.set_failed_check(
                             self.__class__.__name__,
-                            security_group.arn,
+                            security_group_arn,
                         )
                         report.status = "FAIL"
                         report.status_extended = f"Security group {security_group.name} ({security_group.id}) has all ports open to the Internet."

prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port/ec2_securitygroup_allow_ingress_from_internet_to_any_port.py

@@ -1,17 +1,17 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.ec2.ec2_client import ec2_client
-from prowler.providers.aws.services.ec2.ec2_service import NetworkInterface
-from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
-from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 from prowler.providers.aws.services.ec2.ec2_securitygroup_allow_ingress_from_internet_to_all_ports import (
     ec2_securitygroup_allow_ingress_from_internet_to_all_ports,
 )
+from prowler.providers.aws.services.ec2.ec2_service import NetworkInterface
+from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
+from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 
 
 class ec2_securitygroup_allow_ingress_from_internet_to_any_port(Check):
     def execute(self):
         findings = []
-        for security_group in ec2_client.security_groups:
+        for security_group_arn, security_group in ec2_client.security_groups.items():
             # Check if ignoring flag is set and if the VPC and the SG is in use
             if ec2_client.provider.scan_unused_services or (
                 security_group.vpc_id in vpc_client.vpcs
@@ -24,12 +24,12 @@ def execute(self):
                 report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have any port open to the Internet."
                 report.resource_details = security_group.name
                 report.resource_id = security_group.id
-                report.resource_arn = security_group.arn
+                report.resource_arn = security_group_arn
                 report.resource_tags = security_group.tags
                 # only proceed if check "..._to_all_ports" did not run or did not FAIL to avoid to report open ports twice
                 if not ec2_client.is_failed_check(
                     ec2_securitygroup_allow_ingress_from_internet_to_all_ports.__name__,
-                    security_group.arn,
+                    security_group_arn,
                 ):
                     # Loop through every security group's ingress rule and check it
                     for ingress_rule in security_group.ingress_rules:
@@ -61,7 +61,6 @@ def check_enis(
     ):
         report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet but is exclusively not attached to any network interface."
         for eni in enis:
-
             if self.is_allowed_eni_type(eni_type=eni.type):
                 report.status = "PASS"
                 report.status_extended = f"Security group {security_group_name} ({security_group_id}) has at least one port open to the Internet but is exclusively attached to an allowed network interface type ({eni.type})."

prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018/ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018.py

@@ -1,17 +1,17 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.ec2.ec2_client import ec2_client
-from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
-from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 from prowler.providers.aws.services.ec2.ec2_securitygroup_allow_ingress_from_internet_to_all_ports import (
     ec2_securitygroup_allow_ingress_from_internet_to_all_ports,
 )
+from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
+from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 
 
 class ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018(Check):
     def execute(self):
         findings = []
         check_ports = [27017, 27018]
-        for security_group in ec2_client.security_groups:
+        for security_group_arn, security_group in ec2_client.security_groups.items():
             # Check if ignoring flag is set and if the VPC and the SG is in use
             if ec2_client.provider.scan_unused_services or (
                 security_group.vpc_id in vpc_client.vpcs
@@ -22,14 +22,14 @@ def execute(self):
                 report.region = security_group.region
                 report.resource_details = security_group.name
                 report.resource_id = security_group.id
-                report.resource_arn = security_group.arn
+                report.resource_arn = security_group_arn
                 report.resource_tags = security_group.tags
                 report.status = "PASS"
                 report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have MongoDB ports 27017 and 27018 open to the Internet."
                 # only proceed if check "..._to_all_ports" did not run or did not FAIL to avoid to report open ports twice
                 if not ec2_client.is_failed_check(
                     ec2_securitygroup_allow_ingress_from_internet_to_all_ports.__name__,
-                    security_group.arn,
+                    security_group_arn,
                 ):
                     # Loop through every security group's ingress rule and check it
                     for ingress_rule in security_group.ingress_rules:

prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py

@@ -1,17 +1,17 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.ec2.ec2_client import ec2_client
-from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
-from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 from prowler.providers.aws.services.ec2.ec2_securitygroup_allow_ingress_from_internet_to_all_ports import (
     ec2_securitygroup_allow_ingress_from_internet_to_all_ports,
 )
+from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
+from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 
 
 class ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21(Check):
     def execute(self):
         findings = []
         check_ports = [20, 21]
-        for security_group in ec2_client.security_groups:
+        for security_group_arn, security_group in ec2_client.security_groups.items():
             # Check if ignoring flag is set and if the VPC and the SG is in use
             if ec2_client.provider.scan_unused_services or (
                 security_group.vpc_id in vpc_client.vpcs
@@ -24,12 +24,12 @@ def execute(self):
                 report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have FTP ports 20 and 21 open to the Internet."
                 report.resource_details = security_group.name
                 report.resource_id = security_group.id
-                report.resource_arn = security_group.arn
+                report.resource_arn = security_group_arn
                 report.resource_tags = security_group.tags
                 # only proceed if check "..._to_all_ports" did not run or did not FAIL to avoid to report open ports twice
                 if not ec2_client.is_failed_check(
                     ec2_securitygroup_allow_ingress_from_internet_to_all_ports.__name__,
-                    security_group.arn,
+                    security_group_arn,
                 ):
                     # Loop through every security group's ingress rule and check it
                     for ingress_rule in security_group.ingress_rules:

prowler/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22/ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22.py

@@ -1,17 +1,17 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.ec2.ec2_client import ec2_client
-from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
-from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 from prowler.providers.aws.services.ec2.ec2_securitygroup_allow_ingress_from_internet_to_all_ports import (
     ec2_securitygroup_allow_ingress_from_internet_to_all_ports,
 )
+from prowler.providers.aws.services.ec2.lib.security_groups import check_security_group
+from prowler.providers.aws.services.vpc.vpc_client import vpc_client
 
 
 class ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22(Check):
     def execute(self):
         findings = []
         check_ports = [22]
-        for security_group in ec2_client.security_groups:
+        for security_group_arn, security_group in ec2_client.security_groups.items():
             # Check if ignoring flag is set and if the VPC and the SG is in use
             if ec2_client.provider.scan_unused_services or (
                 security_group.vpc_id in vpc_client.vpcs
@@ -24,12 +24,12 @@ def execute(self):
                 report.status_extended = f"Security group {security_group.name} ({security_group.id}) does not have SSH port 22 open to the Internet."
                 report.resource_details = security_group.name
                 report.resource_id = security_group.id
-                report.resource_arn = security_group.arn
+                report.resource_arn = security_group_arn
                 report.resource_tags = security_group.tags
                 # only proceed if check "..._to_all_ports" did not run or did not FAIL to avoid to report open ports twice
                 if not ec2_client.is_failed_check(
                     ec2_securitygroup_allow_ingress_from_internet_to_all_ports.__name__,
-                    security_group.arn,
+                    security_group_arn,
                 ):
                     # Loop through every security group's ingress rule and check it
                     for ingress_rule in security_group.ingress_rules: