From 52406f6df2ee6edb66fe7365e3d288d339383187 Mon Sep 17 00:00:00 2001 From: Prowler Bot Date: Fri, 20 Dec 2024 17:53:15 +0100 Subject: [PATCH] fix(aws): disallow child-accounts to overwrite policy for `ai_services_opt_out` (#6291) --- ...s_opt_out_ai_services_policy.metadata.json | 8 +- ...rganizations_opt_out_ai_services_policy.py | 45 +++-- ...zations_opt_out_ai_services_policy_test.py | 156 ++++++++++++++++-- 3 files changed, 183 insertions(+), 26 deletions(-) diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json index ef3e8c536e1..5df3fe269d1 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.metadata.json @@ -1,25 +1,25 @@ { "Provider": "aws", "CheckID": "organizations_opt_out_ai_services_policy", - "CheckTitle": "Ensure that AWS Organizations opt-out of AI services policy is enabled.", + "CheckTitle": "Ensure that AWS Organizations opt-out of AI services policy is enabled and disallow child-accounts to overwrite this policy.", "CheckType": [], "ServiceName": "organizations", "SubServiceName": "", "ResourceIdTemplate": "arn:partition:service::account-id:organization/organization-id", "Severity": "low", "ResourceType": "Other", - "Description": "This control checks whether the AWS Organizations opt-out of AI services policy is enabled. The control fails if the policy is not enabled.", + "Description": "This control checks whether the AWS Organizations opt-out of AI services policy is enabled and whether child-accounts are disallowed to overwrite this policy. The control fails if the policy is not enabled or if child-accounts are not disallowed to overwrite this policy.", "Risk": "By default, AWS may be using your data to train its AI models. This may include data from your AWS CloudTrail logs, AWS Config rules, and AWS GuardDuty findings. If you opt out of AI services, AWS will not use your data to train its AI models.", "RelatedUrl": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_all.html", "Remediation": { "Code": { - "CLI": "aws organizations enable-policy-type --root-id --policy-type AI_SERVICES_OPT_OUT {'services': {'default': {'opt_out_policy': {'@@assign': 'optOut'}}}}", + "CLI": "", "NativeIaC": "", "Other": "", "Terraform": "" }, "Recommendation": { - "Text": "Artificial Intelligence (AI) services opt-out policies enable you to control whether AWS AI services can store and use your content. Enable the AWS Organizations opt-out of AI services policy.", + "Text": "Artificial Intelligence (AI) services opt-out policies enable you to control whether AWS AI services can store and use your content. Enable the AWS Organizations opt-out of AI services policy and disallow child-accounts to overwrite this policy.", "Url": "https://docs.aws.amazon.com/organizations/latest/userguide/disable-policy-type.html" } }, diff --git a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py index 3894f723eb5..d7aa4db3f75 100644 --- a/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py +++ b/prowler/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py @@ -20,21 +20,42 @@ def execute(self): report.status_extended = ( "AWS Organizations is not in-use for this AWS Account." ) + if organizations_client.organization.status == "ACTIVE": - report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services, granting consent for AWS to access its data." - for policy in organizations_client.organization.policies.get( + all_conditions_passed = False + opt_out_policies = organizations_client.organization.policies.get( "AISERVICES_OPT_OUT_POLICY", [] - ): - if ( - policy.content.get("services", {}) - .get("default", {}) - .get("opt_out_policy", {}) - .get("@@assign") - == "optOut" - ): + ) + + if not opt_out_policies: + report.status_extended = f"AWS Organization {organizations_client.organization.id} has no opt-out policy for AI services." + else: + for policy in opt_out_policies: + opt_out_policy = ( + policy.content.get("services", {}) + .get("default", {}) + .get("opt_out_policy", {}) + ) + + condition_1 = opt_out_policy.get("@@assign") == "optOut" + condition_2 = opt_out_policy.get( + "@@operators_allowed_for_child_policies" + ) == ["@@none"] + + if condition_1 and condition_2: + all_conditions_passed = True + break + + if not condition_1 and not condition_2: + report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services and it does not disallow child-accounts to overwrite the policy." + elif not condition_1: + report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services." + elif not condition_2: + report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services but it does not disallow child-accounts to overwrite the policy." + + if all_conditions_passed: report.status = "PASS" - report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services, not granting consent for AWS to access its data." - break + report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services and also disallows child-accounts to overwrite this policy." findings.append(report) diff --git a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py index a583ac2265c..4a92efc85e8 100644 --- a/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py +++ b/tests/providers/aws/services/organizations/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy_test.py @@ -87,7 +87,7 @@ def test_organization_with_AI_optout_no_policies(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data." + == "AWS Organization o-1234567890 has no opt-out policy for AI services." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -96,7 +96,7 @@ def test_organization_with_AI_optout_no_policies(self): ) assert result[0].region == AWS_REGION_EU_WEST_1 - def test_organization_with_AI_optout_policy(self): + def test_organization_with_AI_optout_policy_complete(self): organizations_client = mock.MagicMock organizations_client.region = AWS_REGION_EU_WEST_1 organizations_client.audited_partition = "aws" @@ -104,6 +104,135 @@ def test_organization_with_AI_optout_policy(self): organizations_client.get_unknown_arn = ( lambda x: f"arn:aws:organizations:{x}:0123456789012:unknown" ) + organizations_client.organization = Organization( + id="o-1234567890", + arn="arn:aws:organizations::1234567890:organization/o-1234567890", + status="ACTIVE", + master_id="1234567890", + policies={ + "AISERVICES_OPT_OUT_POLICY": [ + Policy( + id="p-1234567890", + arn="arn:aws:organizations::1234567890:policy/o-1234567890/p-1234567890", + type="AISERVICES_OPT_OUT_POLICY", + aws_managed=False, + content={ + "services": { + "default": { + "opt_out_policy": { + "@@operators_allowed_for_child_policies": [ + "@@none" + ], + "@@assign": "optOut", + } + } + } + }, + targets=[], + ) + ] + }, + delegated_administrators=None, + ) + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with ( + mock.patch( + "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client", + new=organizations_client, + ), + mock.patch( + "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client.get_unknown_arn", + return_value="arn:aws:organizations:eu-west-1:0123456789012:unknown", + ), + ): + # Test Check + from prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy import ( + organizations_opt_out_ai_services_policy, + ) + + check = organizations_opt_out_ai_services_policy() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "AWS Organization o-1234567890 has opted out of all AI services and also disallows child-accounts to overwrite this policy." + ) + assert result[0].resource_id == "o-1234567890" + assert ( + result[0].resource_arn + == "arn:aws:organizations::1234567890:organization/o-1234567890" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + + def test_organization_with_AI_optout_policy_no_content(self): + organizations_client = mock.MagicMock + organizations_client.region = AWS_REGION_EU_WEST_1 + organizations_client.audited_partition = "aws" + organizations_client.audited_account = "0123456789012" + organizations_client.organization = Organization( + id="o-1234567890", + arn="arn:aws:organizations::1234567890:organization/o-1234567890", + status="ACTIVE", + master_id="1234567890", + policies={ + "AISERVICES_OPT_OUT_POLICY": [ + Policy( + id="p-1234567890", + arn="arn:aws:organizations::1234567890:policy/o-1234567890/p-1234567890", + type="AISERVICES_OPT_OUT_POLICY", + aws_managed=False, + content={}, + targets=[], + ) + ] + }, + delegated_administrators=None, + ) + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ): + with mock.patch( + "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client", + new=organizations_client, + ): + # Test Check + from prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy import ( + organizations_opt_out_ai_services_policy, + ) + + check = organizations_opt_out_ai_services_policy() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "AWS Organization o-1234567890 has not opted out of all AI services and it does not disallow child-accounts to overwrite the policy." + ) + assert result[0].resource_id == "o-1234567890" + assert ( + result[0].resource_arn + == "arn:aws:organizations::1234567890:organization/o-1234567890" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + + def test_organization_with_AI_optout_policy_no_disallow(self): + organizations_client = mock.MagicMock + organizations_client.region = AWS_REGION_EU_WEST_1 + organizations_client.audited_partition = "aws" + organizations_client.audited_account = "0123456789012" organizations_client.organization = Organization( id="o-1234567890", arn="arn:aws:organizations::1234567890:organization/o-1234567890", @@ -137,9 +266,6 @@ def test_organization_with_AI_optout_policy(self): with mock.patch( "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client", new=organizations_client, - ), mock.patch( - "prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy.organizations_client.get_unknown_arn", - return_value="arn:aws:organizations:eu-west-1:0123456789012:unknown", ): # Test Check from prowler.providers.aws.services.organizations.organizations_opt_out_ai_services_policy.organizations_opt_out_ai_services_policy import ( @@ -150,10 +276,10 @@ def test_organization_with_AI_optout_policy(self): result = check.execute() assert len(result) == 1 - assert result[0].status == "PASS" + assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has opted out of all AI services, not granting consent for AWS to access its data." + == "AWS Organization o-1234567890 has opted out of all AI services but it does not disallow child-accounts to overwrite the policy." ) assert result[0].resource_id == "o-1234567890" assert ( @@ -162,7 +288,7 @@ def test_organization_with_AI_optout_policy(self): ) assert result[0].region == AWS_REGION_EU_WEST_1 - def test_organization_with_AI_optout_policy_no_content(self): + def test_organization_with_AI_optout_policy_no_opt_out(self): organizations_client = mock.MagicMock organizations_client.region = AWS_REGION_EU_WEST_1 organizations_client.audited_partition = "aws" @@ -179,7 +305,17 @@ def test_organization_with_AI_optout_policy_no_content(self): arn="arn:aws:organizations::1234567890:policy/o-1234567890/p-1234567890", type="AISERVICES_OPT_OUT_POLICY", aws_managed=False, - content={}, + content={ + "services": { + "default": { + "opt_out_policy": { + "@@operators_allowed_for_child_policies": [ + "@@none" + ] + } + } + } + }, targets=[], ) ] @@ -209,7 +345,7 @@ def test_organization_with_AI_optout_policy_no_content(self): assert result[0].status == "FAIL" assert ( result[0].status_extended - == "AWS Organization o-1234567890 has not opted out of all AI services, granting consent for AWS to access its data." + == "AWS Organization o-1234567890 has not opted out of all AI services." ) assert result[0].resource_id == "o-1234567890" assert (