diff --git a/prowler/providers/aws/services/fsx/fsx_service.py b/prowler/providers/aws/services/fsx/fsx_service.py index 06c2763ad4..7366204eca 100644 --- a/prowler/providers/aws/services/fsx/fsx_service.py +++ b/prowler/providers/aws/services/fsx/fsx_service.py @@ -51,6 +51,7 @@ def _describe_file_systems(self, regional_client): type=file_system["FileSystemType"], copy_tags_to_backups=copy_tags_to_backups_aux, copy_tags_to_volumes=copy_tags_to_volumes_aux, + subnet_ids=file_system.get("SubnetIds", []), region=regional_client.region, tags=file_system.get("Tags", []), ) @@ -67,4 +68,5 @@ class FileSystem(BaseModel): type: str copy_tags_to_backups: Optional[bool] copy_tags_to_volumes: Optional[bool] + subnet_ids: Optional[list] = [] tags: Optional[list] = [] diff --git a/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/__init__.py b/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json b/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json new file mode 100644 index 0000000000..633021a0cc --- /dev/null +++ b/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.metadata.json @@ -0,0 +1,32 @@ +{ + "Provider": "aws", + "CheckID": "fsx_windows_file_system_multi_az_enabled", + "CheckTitle": "Check if FSx Windows file systems are configured with Multi-AZ.", + "CheckType": [], + "ServiceName": "fsx", + "SubServiceName": "", + "ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}", + "Severity": "low", + "ResourceType": "AwsFSxFileSystem", + "Description": "Check if FSx Windows file systems are configured with Multi-AZ. The control fails if this configuration isn't enabled.", + "Risk": "Relative to Single-AZ deployment, Multi-AZ deployments provide enhanced durability by further replicating data across AZs, and enhanced availability during planned system maintenance and unplanned service disruption by failing over automatically to the standby AZ. This allows you to continue accessing your data, and helps to protect your data against instance failure and AZ disruption.", + "RelatedUrl": "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html", + "Remediation": { + "Code": { + "CLI": "", + "NativeIaC": "", + "Other": "", + "Terraform": "" + }, + "Recommendation": { + "Text": "Configure your FSx Windows file system to be highly available with ENIs in Multiple AZs.", + "Url": "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/high-availability-multiAZ.html" + } + }, + "Categories": [ + "redundancy" + ], + "DependsOn": [], + "RelatedTo": [], + "Notes": "" +} diff --git a/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py b/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py new file mode 100644 index 0000000000..f0c6c3990f --- /dev/null +++ b/prowler/providers/aws/services/fsx/fsx_windows_file_system_multi_az_enabled/fsx_windows_file_system_multi_az_enabled.py @@ -0,0 +1,25 @@ +from prowler.lib.check.models import Check, Check_Report_AWS +from prowler.providers.aws.services.fsx.fsx_client import fsx_client + + +class fsx_windows_file_system_multi_az_enabled(Check): + def execute(self): + findings = [] + for file_system in fsx_client.file_systems.values(): + if file_system.type == "WINDOWS": + report = Check_Report_AWS(self.metadata()) + report.region = file_system.region + report.resource_id = file_system.id + report.resource_arn = file_system.arn + report.resource_tags = file_system.tags + if len(file_system.subnet_ids) > 1: + report.status = "PASS" + report.status_extended = f"FSx Windows file system {file_system.id} is configured for Multi-AZ deployment." + + else: + report.status = "FAIL" + report.status_extended = f"FSx Windows file system {file_system.id} is not configured for Multi-AZ deployment." + + findings.append(report) + + return findings diff --git a/tests/providers/aws/services/fsx/fsx_file_system_multi_az_enabled/fsx_file_system_multi_az_enabled_test.py b/tests/providers/aws/services/fsx/fsx_file_system_multi_az_enabled/fsx_file_system_multi_az_enabled_test.py new file mode 100644 index 0000000000..a4b6bdf000 --- /dev/null +++ b/tests/providers/aws/services/fsx/fsx_file_system_multi_az_enabled/fsx_file_system_multi_az_enabled_test.py @@ -0,0 +1,144 @@ +from unittest import mock + +from boto3 import client +from moto import mock_aws + +from prowler.providers.aws.services.fsx.fsx_service import FSx +from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider + + +class Test_fsx_windows_file_system_multi_az: + @mock_aws + def test_fsx_no_file_system(self): + client("fsx", region_name=AWS_REGION_EU_WEST_1) + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), mock.patch( + "prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled.fsx_client", + new=FSx(aws_provider), + ): + from prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled import ( + fsx_windows_file_system_multi_az_enabled, + ) + + check = fsx_windows_file_system_multi_az_enabled() + result = check.execute() + assert len(result) == 0 + + @mock_aws + def test_fsx_file_system_not_windows(self): + fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) + fsx_client.create_file_system( + FileSystemType="LUSTRE", + StorageCapacity=1200, + LustreConfiguration={"CopyTagsToBackups": True}, + Tags=[{"Key": "Name", "Value": "Test"}], + SubnetIds=["subnet-12345678"], + ) + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), mock.patch( + "prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled.fsx_client", + new=FSx(aws_provider), + ): + from prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled import ( + fsx_windows_file_system_multi_az_enabled, + ) + + check = fsx_windows_file_system_multi_az_enabled() + result = check.execute() + assert len(result) == 0 + + @mock_aws + def test_fsx_windows_not_multi_az(self): + fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) + file_system = fsx_client.create_file_system( + FileSystemType="WINDOWS", + StorageCapacity=1200, + OpenZFSConfiguration={ + "CopyTagsToVolumes": False, + "DeploymentType": "SINGLE_AZ_1", + "ThroughputCapacity": 12, + }, + Tags=[{"Key": "Name", "Value": "Test"}], + SubnetIds=["subnet-12345678"], + ) + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), mock.patch( + "prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled.fsx_client", + new=FSx(aws_provider), + ): + from prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled import ( + fsx_windows_file_system_multi_az_enabled, + ) + + check = fsx_windows_file_system_multi_az_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"FSx Windows file system {file_system['FileSystem']['FileSystemId']} is not configured for Multi-AZ deployment." + ) + assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"] + assert ( + result[0].resource_arn + == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 + + @mock_aws + def test_fsx_windows_multi_az(self): + fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) + file_system = fsx_client.create_file_system( + FileSystemType="WINDOWS", + StorageCapacity=1200, + OpenZFSConfiguration={ + "CopyTagsToVolumes": True, + "DeploymentType": "MULTI_AZ_1", + "ThroughputCapacity": 12, + }, + Tags=[{"Key": "Name", "Value": "Test"}], + SubnetIds=["subnet-12345678", "subnet-12345670"], + ) + + aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=aws_provider, + ), mock.patch( + "prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled.fsx_client", + new=FSx(aws_provider), + ): + from prowler.providers.aws.services.fsx.fsx_windows_file_system_multi_az_enabled.fsx_windows_file_system_multi_az_enabled import ( + fsx_windows_file_system_multi_az_enabled, + ) + + check = fsx_windows_file_system_multi_az_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"FSx Windows file system {file_system['FileSystem']['FileSystemId']} is configured for Multi-AZ deployment." + ) + assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"] + assert ( + result[0].resource_arn + == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}" + ) + assert result[0].region == AWS_REGION_EU_WEST_1 diff --git a/tests/providers/aws/services/fsx/fsx_service_test.py b/tests/providers/aws/services/fsx/fsx_service_test.py index 6c44014556..6d31ed363d 100644 --- a/tests/providers/aws/services/fsx/fsx_service_test.py +++ b/tests/providers/aws/services/fsx/fsx_service_test.py @@ -56,7 +56,7 @@ def test_describe_file_systems(self): StorageCapacity=1200, LustreConfiguration={"CopyTagsToBackups": True}, Tags=[{"Key": "Name", "Value": "Test"}], - SubnetIds=["subnet-12345678"], + SubnetIds=["subnet-12345678", "subnet-12345670"], ) arn = f"arn:aws:fsx:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:file-system/{file_system['FileSystem']['FileSystemId']}" aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1]) @@ -67,3 +67,6 @@ def test_describe_file_systems(self): assert fsx.file_systems[arn].copy_tags_to_backups assert fsx.file_systems[arn].region == AWS_REGION_US_EAST_1 assert fsx.file_systems[arn].tags == [{"Key": "Name", "Value": "Test"}] + assert ( + fsx.file_systems[arn].subnet_ids == file_system["FileSystem"]["SubnetIds"] + )