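package eks

import (
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/eks"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// Control-plane log types as AWS spells them in
// AWS::EKS::Cluster -> Logging.ClusterLogging.EnabledTypes[].Type.
const (
	logTypeAPI               = "api"
	logTypeAudit             = "audit"
	logTypeAuthenticator     = "authenticator"
	logTypeControllerManager = "controllerManager"
	logTypeScheduler         = "scheduler"
)

// defaultPublicAccessCIDR is the CIDR AWS applies to a public EKS API endpoint
// when the template lists no PublicAccessCidrs: the endpoint is open to the
// whole internet. Surfacing it lets the public-endpoint checks fire on
// templates that simply omitted the property.
const defaultPublicAccessCIDR = "0.0.0.0/0"

// getClusters adapts every AWS::EKS::Cluster resource in ctx into the
// provider-neutral eks.Cluster model the EKS checks run against.
//
// The previous adapter marked control-plane logging and API endpoint access as
// unresolvable, citing a CloudFormation gap that has since closed: the
// resource schema now carries Logging.ClusterLogging.EnabledTypes and
// ResourcesVpcConfig.EndpointPublicAccess / PublicAccessCidrs, so the
// corresponding checks silently never fired on CloudFormation input. Those
// properties are now read from the template.
func getClusters(ctx parser.FileContext) (clusters []eks.Cluster) {
	for _, r := range ctx.GetResourcesByType("AWS::EKS::Cluster") {
		publicAccess, publicCIDRs := getEndpointAccess(r)
		clusters = append(clusters, eks.Cluster{
			Metadata:            r.Metadata(),
			Logging:             getLogging(r),
			Encryption:          getEncryptionConfig(r),
			PublicAccessEnabled: publicAccess,
			PublicAccessCIDRs:   publicCIDRs,
		})
	}
	return clusters
}

// getLogging reads Logging.ClusterLogging.EnabledTypes and enables exactly the
// log types the template lists. Every type defaults to disabled, which is the
// EKS behaviour when no logging configuration is supplied.
func getLogging(r *parser.Resource) eks.Logging {
	meta := r.Metadata()
	loggingProp := r.GetProperty("Logging")
	if loggingProp.IsNotNil() {
		meta = loggingProp.Metadata()
	}

	logging := eks.Logging{
		Metadata:          meta,
		API:               defsecTypes.BoolDefault(false, meta),
		Audit:             defsecTypes.BoolDefault(false, meta),
		Authenticator:     defsecTypes.BoolDefault(false, meta),
		ControllerManager: defsecTypes.BoolDefault(false, meta),
		Scheduler:         defsecTypes.BoolDefault(false, meta),
	}
	if loggingProp.IsNil() {
		return logging
	}

	enabledTypes := loggingProp.GetProperty("ClusterLogging.EnabledTypes")
	if !enabledTypes.IsList() {
		return logging
	}
	for _, entry := range enabledTypes.AsList() {
		enabled := defsecTypes.Bool(true, entry.Metadata())
		// Type values are case-sensitive in the AWS schema; an unknown value is
		// ignored rather than guessed at.
		switch entry.GetStringProperty("Type").Value() {
		case logTypeAPI:
			logging.API = enabled
		case logTypeAudit:
			logging.Audit = enabled
		case logTypeAuthenticator:
			logging.Authenticator = enabled
		case logTypeControllerManager:
			logging.ControllerManager = enabled
		case logTypeScheduler:
			logging.Scheduler = enabled
		}
	}
	return logging
}

// getEndpointAccess reads ResourcesVpcConfig.EndpointPublicAccess and
// ResourcesVpcConfig.PublicAccessCidrs.
//
// EndpointPublicAccess defaults to true, matching AWS: an EKS cluster whose
// template says nothing about endpoint access gets a public API endpoint. When
// the endpoint is public and no CIDRs are listed, AWS's own default of
// 0.0.0.0/0 is reported so the CIDR checks see the real exposure. A private
// endpoint returns no CIDRs, since AWS ignores the list in that case.
func getEndpointAccess(r *parser.Resource) (defsecTypes.BoolValue, []defsecTypes.StringValue) {
	vpcConfig := r.GetProperty("ResourcesVpcConfig")
	meta := r.Metadata()
	if vpcConfig.IsNotNil() {
		meta = vpcConfig.Metadata()
	}

	publicAccess := r.GetBoolProperty("ResourcesVpcConfig.EndpointPublicAccess", true)
	if publicAccess.IsFalse() {
		return publicAccess, nil
	}

	var cidrs []defsecTypes.StringValue
	if vpcConfig.IsNotNil() {
		if cidrsProp := vpcConfig.GetProperty("PublicAccessCidrs"); cidrsProp.IsList() {
			for _, cidr := range cidrsProp.AsList() {
				cidrs = append(cidrs, cidr.AsStringValue())
			}
		}
	}
	if len(cidrs) == 0 {
		cidrs = []defsecTypes.StringValue{defsecTypes.StringDefault(defaultPublicAccessCIDR, meta)}
	}
	return publicAccess, cidrs
}

// getEncryptionConfig reads the cluster's secrets-encryption settings.
//
// In the CloudFormation schema EncryptionConfig is a *list* of
// {Provider: {KeyArn}, Resources: [...]} objects. The previous adapter looked
// up Provider.KeyArn and Resources directly on the list, so a correctly written
// template was reported as having no secrets encryption. Each list entry is now
// inspected; a bare object (the shape the old code expected) is still accepted
// so templates that happened to pass before keep the same result.
func getEncryptionConfig(r *parser.Resource) eks.Encryption {
	encryption := eks.Encryption{
		Metadata: r.Metadata(),
		Secrets:  defsecTypes.BoolDefault(false, r.Metadata()),
		KMSKeyID: defsecTypes.StringDefault("", r.Metadata()),
	}

	encProp := r.GetProperty("EncryptionConfig")
	if encProp.IsNil() {
		return encryption
	}
	encryption.Metadata = encProp.Metadata()

	entries := []*parser.Property{encProp}
	if encProp.IsList() {
		entries = encProp.AsList()
	}
	for _, entry := range entries {
		// Keep whichever entry names a key; EKS only supports one provider today.
		if key := entry.GetStringProperty("Provider.KeyArn"); key.Value() != "" {
			encryption.KMSKeyID = key
		}
		resourcesProp := entry.GetProperty("Resources")
		if resourcesProp.IsList() && resourcesProp.Contains("secrets") {
			encryption.Secrets = defsecTypes.Bool(true, resourcesProp.Metadata())
		}
	}
	return encryption
}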