
     1  package athena
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/athena"
     7  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     8  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  )
    11  
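// CheckEnableAtRestEncryption is the AVD-AWS-0006 rule: it reports Athena
// workgroups and databases whose Encryption.Type equals
// athena.EncryptionTypeNone. Resources whose Metadata reports unmanaged are
// skipped entirely; any managed resource with a different encryption type is
// recorded as passed. Only Encryption.Type is inspected here, so any non-None
// type counts as encrypted.
var CheckEnableAtRestEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0006",
		Provider:    providers.AWSProvider,
		Service:     "athena",
		ShortCode:   "enable-at-rest-encryption",
		Summary:     "Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted",
		Impact:      "Data can be read if the Athena Database is compromised",
		Resolution:  "Enable encryption at rest for Athena databases and workgroup configurations",
		Explanation: `Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.`,
		Links: []string{
			"https://docs.aws.amazon.com/athena/latest/ug/encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
			Links:               terraformEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAtRestEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableAtRestEncryptionBadExamples,
			Links:               cloudFormationEnableAtRestEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// The check walks s.AWS.Athena.Workgroups and s.AWS.Athena.Databases and
	// returns one failed or passed result per managed resource.
	func(s *state.State) (results scan.Results) {
		for _, workgroup := range s.AWS.Athena.Workgroups {
			// Shadow the range variable: AddPassed below receives a pointer to
			// it, and before Go 1.22 one variable is reused for every
			// iteration, so a retained pointer would alias the last element.
			// Harmless if the callee does not retain it; correct if it does.
			workgroup := workgroup
			if workgroup.Metadata.IsUnmanaged() {
				continue
			}
			if workgroup.Encryption.Type.EqualTo(athena.EncryptionTypeNone) {
				results.Add(
					"Workgroup does not have encryption configured.",
					workgroup.Encryption.Type,
				)
				continue
			}
			results.AddPassed(&workgroup)
		}
		for _, database := range s.AWS.Athena.Databases {
			// Same per-iteration copy as for workgroups, for the same reason.
			database := database
			if database.Metadata.IsUnmanaged() {
				continue
			}
			if database.Encryption.Type.EqualTo(athena.EncryptionTypeNone) {
				results.Add(
					"Database does not have encryption configured.",
					database.Encryption.Type,
				)
				continue
			}
			results.AddPassed(&database)
		}
		return
	},
)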