github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudtrail/enable_at_rest_encryption.go (about)

     1  package cloudtrail
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
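// CheckEnableAtRestEncryption (AVD-AWS-0015) flags every CloudTrail trail in
// the scanned state that does not reference a KMS key for its log files.
//
// What the check proves, and what it does not:
//   - A trail fails when its KMSKeyID is empty; any non-empty key reference
//     passes. The check does not verify that the referenced key exists, is
//     enabled, is customer-managed, or carries a key policy that restricts
//     who can decrypt the logs — those belong to a separate KMS rule.
//   - NOTE(review): the linked AWS guide covers SSE-KMS for CloudTrail log
//     files. CloudTrail delivers logs to S3, where S3 applies its own default
//     server-side encryption, so the finding text "Trail is not encrypted."
//     is somewhat stronger than what is detected: the missing control is a
//     KMS key (and the key-policy/audit benefits that come with it).
//
// Results are anchored on the KMSKeyID attribute for failures so the finding
// points at the missing kms_key_id rather than the whole trail resource.
var CheckEnableAtRestEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0015",
		Provider:    providers.AWSProvider,
		Service:     "cloudtrail",
		ShortCode:   "enable-at-rest-encryption",
		Summary:     "Cloudtrail should be encrypted at rest to secure access to sensitive trail data",
		Impact:      "Data can be freely read if compromised",
		Resolution:  "Enable encryption at rest",
		Explanation: `Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the account through API calls and would be one of the first places to look when reacting to a breach.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
			Links:               terraformEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAtRestEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableAtRestEncryptionBadExamples,
			Links:               cloudFormationEnableAtRestEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate every trail in the state; one result per trail, pass or fail.
	func(s *state.State) (results scan.Results) {
		for _, trail := range s.AWS.CloudTrail.Trails {
			// Shadow the loop variable before taking its address: before
			// Go 1.22 a single variable is reused across iterations, so a
			// retained &trail would alias whichever trail came last.
			trail := trail

			// KMSKeyID is the only attribute inspected. An empty value means
			// no SSE-KMS key is configured for the trail's log files.
			if trail.KMSKeyID.IsEmpty() {
				results.Add(
					"Trail is not encrypted.",
					trail.KMSKeyID,
				)
				continue
			}
			results.AddPassed(&trail)
		}
		return results
	},
)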