github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudtrail/no_public_log_access.go (about)

     1  package cloudtrail
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     8  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  )
    11  
    12  var checkNoPublicLogAccess = rules.Register(
    13  	scan.Rule{
    14  		AVDID:     "AVD-AWS-0161",
    15  		Provider:  providers.AWSProvider,
    16  		Service:   "cloudtrail",
    17  		ShortCode: "no-public-log-access",
    18  		Frameworks: map[framework.Framework][]string{
    19  			framework.Default:     nil,
    20  			framework.CIS_AWS_1_2: {"2.3"},
    21  			framework.CIS_AWS_1_4: {"3.3"},
    22  		},
    23  		Summary:    "The S3 Bucket backing Cloudtrail should be private",
    24  		Impact:     "CloudTrail logs will be publicly exposed, potentially containing sensitive information",
    25  		Resolution: "Restrict public access to the S3 bucket",
    26  		Explanation: `
    27  CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.
    28  `,
    29  		Links: []string{
    30  			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html",
    31  		},
    32  		Terraform: &scan.EngineMetadata{
    33  			GoodExamples:        terraformNoPublicLogAccessGoodExamples,
    34  			BadExamples:         terraformNoPublicLogAccessBadExamples,
    35  			Links:               terraformNoPublicLogAccessLinks,
    36  			RemediationMarkdown: terraformNoPublicLogAccessRemediationMarkdown,
    37  		},
    38  		CloudFormation: &scan.EngineMetadata{
    39  			GoodExamples:        cloudFormationNoPublicLogAccessGoodExamples,
    40  			BadExamples:         cloudFormationNoPublicLogAccessBadExamples,
    41  			Links:               cloudFormationNoPublicLogAccessLinks,
    42  			RemediationMarkdown: cloudFormationNoPublicLogAccessRemediationMarkdown,
    43  		},
    44  		Severity: severity.Critical,
    45  	},
    46  	func(s *state.State) (results scan.Results) {
    47  		for _, trail := range s.AWS.CloudTrail.Trails {
    48  			if trail.BucketName.IsNotEmpty() {
    49  				for _, bucket := range s.AWS.S3.Buckets {
    50  					if bucket.Name.EqualTo(trail.BucketName.Value()) {
    51  						if bucket.HasPublicExposureACL() {
    52  							results.Add("Trail S3 bucket is publicly exposed", &bucket)
    53  						} else {
    54  							results.AddPassed(&bucket)
    55  						}
    56  					}
    57  				}
    58  			}
    59  		}
    60  		return
    61  	},
    62  )