github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/cloudwatch/log_group_customer_key.go (about) 1 package cloudwatch 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckLogGroupCustomerKey = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AWS-0017", 14 Provider: providers.AWSProvider, 15 Service: "cloudwatch", 16 ShortCode: "log-group-customer-key", 17 Summary: "CloudWatch log groups should be encrypted using CMK", 18 Impact: "Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.", 19 Resolution: "Enable CMK encryption of CloudWatch Log Groups", 20 Explanation: `CloudWatch log groups are encrypted by default, however, to get the full benefit of controlling key rotation and other KMS aspects a KMS CMK should be used.`, 21 Links: []string{ 22 "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformLogGroupCustomerKeyGoodExamples, 26 BadExamples: terraformLogGroupCustomerKeyBadExamples, 27 Links: terraformLogGroupCustomerKeyLinks, 28 RemediationMarkdown: terraformLogGroupCustomerKeyRemediationMarkdown, 29 }, 30 CloudFormation: &scan.EngineMetadata{ 31 GoodExamples: cloudFormationLogGroupCustomerKeyGoodExamples, 32 BadExamples: cloudFormationLogGroupCustomerKeyBadExamples, 33 Links: cloudFormationLogGroupCustomerKeyLinks, 34 RemediationMarkdown: cloudFormationLogGroupCustomerKeyRemediationMarkdown, 35 }, 36 Severity: severity.Low, 37 }, 38 func(s *state.State) (results scan.Results) { 39 for _, group := range s.AWS.CloudWatch.LogGroups { 40 if group.KMSKeyID.IsEmpty() { 41 results.Add( 42 "Log group is not encrypted.", 43 group.KMSKeyID, 44 ) 45 } else { 46 results.AddPassed(&group) 47 } 48 } 49 return 50 }, 51 )