
     1  package config
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
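// CheckAggregateAllRegions reports an AWS Config configuration aggregator whose
// source is not set to cover all regions (AVD-AWS-0019). The check is skipped
// entirely when the aggregator is unmanaged, i.e. absent from the scanned input.
var CheckAggregateAllRegions = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0019",
		Provider:   providers.AWSProvider,
		Service:    "config",
		ShortCode:  "aggregate-all-regions",
		Summary:    "Config configuration aggregator should be using all regions for source",
		// Typo fix in the user-facing impact text ("include" -> "included").
		Impact:     "Sources that aren't covered by the aggregator are not included in the configuration",
		Resolution: "Set the aggregator to cover all regions",
		Explanation: `The configuration aggregator should be configured with all_regions for the source. 

This will help limit the risk of any unmonitored configuration in regions that are thought to be unused.`,
		Links: []string{
			"https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAggregateAllRegionsGoodExamples,
			BadExamples:         terraformAggregateAllRegionsBadExamples,
			Links:               terraformAggregateAllRegionsLinks,
			RemediationMarkdown: terraformAggregateAllRegionsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationAggregateAllRegionsGoodExamples,
			BadExamples:         cloudFormationAggregateAllRegionsBadExamples,
			Links:               cloudFormationAggregateAllRegionsLinks,
			RemediationMarkdown: cloudFormationAggregateAllRegionsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluates the single aggregator held in the AWS Config state and returns
	// one failed or one passed result for its SourceAllRegions attribute.
	func(s *state.State) (results scan.Results) {
		aggregator := s.AWS.Config.ConfigurationAggregrator

		// Nothing to evaluate when no aggregator is defined in the scanned input.
		if aggregator.Metadata.IsUnmanaged() {
			return
		}

		// Only an explicit false is reported. NOTE(review): a value that cannot be
		// resolved (e.g. taken from an unset variable) presumably does not satisfy
		// IsFalse() and therefore lands in the passed branch — confirm that is the
		// intended default for this rule, since it silently passes unknown input.
		if aggregator.SourceAllRegions.IsFalse() {
			results.Add(
				"Configuration aggregation is not set to source from all regions.",
				aggregator.SourceAllRegions,
			)
			return
		}
		results.AddPassed(aggregator.SourceAllRegions)
		return
	},
)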