package documentdb

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/documentdb"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckEnableLogExport registers AVD-AWS-0020: every DocumentDB cluster in
// the scanned state must export at least one of the CloudWatch "audit" or
// "profiler" log types. A cluster exporting either type is recorded as
// passed; a cluster exporting neither produces a Medium-severity finding.
var CheckEnableLogExport = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0020",
		Provider:    providers.AWSProvider,
		Service:     "documentdb",
		ShortCode:   "enable-log-export",
		Summary:     "DocumentDB logs export should be enabled",
		Impact:      "Limited visibility of audit trail for changes to the DocumentDB",
		Resolution:  "Enable export logs",
		Explanation: `Document DB does not have auditing by default. To ensure that you are able to accurately audit the usage of your DocumentDB cluster you should enable export logs.`,
		Links: []string{
			"https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableLogExportGoodExamples,
			BadExamples:         terraformEnableLogExportBadExamples,
			Links:               terraformEnableLogExportLinks,
			RemediationMarkdown: terraformEnableLogExportRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableLogExportGoodExamples,
			BadExamples:         cloudFormationEnableLogExportBadExamples,
			Links:               cloudFormationEnableLogExportLinks,
			RemediationMarkdown: cloudFormationEnableLogExportRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// The check body: one result (pass or fail) per DocumentDB cluster.
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.DocumentDB.Clusters {
			auditEnabled := false
			profilerEnabled := false

			// Scan the configured export list once, noting which of the two
			// log types of interest are present.
			for _, export := range cluster.EnabledLogExports {
				switch {
				case export.EqualTo(documentdb.LogExportAudit):
					auditEnabled = true
				case export.EqualTo(documentdb.LogExportProfiler):
					profilerEnabled = true
				}
			}

			// Either log type satisfies the rule; only the absence of both
			// is reported.
			if auditEnabled || profilerEnabled {
				results.AddPassed(&cluster)
				continue
			}
			results.Add(
				"Neither CloudWatch audit nor profiler log exports are enabled.",
				&cluster,
			)
		}
		return
	},
)