github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/documentdb/enable_storage_encryption.go (about) 1 package documentdb 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckEnableStorageEncryption = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AWS-0021", 14 Provider: providers.AWSProvider, 15 Service: "documentdb", 16 ShortCode: "enable-storage-encryption", 17 Summary: "DocumentDB storage must be encrypted", 18 Impact: "Unencrypted sensitive data is vulnerable to compromise.", 19 Resolution: "Enable storage encryption", 20 Explanation: `Encryption of the underlying storage used by DocumentDB ensures that if their is compromise of the disks, the data is still protected.`, 21 Links: []string{"https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html"}, 22 Terraform: &scan.EngineMetadata{ 23 GoodExamples: terraformEnableStorageEncryptionGoodExamples, 24 BadExamples: terraformEnableStorageEncryptionBadExamples, 25 Links: terraformEnableStorageEncryptionLinks, 26 RemediationMarkdown: terraformEnableStorageEncryptionRemediationMarkdown, 27 }, 28 CloudFormation: &scan.EngineMetadata{ 29 GoodExamples: cloudFormationEnableStorageEncryptionGoodExamples, 30 BadExamples: cloudFormationEnableStorageEncryptionBadExamples, 31 Links: cloudFormationEnableStorageEncryptionLinks, 32 RemediationMarkdown: cloudFormationEnableStorageEncryptionRemediationMarkdown, 33 }, 34 Severity: severity.High, 35 }, 36 func(s *state.State) (results scan.Results) { 37 for _, cluster := range s.AWS.DocumentDB.Clusters { 38 if cluster.StorageEncrypted.IsFalse() { 39 results.Add( 40 "Cluster storage does not have encryption enabled.", 41 cluster.StorageEncrypted, 42 ) 43 } else { 44 results.AddPassed(&cluster) 45 } 46 } 47 return 48 }, 49 )