github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/documentdb/encryption_customer_key.go (about)

     1  package documentdb
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckEncryptionCustomerKey = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0022",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "documentdb",
    16  		ShortCode:   "encryption-customer-key",
    17  		Summary:     "DocumentDB encryption should use Customer Managed Keys",
    18  		Impact:      "Using AWS managed keys does not allow for fine grained control",
    19  		Resolution:  "Enable encryption using customer managed keys",
    20  		Explanation: `Encryption using AWS keys provides protection for your DocumentDB underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys.`,
    21  		Links:       []string{"https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.public-key.html"},
    22  		Terraform: &scan.EngineMetadata{
    23  			GoodExamples:        terraformEncryptionCustomerKeyGoodExamples,
    24  			BadExamples:         terraformEncryptionCustomerKeyBadExamples,
    25  			Links:               terraformEncryptionCustomerKeyLinks,
    26  			RemediationMarkdown: terraformEncryptionCustomerKeyRemediationMarkdown,
    27  		},
    28  		CloudFormation: &scan.EngineMetadata{
    29  			GoodExamples:        cloudFormationEncryptionCustomerKeyGoodExamples,
    30  			BadExamples:         cloudFormationEncryptionCustomerKeyBadExamples,
    31  			Links:               cloudFormationEncryptionCustomerKeyLinks,
    32  			RemediationMarkdown: cloudFormationEncryptionCustomerKeyRemediationMarkdown,
    33  		},
    34  		Severity: severity.Low,
    35  	},
    36  	func(s *state.State) (results scan.Results) {
    37  		for _, cluster := range s.AWS.DocumentDB.Clusters {
    38  			if cluster.Metadata.IsManaged() && cluster.KMSKeyID.IsEmpty() {
    39  				results.Add(
    40  					"Cluster encryption does not use a customer-managed KMS key.",
    41  					cluster.KMSKeyID,
    42  				)
    43  			} else {
    44  				results.AddPassed(&cluster)
    45  			}
    46  			for _, instance := range cluster.Instances {
    47  				if instance.Metadata.IsUnmanaged() {
    48  					continue
    49  				}
    50  				if instance.KMSKeyID.IsEmpty() {
    51  					results.Add(
    52  						"Instance encryption does not use a customer-managed KMS key.",
    53  						instance.KMSKeyID,
    54  					)
    55  				} else {
    56  					results.AddPassed(&cluster)
    57  				}
    58  
    59  			}
    60  		}
    61  		return
    62  	},
    63  )