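package dynamodb

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckEnableAtRestEncryption is rule AVD-AWS-0023. It walks every managed DAX
// cluster and DynamoDB table in the scanned state and reports each one whose
// server-side encryption is explicitly disabled; everything else is recorded as
// passed. Resources flagged as unmanaged by their Metadata are skipped.
var CheckEnableAtRestEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0023",
		Provider:    providers.AWSProvider,
		Service:     "dynamodb",
		ShortCode:   "enable-at-rest-encryption",
		Summary:     "DAX Cluster and tables should always encrypt data at rest",
		Impact:      "Data can be freely read if compromised",
		Resolution:  "Enable encryption at rest for DAX Cluster",
		Explanation: `Amazon DynamoDB Accelerator (DAX) and table encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html",
			"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dax-cluster.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
			Links:               terraformEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAtRestEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableAtRestEncryptionBadExamples,
			Links:               cloudFormationEnableAtRestEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// The check itself: one pass over DAX clusters, one over tables. Each
	// finding carries the Enabled value so the report points at the exact
	// attribute (and its source location) that needs changing.
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.DynamoDB.DAXClusters {
			if cluster.Metadata.IsUnmanaged() {
				continue
			}
			// Only an explicit false is a failure; any other value falls
			// through to AddPassed. NOTE(review): confirm IsFalse() reports
			// false for unresolvable values so unknowns are not silently passed.
			if cluster.ServerSideEncryption.Enabled.IsFalse() {
				// The finding names the resource kind: this loop reports
				// DAX clusters, not tables.
				results.Add(
					"DAX cluster encryption is not enabled.",
					cluster.ServerSideEncryption.Enabled,
				)
			} else {
				// &cluster is the address of the loop variable; this is fine
				// as long as AddPassed does not retain the pointer.
				// NOTE(review): confirm, or copy per iteration under pre-1.22 semantics.
				results.AddPassed(&cluster)
			}
		}
		for _, table := range s.AWS.DynamoDB.Tables {
			if table.Metadata.IsUnmanaged() {
				continue
			}
			if table.ServerSideEncryption.Enabled.IsFalse() {
				results.Add(
					"Table encryption is not enabled.",
					table.ServerSideEncryption.Enabled,
				)
			} else {
				results.AddPassed(&table)
			}
		}
		return
	},
)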