package dynamodb

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckEnableRecovery registers rule AVD-AWS-0024. The check walks the DAX
// clusters and the tables held in the AWS DynamoDB state and reports every
// managed resource whose PointInTimeRecovery value is false. Resources whose
// metadata is unmanaged are skipped and produce neither a finding nor a pass.
var CheckEnableRecovery = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0024",
		Provider:    providers.AWSProvider,
		Service:     "dynamodb",
		ShortCode:   "enable-recovery",
		Summary:     "Point in time recovery should be enabled to protect DynamoDB table",
		Impact:      "Accidental or malicious writes and deletes can't be rolled back",
		Resolution:  "Enable point in time recovery",
		Explanation: `DynamoDB tables should be protected against accidentally or malicious write/delete actions by ensuring that there is adequate protection.

By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableRecoveryGoodExamples,
			BadExamples:         terraformEnableRecoveryBadExamples,
			Links:               terraformEnableRecoveryLinks,
			RemediationMarkdown: terraformEnableRecoveryRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) scan.Results {
		var results scan.Results

		// Only an explicit false is a finding; every other outcome of
		// IsFalse() is recorded as a pass.
		// NOTE(review): how IsFalse() treats an unknown or unresolved
		// setting is not visible here. Confirm that such a value should
		// count as a pass rather than be surfaced for manual review.

		// NOTE(review): point-in-time recovery is documented by AWS as a
		// table feature. Confirm that the DAX cluster adapter actually
		// populates PointInTimeRecovery; otherwise this loop evaluates a
		// default value instead of a real setting.
		for _, dax := range s.AWS.DynamoDB.DAXClusters {
			switch {
			case dax.Metadata.IsUnmanaged():
				// Not managed by the scanned configuration: nothing to report.
			case dax.PointInTimeRecovery.IsFalse():
				results.Add(
					"Point-in-time recovery is not enabled.",
					dax.PointInTimeRecovery,
				)
			default:
				results.AddPassed(&dax)
			}
		}

		for _, tbl := range s.AWS.DynamoDB.Tables {
			switch {
			case tbl.Metadata.IsUnmanaged():
				// Not managed by the scanned configuration: nothing to report.
			case tbl.PointInTimeRecovery.IsFalse():
				results.Add(
					"Point-in-time recovery is not enabled.",
					tbl.PointInTimeRecovery,
				)
			default:
				results.AddPassed(&tbl)
			}
		}

		return results
	},
)