package dynamodb

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/dynamodb"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckTableCustomerKey (AVD-AWS-0025) reports DynamoDB resources whose
// at-rest encryption is not backed by a customer-managed KMS key.
//
// Classification is based solely on ServerSideEncryption.KMSKeyID:
//   - empty key ID                      -> "does not use a customer-managed KMS key"
//   - key ID == dynamodb.DefaultKMSKeyID -> "explicitly uses the default KMS key"
//   - anything else                     -> pass
//
// The ServerSideEncryption.Enabled flag is not consulted here, so an
// empty key ID is flagged whether or not SSE is switched on at all.
//
// NOTE(review): the comparison with dynamodb.DefaultKMSKeyID is an exact
// string match. A configuration that references the AWS-managed alias in
// its ARN form (…:alias/aws/dynamodb) would not be recognised as the
// default key and would pass — confirm how the adapters normalise key
// references before relying on that branch.
//
// NOTE(review): the rule is documented as a *table* check but also walks
// DAXClusters. DAX's server-side-encryption settings expose, to my
// knowledge, only an enabled flag and no customer key selection, so this
// loop may flag every managed DAX cluster with a finding the user cannot
// remediate — verify against the DAX adapter.
var CheckTableCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0025",
		Provider:    providers.AWSProvider,
		Service:     "dynamodb",
		ShortCode:   "table-customer-key",
		Summary:     "DynamoDB tables should use at rest encryption with a Customer Managed Key",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Enable server side encryption with a customer managed key",
		Explanation: `DynamoDB tables are encrypted by default using AWS managed encryption keys. 
To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformTableCustomerKeyGoodExamples,
			BadExamples:         terraformTableCustomerKeyBadExamples,
			Links:               terraformTableCustomerKeyLinks,
			RemediationMarkdown: terraformTableCustomerKeyRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		// DAX clusters: unmanaged resources (not present in the scanned
		// configuration) are skipped rather than reported.
		for _, dax := range s.AWS.DynamoDB.DAXClusters {
			if dax.Metadata.IsUnmanaged() {
				continue
			}
			key := dax.ServerSideEncryption.KMSKeyID
			switch {
			case key.IsEmpty():
				results.Add(
					"Cluster encryption does not use a customer-managed KMS key.",
					key,
				)
			case key.EqualTo(dynamodb.DefaultKMSKeyID):
				results.Add(
					"Cluster encryption explicitly uses the default KMS key.",
					key,
				)
			default:
				results.AddPassed(&dax)
			}
		}

		// Tables: same three-way classification as above.
		for _, tbl := range s.AWS.DynamoDB.Tables {
			if tbl.Metadata.IsUnmanaged() {
				continue
			}
			key := tbl.ServerSideEncryption.KMSKeyID
			switch {
			case key.IsEmpty():
				results.Add(
					"Table encryption does not use a customer-managed KMS key.",
					key,
				)
			case key.EqualTo(dynamodb.DefaultKMSKeyID):
				results.Add(
					"Table encryption explicitly uses the default KMS key.",
					key,
				)
			default:
				results.AddPassed(&tbl)
			}
		}
		return results
	},
)