package ec2

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckASEnableAtRestEncryption (AVD-AWS-0008) reports EC2 launch
// configurations whose root block device, or any of whose EBS block devices,
// has Encrypted known to be false. Every other device (and every launch
// configuration whose root device is absent or not known-unencrypted) is
// recorded as a passed result. The rule is registered for both the Terraform
// and CloudFormation engines with the example/remediation material declared
// elsewhere in this package.
var CheckASEnableAtRestEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0008",
		Aliases:     []string{"aws-autoscaling-enable-at-rest-encryption"},
		Provider:    providers.AWSProvider,
		Service:     "ec2",
		ShortCode:   "enable-launch-config-at-rest-encryption",
		Summary:     "Launch configuration with unencrypted block device.",
		Impact:      "The block device could be compromised and read from",
		Resolution:  "Turn on encryption for all block devices",
		Explanation: `Block devices should be encrypted to ensure sensitive data is held securely at rest.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformASEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformASEnableAtRestEncryptionBadExamples,
			Links:               terraformASEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformASEnableAtRestEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationASEnableAtRestEncryptionGoodExamples,
			BadExamples:         cloudFormationASEnableAtRestEncryptionBadExamples,
			Links:               cloudFormationASEnableAtRestEncryptionLinks,
			RemediationMarkdown: cloudFormationASEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Check function: one result per launch configuration for the root device,
	// plus one result per attached EBS block device.
	func(s *state.State) (results scan.Results) {
		for _, launchConfig := range s.AWS.EC2.LaunchConfigurations {
			root := launchConfig.RootBlockDevice

			// Only a root device whose Encrypted attribute is positively false
			// fails; a missing root device counts as a pass for the config.
			switch {
			case root != nil && root.Encrypted.IsFalse():
				results.Add(
					"Root block device is not encrypted.",
					root.Encrypted,
				)
			default:
				// NOTE(review): this takes the address of the range variable;
				// before Go 1.22 every iteration shares that variable, which is
				// only safe if AddPassed consumes the metadata eagerly — confirm
				// against scan.Results.
				results.AddPassed(&launchConfig)
			}

			for _, device := range launchConfig.EBSBlockDevices {
				if !device.Encrypted.IsFalse() {
					results.AddPassed(device)
					continue
				}
				results.Add(
					"EBS block device is not encrypted.",
					device.Encrypted,
				)
			}
		}
		return results
	},
)