github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/enable_at_rest_encryption.go (about)

     1  package ec2
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckEnableAtRestEncryption = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0131",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "ec2",
    16  		ShortCode:   "enable-at-rest-encryption",
    17  		Summary:     "Instance with unencrypted block device.",
    18  		Impact:      "The block device could be compromised and read from",
    19  		Resolution:  "Turn on encryption for all block devices",
    20  		Explanation: `Block devices should be encrypted to ensure sensitive data is held securely at rest.`,
    21  		Links: []string{
    22  			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
    26  			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
    27  			Links:               terraformEnableAtRestEncryptionLinks,
    28  			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
    29  		},
    30  		CloudFormation: &scan.EngineMetadata{
    31  			GoodExamples:        cloudFormationEnableAtRestEncryptionGoodExamples,
    32  			BadExamples:         cloudFormationEnableAtRestEncryptionBadExamples,
    33  			Links:               cloudFormationEnableAtRestEncryptionLinks,
    34  			RemediationMarkdown: cloudFormationEnableAtRestEncryptionRemediationMarkdown,
    35  		},
    36  		Severity: severity.High,
    37  	},
    38  	func(s *state.State) (results scan.Results) {
    39  		for _, instance := range s.AWS.EC2.Instances {
    40  			if instance.RootBlockDevice != nil && instance.RootBlockDevice.Encrypted.IsFalse() {
    41  				results.Add(
    42  					"Root block device is not encrypted.",
    43  					instance.RootBlockDevice.Encrypted,
    44  				)
    45  			} else {
    46  				results.AddPassed(&instance)
    47  			}
    48  			for _, device := range instance.EBSBlockDevices {
    49  				if device.Encrypted.IsFalse() {
    50  					results.Add(
    51  						"EBS block device is not encrypted.",
    52  						device.Encrypted,
    53  					)
    54  				} else {
    55  					results.AddPassed(device)
    56  				}
    57  			}
    58  		}
    59  		return
    60  	},
    61  )