github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/encryption_customer_key.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/encryption_customer_key.go (about)

     1  package ec2
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckEncryptionCustomerKey = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0027",
    14  		Aliases:     []string{"aws-ebs-encryption-customer-key"},
    15  		Provider:    providers.AWSProvider,
    16  		Service:     "ec2",
    17  		ShortCode:   "volume-encryption-customer-key",
    18  		Summary:     "EBS volume encryption should use Customer Managed Keys",
    19  		Impact:      "Using AWS managed keys does not allow for fine grained control",
    20  		Resolution:  "Enable encryption using customer managed keys",
    21  		Explanation: `Encryption using AWS keys provides protection for your EBS volume. To increase control of the encryption and manage factors like rotation use customer managed keys.`,
    22  		Links:       []string{"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html"},
    23  		Terraform: &scan.EngineMetadata{
    24  			GoodExamples:        terraformEncryptionCustomerKeyGoodExamples,
    25  			BadExamples:         terraformEncryptionCustomerKeyBadExamples,
    26  			Links:               terraformEncryptionCustomerKeyLinks,
    27  			RemediationMarkdown: terraformEncryptionCustomerKeyRemediationMarkdown,
    28  		},
    29  		CloudFormation: &scan.EngineMetadata{
    30  			GoodExamples:        cloudFormationEncryptionCustomerKeyGoodExamples,
    31  			BadExamples:         cloudFormationEncryptionCustomerKeyBadExamples,
    32  			Links:               cloudFormationEncryptionCustomerKeyLinks,
    33  			RemediationMarkdown: cloudFormationEncryptionCustomerKeyRemediationMarkdown,
    34  		},
    35  		Severity: severity.Low,
    36  	},
    37  	func(s *state.State) (results scan.Results) {
    38  		for _, volume := range s.AWS.EC2.Volumes {
    39  			if volume.Metadata.IsUnmanaged() {
    40  				continue
    41  			}
    42  			if volume.Encryption.KMSKeyID.IsEmpty() {
    43  				results.Add(
    44  					"EBS volume does not use a customer-managed KMS key.",
    45  					volume.Encryption.KMSKeyID,
    46  				)
    47  			} else {
    48  				results.AddPassed(&volume)
    49  			}
    50  		}
    51  		return
    52  	},
    53  )