github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ecr/repository_customer_key.go (about) 1 package ecr 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/ecr" 7 "github.com/khulnasoft-lab/defsec/pkg/scan" 8 "github.com/khulnasoft-lab/defsec/pkg/severity" 9 "github.com/khulnasoft-lab/defsec/pkg/state" 10 ) 11 12 var CheckRepositoryCustomerKey = rules.Register( 13 scan.Rule{ 14 AVDID: "AVD-AWS-0033", 15 Provider: providers.AWSProvider, 16 Service: "ecr", 17 ShortCode: "repository-customer-key", 18 Summary: "ECR Repository should use customer managed keys to allow more control", 19 Impact: "Using AWS managed keys does not allow for fine grained control", 20 Resolution: "Use customer managed keys", 21 Explanation: `Images in the ECR repository are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.`, 22 Links: []string{ 23 "https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html", 24 }, 25 Terraform: &scan.EngineMetadata{ 26 GoodExamples: terraformRepositoryCustomerKeyGoodExamples, 27 BadExamples: terraformRepositoryCustomerKeyBadExamples, 28 Links: terraformRepositoryCustomerKeyLinks, 29 RemediationMarkdown: terraformRepositoryCustomerKeyRemediationMarkdown, 30 }, 31 CloudFormation: &scan.EngineMetadata{ 32 GoodExamples: cloudFormationRepositoryCustomerKeyGoodExamples, 33 BadExamples: cloudFormationRepositoryCustomerKeyBadExamples, 34 Links: cloudFormationRepositoryCustomerKeyLinks, 35 RemediationMarkdown: cloudFormationRepositoryCustomerKeyRemediationMarkdown, 36 }, 37 Severity: severity.Low, 38 }, 39 func(s *state.State) (results scan.Results) { 40 for _, repo := range s.AWS.ECR.Repositories { 41 if repo.Encryption.Type.NotEqualTo(ecr.EncryptionTypeKMS) { 42 results.Add( 43 "Repository is not encrypted using KMS.", 44 repo.Encryption.Type, 45 ) 46 } else if repo.Encryption.KMSKeyID.IsEmpty() { 47 results.Add( 48 "Repository encryption does not use a customer managed KMS key.", 49 repo.Encryption.KMSKeyID, 50 ) 51 } else { 52 results.AddPassed(&repo) 53 } 54 } 55 return 56 }, 57 )