package eks

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckEnableControlPlaneLogging registers the AVD-AWS-0038 rule, which
// inspects every EKS cluster in the scanned state and reports each of the
// five control-plane log types (api, audit, authenticator, controllerManager,
// scheduler) that is not enabled. Each log type yields its own failed or
// passed result, so a cluster with partial logging produces a mix of both.
var CheckEnableControlPlaneLogging = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0038",
		Provider:    providers.AWSProvider,
		Service:     "eks",
		ShortCode:   "enable-control-plane-logging",
		Summary:     "EKS Clusters should have cluster control plane logging turned on",
		Impact:      "Logging provides valuable information about access and usage",
		Resolution:  "Enable logging for the EKS control plane",
		Explanation: `By default cluster control plane logging is not turned on. Logging is available for audit, api, authenticator, controllerManager and scheduler. All logging should be turned on for cluster control plane.`,
		Links: []string{
			"https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableControlPlaneLoggingGoodExamples,
			BadExamples:         terraformEnableControlPlaneLoggingBadExamples,
			Links:               terraformEnableControlPlaneLoggingLinks,
			RemediationMarkdown: terraformEnableControlPlaneLoggingRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// The check walks every cluster and evaluates the five logging flags
	// with a single table-driven loop; the flag value itself is attached to
	// a failed result so the finding points at the offending attribute.
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.EKS.Clusters {
			logChecks := []struct {
				flag    interface{ IsFalse() bool }
				failMsg string
				passMsg string
			}{
				{cluster.Logging.API, "Control plane API logging is not enabled.", "Cluster plane API logging enabled"},
				{cluster.Logging.Audit, "Control plane audit logging is not enabled.", "Cluster plane audit logging enabled"},
				{cluster.Logging.Authenticator, "Control plane authenticator logging is not enabled.", "Cluster plane authenticator logging enabled"},
				{cluster.Logging.ControllerManager, "Control plane controller manager logging is not enabled.", "Cluster plane manager logging enabled"},
				{cluster.Logging.Scheduler, "Control plane scheduler logging is not enabled.", "Cluster plane scheduler logging enabled"},
			}

			for _, lc := range logChecks {
				// NOTE(review): only an explicit false is reported; how IsFalse()
				// treats an unresolvable/unknown flag is not visible here — confirm
				// that an undetermined logging setting is not silently passed.
				if !lc.flag.IsFalse() {
					results.AddPassed(&cluster, lc.passMsg)
					continue
				}
				results.Add(lc.failMsg, lc.flag)
			}
		}
		return
	},
)