github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/eks/encrypt_secrets.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/eks/encrypt_secrets.go (about)

     1  package eks
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckEncryptSecrets = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0039",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "eks",
    16  		ShortCode:   "encrypt-secrets",
    17  		Summary:     "EKS should have the encryption of secrets enabled",
    18  		Impact:      "EKS secrets could be read if compromised",
    19  		Resolution:  "Enable encryption of EKS secrets",
    20  		Explanation: `EKS cluster resources should have the encryption_config block set with protection of the secrets resource.`,
    21  		Links: []string{
    22  			"https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformEncryptSecretsGoodExamples,
    26  			BadExamples:         terraformEncryptSecretsBadExamples,
    27  			Links:               terraformEncryptSecretsLinks,
    28  			RemediationMarkdown: terraformEncryptSecretsRemediationMarkdown,
    29  		},
    30  		CloudFormation: &scan.EngineMetadata{
    31  			GoodExamples:        cloudFormationEncryptSecretsGoodExamples,
    32  			BadExamples:         cloudFormationEncryptSecretsBadExamples,
    33  			Links:               cloudFormationEncryptSecretsLinks,
    34  			RemediationMarkdown: cloudFormationEncryptSecretsRemediationMarkdown,
    35  		},
    36  		Severity: severity.High,
    37  	},
    38  	func(s *state.State) (results scan.Results) {
    39  		for _, cluster := range s.AWS.EKS.Clusters {
    40  			if cluster.Encryption.Secrets.IsFalse() {
    41  				results.Add(
    42  					"Cluster does not have secret encryption enabled.",
    43  					cluster.Encryption.Secrets,
    44  				)
    45  			} else if cluster.Encryption.KMSKeyID.IsEmpty() {
    46  				results.Add(
    47  					"Cluster encryption requires a KMS key ID, which is missing",
    48  					cluster.Encryption.KMSKeyID,
    49  				)
    50  			} else {
    51  				results.AddPassed(&cluster)
    52  			}
    53  		}
    54  		return
    55  	},
    56  )