package emr

import (
	"encoding/json"

	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckEnableAtRestEncryption is the AVD-AWS-0137 rule: every EMR security
// configuration must declare EnableAtRestEncryption=true in its
// EncryptionConfiguration JSON. A configuration whose JSON cannot be parsed
// is skipped entirely — it yields neither a finding nor a pass.
var CheckEnableAtRestEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0137",
		Provider:    providers.AWSProvider,
		Service:     "emr",
		ShortCode:   "enable-at-rest-encryption",
		Summary:     "Enable at-rest encryption for EMR clusters.",
		Impact:      "At-rest data in the EMR cluster could be compromised if accessed.",
		Resolution:  "Enable at-rest encryption for EMR cluster",
		Explanation: `Data stored within an EMR cluster should be encrypted to ensure sensitive data is kept private.`,
		Links: []string{
			"https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
			Links:               terraformEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// The check walks every EMR security configuration in the scanned state
	// and decodes its Configuration string as JSON.
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, secConf := range s.AWS.EMR.SecurityConfiguration {
			parsed, err := readVarsFromConfigurationAtRest(secConf.Configuration.Value())
			if err != nil {
				// Best-effort: a configuration that is not valid JSON for this
				// schema cannot be evaluated, so it is neither failed nor passed.
				continue
			}

			if parsed.EncryptionConfiguration.EnableAtRestEncryption {
				results.AddPassed(&secConf)
				continue
			}
			results.Add(
				"EMR cluster does not have at-rest encryption enabled.",
				secConf.Configuration,
			)
		}
		return results
	},
)

// conf mirrors the subset of the EMR security-configuration JSON document
// that the emr rules decode. Only EnableAtRestEncryption is read by this
// rule; the remaining fields are decoded but not consulted here.
type conf struct {
	EncryptionConfiguration struct {
		AtRestEncryptionConfiguration struct {
			S3EncryptionConfiguration struct {
				EncryptionMode string `json:"EncryptionMode"`
			} `json:"S3EncryptionConfiguration"`
			LocalDiskEncryptionConfiguration struct {
				EncryptionKeyProviderType string `json:"EncryptionKeyProviderType"`
				AwsKmsKey                 string `json:"AwsKmsKey"`
			} `json:"LocalDiskEncryptionConfiguration"`
		} `json:"AtRestEncryptionConfiguration"`
		EnableInTransitEncryption bool `json:"EnableInTransitEncryption"`
		EnableAtRestEncryption    bool `json:"EnableAtRestEncryption"`
	} `json:"EncryptionConfiguration"`
}

// readVarsFromConfigurationAtRest decodes raw, an EMR security-configuration
// JSON document, into a conf. Fields missing from the document keep their
// zero value (so a bare "{}" decodes with EnableAtRestEncryption=false).
// It returns a nil conf and the json error when raw is not valid JSON
// for this schema.
func readVarsFromConfigurationAtRest(raw string) (*conf, error) {
	parsed := new(conf)
	err := json.Unmarshal([]byte(raw), parsed)
	if err != nil {
		return nil, err
	}
	return parsed, nil
}