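package msk

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/msk"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckEnableInTransitEncryption is the AVD-AWS-0073 rule: it reports every
// MSK cluster whose client/broker encryption setting still permits plaintext
// traffic (PLAINTEXT or TLS_PLAINTEXT) and records every other cluster as a pass.
var CheckEnableInTransitEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0073",
		Provider:    providers.AWSProvider,
		Service:     "msk",
		ShortCode:   "enable-in-transit-encryption",
		Summary:     "A MSK cluster allows unencrypted data in transit.",
		Impact:      "Intercepted data can be read in transit",
		Resolution:  "Enable in transit encryption",
		Explanation: `Encryption should be forced for Kafka clusters, including for communication between nodes. This ensures sensitive data is kept private.`,
		Links: []string{
			"https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableInTransitEncryptionGoodExamples,
			BadExamples:         terraformEnableInTransitEncryptionBadExamples,
			Links:               terraformEnableInTransitEncryptionLinks,
			RemediationMarkdown: terraformEnableInTransitEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableInTransitEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableInTransitEncryptionBadExamples,
			Links:               cloudFormationEnableInTransitEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableInTransitEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Rule body: walks every MSK cluster in the scanned state. A cluster fails
	// when its ClientBroker mode is one of the two modes that leave an
	// unencrypted client/broker path open; everything else is recorded as passed.
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.MSK.Clusters {
			clientBroker := cluster.EncryptionInTransit.ClientBroker
			// TLS_PLAINTEXT is flagged alongside PLAINTEXT: allowing clients to
			// negotiate down to plaintext is as exposed as not offering TLS at all.
			// Both modes previously had identical, duplicated branches.
			if clientBroker.EqualTo(msk.ClientBrokerEncryptionPlaintext) ||
				clientBroker.EqualTo(msk.ClientBrokerEncryptionTLSOrPlaintext) {
				results.Add(
					"Cluster allows plaintext communication.",
					clientBroker,
				)
				continue
			}
			// NOTE(review): any other value passes here, including an unset or
			// unresolved ClientBroker — confirm the adapter's default before
			// relying on a pass meaning "TLS only".
			results.AddPassed(&cluster)
		}
		return
	},
)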