github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/enable_bucket_encryption.go (about) 1 package s3 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckEncryptionIsEnabled = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AWS-0088", 14 Provider: providers.AWSProvider, 15 Service: "s3", 16 ShortCode: "enable-bucket-encryption", 17 Summary: "Unencrypted S3 bucket.", 18 Impact: "The bucket objects could be read if compromised", 19 Resolution: "Configure bucket encryption", 20 Explanation: `S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.`, 21 Links: []string{ 22 "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html", 23 }, 24 25 Terraform: &scan.EngineMetadata{ 26 GoodExamples: terraformEnableBucketEncryptionGoodExamples, 27 BadExamples: terraformEnableBucketEncryptionBadExamples, 28 Links: terraformEnableBucketEncryptionLinks, 29 RemediationMarkdown: terraformEnableBucketEncryptionRemediationMarkdown, 30 }, 31 CloudFormation: &scan.EngineMetadata{ 32 GoodExamples: cloudFormationEnableBucketEncryptionGoodExamples, 33 BadExamples: cloudFormationEnableBucketEncryptionBadExamples, 34 Links: cloudFormationEnableBucketEncryptionLinks, 35 RemediationMarkdown: cloudFormationEnableBucketEncryptionRemediationMarkdown, 36 }, 37 Severity: severity.High, 38 }, 39 func(s *state.State) (results scan.Results) { 40 for _, bucket := range s.AWS.S3.Buckets { 41 if bucket.Encryption.Enabled.IsFalse() { 42 results.Add( 43 "Bucket does not have encryption enabled", 44 bucket.Encryption.Enabled, 45 ) 46 } else { 47 results.AddPassed(&bucket, "Bucket encryption correctly configured") 48 } 49 } 50 return results 51 }, 52 )