github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/enable_bucket_logging.go (about) 1 package s3 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckLoggingIsEnabled = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AWS-0089", 14 Provider: providers.AWSProvider, 15 Service: "s3", 16 ShortCode: "enable-bucket-logging", 17 Summary: "S3 Bucket does not have logging enabled.", 18 Explanation: "Buckets should have logging enabled so that access can be audited.", 19 Impact: "There is no way to determine the access to this bucket", 20 Resolution: "Add a logging block to the resource to enable access logging", 21 Links: []string{ 22 "https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformEnableBucketLoggingGoodExamples, 26 BadExamples: terraformEnableBucketLoggingBadExamples, 27 Links: terraformEnableBucketLoggingLinks, 28 RemediationMarkdown: terraformEnableBucketLoggingRemediationMarkdown, 29 }, 30 CloudFormation: &scan.EngineMetadata{ 31 GoodExamples: cloudFormationEnableBucketLoggingGoodExamples, 32 BadExamples: cloudFormationEnableBucketLoggingBadExamples, 33 Links: cloudFormationEnableBucketLoggingLinks, 34 RemediationMarkdown: cloudFormationEnableBucketLoggingRemediationMarkdown, 35 }, 36 Severity: severity.Medium, 37 }, 38 func(s *state.State) (results scan.Results) { 39 for _, bucket := range s.AWS.S3.Buckets { 40 if !bucket.Logging.Enabled.IsTrue() && bucket.ACL.NotEqualTo("log-delivery-write") { 41 results.Add( 42 "Bucket does not have logging enabled", 43 bucket.Logging.Enabled, 44 ) 45 } else { 46 results.AddPassed(&bucket) 47 } 48 } 49 return results 50 }, 51 )