
     1  package s3
     2  
import (
	"fmt"
	"strings"

	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)
    13  
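// CheckEnableObjectWriteLogging (AVD-AWS-0171, CIS AWS 1.4 §3.10) reports every
// S3 bucket in the scanned state for which no CloudTrail trail logs
// object-level *write* data events.
//
// A bucket passes when at least one trail has an event selector that
//   - does not compare equal to "ReadOnly" (WriteOnly or All; a value that
//     cannot be resolved is presumably also not equal and is therefore treated
//     as covering writes, which is how the check has always behaved), and
//   - carries an AWS::S3::Object data resource whose value covers the bucket –
//     see s3DataResourceCoversBucket for the accepted spellings.
//
// Buckets whose name cannot be resolved (e.g. a computed Terraform value) are
// skipped rather than failed, because the bucket-scoped ARN cannot be built.
//
// NOTE(review): the state model used here exposes neither a trail's region
// nor whether logging is currently switched on, so a single-region trail in
// another region, or a trail that exists but is stopped, still counts as
// coverage. Treat a pass as "a selector exists", not as proof that CloudTrail
// is recording this bucket's writes.
var CheckEnableObjectWriteLogging = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0171",
		Provider:  providers.AWSProvider,
		Service:   "s3",
		ShortCode: "enable-object-write-logging",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"3.10"},
		},
		Summary:    "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
		Impact:     "Difficult/impossible to audit bucket object/data changes.",
		Resolution: "Enable Object-level logging for S3 buckets.",
		Explanation: `
Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html",
		},
		Severity: severity.Low,
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableObjectWriteLoggingGoodExamples,
			BadExamples:         terraformEnableObjectWriteLoggingBadExamples,
			Links:               terraformEnableObjectWriteLoggingLinks,
			RemediationMarkdown: terraformEnableObjectWriteLoggingRemediationMarkdown,
		},
	},
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			// Without a concrete name the bucket-scoped selector value cannot
			// be constructed, so there is nothing to compare against.
			if !bucket.Name.GetMetadata().IsResolvable() {
				continue
			}
			if trailsCoverBucketWrites(s, bucket.Name.Value()) {
				results.AddPassed(&bucket)
				continue
			}
			results.Add(
				"Bucket does not have object-level write logging enabled",
				&bucket,
			)
		}
		return results
	},
)

// trailsCoverBucketWrites reports whether any trail in s has a non-ReadOnly
// event selector with an AWS::S3::Object data resource whose value covers
// bucketName. It returns on the first match.
func trailsCoverBucketWrites(s *state.State, bucketName string) bool {
	for _, trail := range s.AWS.CloudTrail.Trails {
		for _, selector := range trail.EventSelectors {
			// A ReadOnly selector records GetObject and friends but none of
			// the write operations this check is about.
			if selector.ReadWriteType.EqualTo("ReadOnly") {
				continue
			}
			for _, dataResource := range selector.DataResources {
				if dataResource.Type.NotEqualTo("AWS::S3::Object") {
					continue
				}
				for _, partialARN := range dataResource.Values {
					if s3DataResourceCoversBucket(partialARN.Value(), bucketName) {
						return true
					}
				}
			}
		}
	}
	return false
}

// s3DataResourceCoversBucket reports whether a single CloudTrail data-resource
// value (a full or partial S3 ARN) enables object-level logging for every
// object in bucketName.
//
// CloudTrail matches these values as prefixes of the object ARN
// "arn:<partition>:s3:::<bucket>/<key>". The forms that cover a whole bucket
// are therefore:
//   - "arn:<partition>:s3"              – every bucket (AWS documentation form)
//   - "arn:<partition>:s3:::"           – every bucket (the spelling commonly
//     seen in Terraform examples; previously this was reported as a failure)
//   - "arn:<partition>:s3:::<bucket>/"  – all objects in this bucket; the
//     trailing slash is what scopes the prefix to this bucket's objects.
//
// A value that names only a key prefix inside the bucket
// ("arn:<partition>:s3:::<bucket>/logs/") covers part of the bucket and is
// deliberately not accepted.
//
// The partition is not hard-coded to "aws": trails in aws-cn, aws-us-gov and
// the isolated partitions use their own partition string and would otherwise
// always have been reported as missing. Any partition starting with "aws" is
// accepted.
func s3DataResourceCoversBucket(value, bucketName string) bool {
	// value is "arn:<partition>:<rest>"; SplitN keeps every later colon
	// (e.g. "s3:::bucket/") inside the third element.
	parts := strings.SplitN(value, ":", 3)
	if len(parts) != 3 || parts[0] != "arn" || !strings.HasPrefix(parts[1], "aws") {
		return false
	}
	switch parts[2] {
	case "s3", "s3:::":
		// Logging for all of S3 is enabled.
		return true
	}
	// An empty bucket name would turn the bucket-scoped form into "s3:::/",
	// which does not identify any bucket.
	if bucketName == "" {
		return false
	}
	return parts[2] == fmt.Sprintf("s3:::%s/", bucketName)
}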