github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/encryption_customer_key.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/encryption_customer_key.go (about)

     1  package s3
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  	"github.com/khulnasoft-lab/defsec/pkg/types"
    10  )
    11  
    12  var CheckEncryptionCustomerKey = rules.Register(
    13  	scan.Rule{
    14  		AVDID:       "AVD-AWS-0132",
    15  		Provider:    providers.AWSProvider,
    16  		Service:     "s3",
    17  		ShortCode:   "encryption-customer-key",
    18  		Summary:     "S3 encryption should use Customer Managed Keys",
    19  		Impact:      "Using AWS managed keys does not allow for fine grained control",
    20  		Resolution:  "Enable encryption using customer managed keys",
    21  		Explanation: `Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.`,
    22  		Links: []string{
    23  			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
    24  		},
    25  		Terraform: &scan.EngineMetadata{
    26  			GoodExamples:        terraformCheckEncryptionCustomerKeyGoodExamples,
    27  			BadExamples:         terraformCheckEncryptionCustomerKeyBadExamples,
    28  			Links:               terraformCheckEncryptionCustomerKeyLinks,
    29  			RemediationMarkdown: terraformCheckEncryptionCustomerKeyRemediationMarkdown,
    30  		},
    31  		CloudFormation: &scan.EngineMetadata{
    32  			GoodExamples:        cloudFormationCheckEncryptionCustomerKeyGoodExamples,
    33  			BadExamples:         cloudFormationCheckEncryptionCustomerKeyBadExamples,
    34  			Links:               cloudFormationCheckEncryptionCustomerKeyLinks,
    35  			RemediationMarkdown: cloudFormationCheckEncryptionCustomerKeyRemediationMarkdown,
    36  		},
    37  		Severity: severity.High,
    38  	},
    39  	func(s *state.State) (results scan.Results) {
    40  		for _, bucket := range s.AWS.S3.Buckets {
    41  
    42  			if bucket.ACL.EqualTo("log-delivery-write", types.IgnoreCase) {
    43  				// Log buckets don't support non AES256 encryption - this rule doesn't apply here
    44  				// https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/
    45  				continue
    46  			}
    47  			if bucket.Encryption.KMSKeyId.IsEmpty() {
    48  				results.Add(
    49  					"Bucket does not encrypt data with a customer managed key.",
    50  					&bucket.Encryption,
    51  				)
    52  			} else {
    53  				results.AddPassed(&bucket)
    54  			}
    55  		}
    56  		return
    57  	},
    58  )