
     1  package s3
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     8  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  )
    11  
// CheckRequireMFADelete registers rule AVD-AWS-0170 ("require-mfa-delete")
// for the AWS S3 service. It is mapped to CIS AWS Foundations Benchmark 1.4
// control 2.1.3 and reports, at Low severity, every bucket whose
// Versioning.MFADelete value is statically known to be false.
//
// Registration happens as a package-level side effect: the rule is added to
// the rules registry when this package is imported, and the returned value is
// kept only so the rule can be referenced (e.g. from tests).
var CheckRequireMFADelete = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0170",
		Provider:  providers.AWSProvider,
		Service:   "s3",
		ShortCode: "require-mfa-delete",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"2.1.3"},
		},
		Summary:    "Buckets should have MFA deletion protection enabled.",
		Impact:     "Lessened protection against accidental/malicious deletion of data",
		Resolution: "Enable MFA deletion protection on the bucket",
		Explanation: `
Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete an object version, adding another layer of security in the event your security credentials are compromised or unauthorized access is obtained.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html",
		},
		Severity: severity.Low,
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformRequireMFADeleteGoodExamples,
			BadExamples:         terraformRequireMFADeleteBadExamples,
			Links:               terraformRequireMFADeleteLinks,
			RemediationMarkdown: terraformRequireMFADeleteRemediationMarkdown,
		},
	},
	// Evaluate every S3 bucket in the adapted state. A bucket fails only when
	// its MFA-delete flag resolves to false; anything else (true, or a value
	// the adapter could not resolve) is recorded as a pass.
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			mfaDelete := bucket.Versioning.MFADelete

			// NOTE(review): this relies on IsFalse() treating an unresolvable
			// value as "not false" — presumably the defsec types package does
			// so, which means a bucket whose setting cannot be determined
			// statically passes silently rather than failing closed. Confirm
			// that is the intended posture for a CIS-mapped control.
			if !mfaDelete.IsFalse() {
				results.AddPassed(&bucket)
				continue
			}

			// Attach the finding to the MFADelete attribute itself so the
			// reported location points at the offending setting rather than
			// at the whole bucket resource.
			//
			// NOTE(review): only Versioning.MFADelete is inspected here; the
			// linked AWS documentation ties MFA delete to bucket versioning,
			// but whether Versioning.Enabled is covered by a sibling rule is
			// not visible from this file — verify before relying on this
			// check alone for CIS 2.1.3.
			results.Add(
				"Bucket does not have MFA deletion protection enabled",
				mfaDelete,
			)
		}
		return results
	},
)