github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/workspaces/enable_disk_encryption.go (about)

     1  package workspaces
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckEnableDiskEncryption = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0109",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "workspaces",
    16  		ShortCode:   "enable-disk-encryption",
    17  		Summary:     "Root and user volumes on Workspaces should be encrypted",
    18  		Impact:      "Data can be freely read if compromised",
    19  		Resolution:  "Root and user volume encryption should be enabled",
    20  		Explanation: `Workspace volumes for both user and root should be encrypted to protect the data stored on them.`,
    21  		Links: []string{
    22  			"https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformEnableDiskEncryptionGoodExamples,
    26  			BadExamples:         terraformEnableDiskEncryptionBadExamples,
    27  			Links:               terraformEnableDiskEncryptionLinks,
    28  			RemediationMarkdown: terraformEnableDiskEncryptionRemediationMarkdown,
    29  		},
    30  		CloudFormation: &scan.EngineMetadata{
    31  			GoodExamples:        cloudFormationEnableDiskEncryptionGoodExamples,
    32  			BadExamples:         cloudFormationEnableDiskEncryptionBadExamples,
    33  			Links:               cloudFormationEnableDiskEncryptionLinks,
    34  			RemediationMarkdown: cloudFormationEnableDiskEncryptionRemediationMarkdown,
    35  		},
    36  		Severity: severity.High,
    37  	},
    38  	func(s *state.State) (results scan.Results) {
    39  		for _, workspace := range s.AWS.WorkSpaces.WorkSpaces {
    40  			var fail bool
    41  			if workspace.RootVolume.Encryption.Enabled.IsFalse() {
    42  				results.Add(
    43  					"Root volume does not have encryption enabled.",
    44  					workspace.RootVolume.Encryption.Enabled,
    45  				)
    46  				fail = true
    47  			}
    48  			if workspace.UserVolume.Encryption.Enabled.IsFalse() {
    49  				results.Add(
    50  					"User volume does not have encryption enabled.",
    51  					workspace.UserVolume.Encryption.Enabled,
    52  				)
    53  				fail = true
    54  			}
    55  			if !fail {
    56  				results.AddPassed(&workspace)
    57  			}
    58  		}
    59  		return
    60  	},
    61  )