github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/storage/bucket_encryption_customer_key.go (about) 1 package storage 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckBucketEncryptionCustomerKey = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-GCP-0066", 14 Provider: providers.GoogleProvider, 15 Service: "storage", 16 ShortCode: "bucket-encryption-customer-key", 17 Summary: "Cloud Storage buckets should be encrypted with a customer-managed key.", 18 Impact: "Using unmanaged keys does not allow for proper key management.", 19 Resolution: "Encrypt Cloud Storage buckets using customer-managed keys.", 20 Explanation: `Using unmanaged keys makes rotation and general management difficult.`, 21 Links: []string{ 22 "https://cloud.google.com/storage/docs/encryption/customer-managed-keys", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformBucketEncryptionCustomerKeyGoodExamples, 26 BadExamples: terraformBucketEncryptionCustomerKeyBadExamples, 27 Links: terraformBucketEncryptionCustomerKeyLinks, 28 RemediationMarkdown: terraformBucketEncryptionCustomerKeyRemediationMarkdown, 29 }, 30 Severity: severity.Low, 31 }, 32 func(s *state.State) (results scan.Results) { 33 for _, bucket := range s.Google.Storage.Buckets { 34 if bucket.Metadata.IsUnmanaged() { 35 continue 36 } 37 if bucket.Encryption.DefaultKMSKeyName.IsEmpty() { 38 results.Add( 39 "Storage bucket encryption does not use a customer-managed key.", 40 bucket.Encryption.DefaultKMSKeyName, 41 ) 42 } else { 43 results.AddPassed(&bucket) 44 } 45 } 46 return 47 }, 48 )