Merge pull request #29 from nikpivkin/fix/change-aws-0078-r

fix(rule): restate the AVD-AWS-0078 rule
aquasecurity · Oct 27, 2023 · 4c2cea5 · 4c2cea5
2 parents d9abb81 + c37b6d9
commit 4c2cea5
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 93 deletions.
diff --git a/rules/cloud/policies/aws/rds/enable_performance_insights_encryption.go b/rules/cloud/policies/aws/rds/enable_performance_insights_encryption.go
diff --git a/...ble_performance_insights_encryption.cf.go → ...ce_insights_encryption_customer_key.cf.go b/...ble_performance_insights_encryption.cf.go → ...ce_insights_encryption_customer_key.cf.go
@@ -1,6 +1,6 @@
 package rds
 
-var cloudFormationEnablePerformanceInsightsEncryptionGoodExamples = []string{
+var cloudFormationPerformanceInsightsEncryptionCustomerKeyGoodExamples = []string{
 	`---
 AWSTemplateFormatVersion: 2010-09-09
 Description: Good example
@@ -14,7 +14,7 @@ Resources:
 `,
 }
 
-var cloudFormationEnablePerformanceInsightsEncryptionBadExamples = []string{
+var cloudFormationPerformanceInsightsEncryptionCustomerKeyBadExamples = []string{
 	`---
 AWSTemplateFormatVersion: 2010-09-09
 Description: Bad example
@@ -27,6 +27,6 @@ Resources:
 `,
 }
 
-var cloudFormationEnablePerformanceInsightsEncryptionLinks = []string{}
+var cloudFormationPerformanceInsightsEncryptionCustomerKeyLinks = []string{}
 
-var cloudFormationEnablePerformanceInsightsEncryptionRemediationMarkdown = ``
+var cloudFormationPerformanceInsightsEncryptionCustomerKeyRemediationMarkdown = ``
diff --git a/rules/cloud/policies/aws/rds/performance_insights_encryption_customer_key.go b/rules/cloud/policies/aws/rds/performance_insights_encryption_customer_key.go
@@ -0,0 +1,73 @@
+package rds
+
+import (
+	"fmt"
+
+	"github.com/aquasecurity/defsec/pkg/providers"
+	"github.com/aquasecurity/defsec/pkg/providers/aws/rds"
+	"github.com/aquasecurity/defsec/pkg/scan"
+	"github.com/aquasecurity/defsec/pkg/severity"
+	"github.com/aquasecurity/defsec/pkg/state"
+
+	"github.com/aquasecurity/trivy-policies/pkg/rules"
+)
+
+var CheckPerformanceInsightsEncryptionCustomerKey = rules.Register(
+	scan.Rule{
+		AVDID:      "AVD-AWS-0078",
+		Provider:   providers.AWSProvider,
+		Service:    "rds",
+		ShortCode:  "performance-insights-encryption-customer-key",
+		Summary:    "Performance Insights encryption should use Customer Managed Keys",
+		Impact:     "Using AWS managed keys does not allow for fine grained control",
+		Resolution: "Use Customer Managed Keys to encrypt Performance Insights data",
+		Explanation: `Amazon RDS uses the AWS managed key for your new DB instance. For complete control over KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, and rotating their cryptographic material, use a customer managed keys.
+
+The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "`" + ` references a KMS ARN`,
+		Links: []string{
+			"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html#USER_PerfInsights.access-control.cmk-policy",
+			"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt",
+		},
+		Terraform: &scan.EngineMetadata{
+			GoodExamples:        terraformPerformanceInsightsEncryptionCustomerKeyGoodExamples,
+			BadExamples:         terraformPerformanceInsightsEncryptionCustomerKeyBadExamples,
+			Links:               terraformPerformanceInsightsEncryptionCustomerKeyLinks,
+			RemediationMarkdown: terraformPerformanceInsightsEncryptionCustomerKeyRemediationMarkdown,
+		},
+		CloudFormation: &scan.EngineMetadata{
+			GoodExamples:        cloudFormationPerformanceInsightsEncryptionCustomerKeyGoodExamples,
+			BadExamples:         cloudFormationPerformanceInsightsEncryptionCustomerKeyBadExamples,
+			Links:               cloudFormationPerformanceInsightsEncryptionCustomerKeyLinks,
+			RemediationMarkdown: cloudFormationPerformanceInsightsEncryptionCustomerKeyRemediationMarkdown,
+		},
+		Severity: severity.Low,
+	},
+	func(s *state.State) (results scan.Results) {
+
+		checkCMK := func(entity string, instance rds.Instance) {
+			if instance.Metadata.IsUnmanaged() || instance.PerformanceInsights.Enabled.IsFalse() {
+				return
+			}
+
+			if instance.PerformanceInsights.KMSKeyID.IsEmpty() {
+				results.Add(
+					fmt.Sprintf("%s Perfomance Insights enctyption does not use a customer-managed KMS key.", entity),
+					instance.PerformanceInsights.KMSKeyID,
+				)
+			} else {
+				results.AddPassed(&instance)
+			}
+		}
+
+		for _, cluster := range s.AWS.RDS.Clusters {
+			for _, instance := range cluster.Instances {
+				checkCMK("Cluster instance", instance.Instance)
+			}
+		}
+		for _, instance := range s.AWS.RDS.Instances {
+			checkCMK("Instance", instance)
+		}
+
+		return
+	},
+)
diff --git a/...ble_performance_insights_encryption.tf.go → ...ce_insights_encryption_customer_key.tf.go b/...ble_performance_insights_encryption.tf.go → ...ce_insights_encryption_customer_key.tf.go
@@ -1,6 +1,6 @@
 package rds
 
-var terraformEnablePerformanceInsightsEncryptionGoodExamples = []string{
+var terraformPerformanceInsightsEncryptionCustomerKeyGoodExamples = []string{
 	`
 resource "aws_rds_cluster_instance" "good_example" {
 	name = "bar"
@@ -10,7 +10,7 @@ resource "aws_rds_cluster_instance" "good_example" {
 		`,
 }
 
-var terraformEnablePerformanceInsightsEncryptionBadExamples = []string{
+var terraformPerformanceInsightsEncryptionCustomerKeyBadExamples = []string{
 	`
 resource "aws_rds_cluster_instance" "bad_example" {
 	name = "bar"
@@ -20,8 +20,8 @@ resource "aws_rds_cluster_instance" "bad_example" {
 		`,
 }
 
-var terraformEnablePerformanceInsightsEncryptionLinks = []string{
+var terraformPerformanceInsightsEncryptionCustomerKeyLinks = []string{
 	`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id`, `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id`,
 }
 
-var terraformEnablePerformanceInsightsEncryptionRemediationMarkdown = ``
+var terraformPerformanceInsightsEncryptionCustomerKeyRemediationMarkdown = ``
diff --git a/...e_performance_insights_encryption_test.go → ..._insights_encryption_customer_key_test.go b/...e_performance_insights_encryption_test.go → ..._insights_encryption_customer_key_test.go
@@ -3,17 +3,14 @@ package rds
 import (
 	"testing"
 
-	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
-
-	"github.com/aquasecurity/defsec/pkg/state"
-
 	"github.com/aquasecurity/defsec/pkg/providers/aws/rds"
 	"github.com/aquasecurity/defsec/pkg/scan"
-
+	"github.com/aquasecurity/defsec/pkg/state"
+	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	"github.com/stretchr/testify/assert"
 )
 
-func TestCheckEnablePerformanceInsightsEncryption(t *testing.T) {
+func TestCheckPerformanceInsightsEncryptionCustomerKey(t *testing.T) {
 	tests := []struct {
 		name     string
 		input    rds.RDS
@@ -36,7 +33,7 @@ func TestCheckEnablePerformanceInsightsEncryption(t *testing.T) {
 			expected: false,
 		},
 		{
-			name: "RDS Instance with performance insights enabled but missing KMS key",
+			name: "RDS Cluster instance with performance insights enabled but missing KMS key",
 			input: rds.RDS{
 				Clusters: []rds.Cluster{
 					{
@@ -79,10 +76,10 @@ func TestCheckEnablePerformanceInsightsEncryption(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			var testState state.State
 			testState.AWS.RDS = test.input
-			results := CheckEnablePerformanceInsightsEncryption.Evaluate(&testState)
+			results := CheckPerformanceInsightsEncryptionCustomerKey.Evaluate(&testState)
 			var found bool
 			for _, result := range results {
-				if result.Status() != scan.StatusPassed && result.Rule().LongID() == CheckEnablePerformanceInsightsEncryption.LongID() {
+				if result.Status() != scan.StatusPassed && result.Rule().LongID() == CheckPerformanceInsightsEncryptionCustomerKey.LongID() {
 					found = true
 				}
 			}