Merge branch 'master' into patch-1
gaurav-gogia authored Oct 19, 2022
2 parents a702f72 + e289cc6 commit d2588e8
Showing 6 changed files with 59 additions and 20 deletions.
21 changes: 21 additions & 0 deletions pkg/mapper/iac-providers/cft/config/db-instance.go
Expand Up @@ -31,6 +31,16 @@ type DBInstanceConfig struct {
KmsKeyID string `json:"kms_key_id,omitempty"`
IamDBAuthEnabled bool `json:"iam_database_authentication_enabled"`
PubliclyAccessible bool `json:"publicly_accessible"`
BackupRetentionPeriod int `json:"backup_retention_period"`
Username string `json:"username"`
Password string `json:"password"`
InstanceClass string `json:"instance_class"`
Engine string `json:"engine"`
EngineVersion string `json:"engine_version"`
Identifier string `json:"identifier"`
StorageType string `json:"storage_type"`
DeleteAutomatedBackups bool `json:"delete_automated_backups"`
DeletionProtection bool `json:"deletion_protection"`
}

// GetDBInstanceConfig returns config for aws_db_instance
Expand All @@ -47,7 +57,18 @@ func GetDBInstanceConfig(d *rds.DBInstance) []AWSResourceConfig {
CaCertIdentifier: functions.GetVal(d.CACertificateIdentifier),
IamDBAuthEnabled: functions.GetVal(d.EnableIAMDatabaseAuthentication),
PubliclyAccessible: functions.GetVal(d.PubliclyAccessible),
BackupRetentionPeriod: functions.GetVal(d.BackupRetentionPeriod),
Username: functions.GetVal(d.MasterUsername),
Password: functions.GetVal(d.MasterUserPassword),
InstanceClass: functions.GetVal(d.DBInstanceClass),
Engine: functions.GetVal(d.Engine),
EngineVersion: functions.GetVal(d.EngineVersion),
Identifier: functions.GetVal(d.DBInstanceIdentifier),
StorageType: functions.GetVal(d.StorageType),
DeleteAutomatedBackups: functions.GetVal(d.DeleteAutomatedBackups),
DeletionProtection: functions.GetVal(d.DeletionProtection),
}

return []AWSResourceConfig{{
Resource: cf,
Metadata: d.AWSCloudFormationMetadata,
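Review bot: `Password: functions.GetVal(d.MasterUserPassword)` in the second hunk copies the RDS master password out of the template into the normalized config, and the matching struct field is tagged `json:"password"` without `omitempty`, so the plaintext value (or an empty key) is carried into anything that serializes the config, such as scan output. If a policy only needs to know whether a password is hardcoded, a presence flag would serve without retaining the value; if the value itself is required, at least tag it `json:"password,omitempty"` and add a field comment such as `// Password is the master password as written in the template; output containing it is sensitive.` The other new fields likewise lack `omitempty` while `KmsKeyID` has it, which is worth settling one way for the struct. Both the struct and `GetDBInstanceConfig` begin above the hunks, so fields mapped earlier are not visible here.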
17 changes: 17 additions & 0 deletions pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json
@@ -0,0 +1,17 @@
{
"name": "rdsBackupDisabled",
"file": "rdsBackupDisabled.rego",
"policy_type": "aws",
"resource_type": "aws_db_instance",
"template_args": {
"prefix": "",
"name": "rdsBackupDisabled",
"suffix": ""
},
"severity": "HIGH",
"description": "Ensure automated backups are enabled for AWS RDS instances",
"reference_id": "AC_AWS_0052",
"category": "Data Protection",
"id": "AC_AWS_0052",
"version": 2
}
@@ -1,13 +1,15 @@
{
"name": "dbInstanceLoggingDisabled",
"file": "dbInstanceLoggingDisabled.rego",
"name": "rdsLogExportDisabled",
"file": "rdsLogExportDisabled.rego",
"policy_type": "aws",
"resource_type": "aws_db_instance",
"template_args": {
"prefix": ""
"prefix": "",
"name": "rdsLogExportDisabled",
"suffix": ""
},
"severity": "MEDIUM",
"description": "Ensure AWS RDS instances have logging enabled.",
"description": "Ensure CloudWatch logging is enabled for AWS DB instances",
"reference_id": "AWS.ADI.LM.MEDIUM.0076",
"category": "Logging and Monitoring",
"id": "AC_AWS_0454",

This file was deleted.

@@ -0,0 +1,9 @@
package accurics

{{.prefix}}{{.name}}{{.suffix}}[retVal] {
backup := input.aws_db_instance[_]
object.get(backup.config, "backup_retention_period", "undefined") == ["undefined", null, 0, []][_]

traverse = "backup_retention_period"
retVal := { "Id": backup.id, "ReplaceType": "add", "CodeType": "attribute", "Traverse": traverse, "Attribute": "backup_retention_period", "AttributeDataType": "int", "Expected": 30, "Actual": null }
}
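Review bot: The rule treats an absent `backup_retention_period` the same as 0, but `db-instance.go` in this commit maps `BackupRetentionPeriod` as a plain `int` filled via `functions.GetVal`, which presumably yields 0 when the CloudFormation property is omitted, and for CloudFormation an omitted property falls back to the AWS service default rather than disabling backups (the default is a non-zero retention, if I recall the documentation correctly). CloudFormation templates that rely on that default would therefore be reported at HIGH severity as "backups disabled"; either keep absence distinguishable on the Go side (pointer or `omitempty`) or word the description to say an explicit retention period is required. The remediation value `"Expected": 30` is also stronger than what the rule checks, since any value of 1 or more passes; a comment above the rule stating the intended minimum, e.g. `# any retention period >= 1 passes; 30 is the suggested remediation value`, would make that deliberate. `traverse = "backup_retention_period"` uses unification where the neighbouring lines use `:=`; prefer `traverse := "backup_retention_period"` for consistency.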
@@ -0,0 +1,6 @@
package accurics

{{.prefix}}{{.name}}{{.suffix}}[db_instance.id] {
db_instance := input.aws_db_instance[_]
object.get(db_instance.config, "enabled_cloudwatch_logs_exports", "undefined") == ["undefined", [], null][_]
}
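Review bot: The rule looks up `enabled_cloudwatch_logs_exports` on the instance config, but the `DBInstanceConfig` fields added in `db-instance.go` in this commit include no mapping for that key, so unless one exists on lines outside that hunk, every CloudFormation-sourced instance will hit the `"undefined"` branch and be flagged regardless of its `EnableCloudwatchLogsExports` setting. If the mapping is indeed missing, add a string-slice field tagged `json:"enabled_cloudwatch_logs_exports"` to the struct and populate it from the template so the rule can distinguish configured from unconfigured exports. A one-line comment above the match, `# absent, empty or null export list means no CloudWatch log export is configured`, would also document why three distinct values are treated as the same failure.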
