package terraform
import input.tfplan as tfplan
# Canned ACLs an aws_s3_bucket may carry in the plan; anything else is denied
# by the ACL rule below. Only the bucket-owner-only ACL is permitted.
allowed_acls = [
	"private",
]

# Accepted values for sse_algorithm in apply_server_side_encryption_by_default:
# SSE-KMS ("aws:kms") or SSE-S3 ("AES256"). Compared as exact strings.
allowed_sse_algorithms = [
	"aws:kms",
	"AES256",
]
# Set of every resource_changes entry in the plan whose type is
# "aws_s3_bucket". Entries are kept whole (address, change.actions,
# change.after, ...) so the deny rules can read their planned state.
# NOTE(review): no filtering on change.actions is done here, so deleted
# buckets are included too; the deny rules only stay quiet for them because
# change.after is null on a delete and field references on null are undefined.
s3_buckets[bucket] {
	some i
	bucket := tfplan.resource_changes[i]
	"aws_s3_bucket" == bucket.type
}
# True when elem is an element of arr (exact equality, e.g. "AES256" does not
# match "aes256"). Undefined — which `not` turns into true — when elem itself
# is undefined, so callers should bind elem before calling this.
array_contains(arr, elem) {
	some i
	elem == arr[i]
}
# Rule to restrict S3 bucket ACLs: deny any planned aws_s3_bucket whose
# `acl` value is not in allowed_acls.
#
# Fail-open caveat: if `acl` is missing from change.after (bucket being
# deleted, value unknown until apply, or the ACL managed by a different
# resource), the reference is undefined, the body is unsatisfied and no
# reason is produced. Such buckets are NOT denied by this rule.
deny[reason] {
	some bucket
	s3_buckets[bucket]
	acl := bucket.change.after.acl
	not array_contains(allowed_acls, acl)
	reason := sprintf(
		"%s: ACL %q is not allowed",
		[bucket.address, acl],
	)
}
# Rule to require server-side encryption: deny any planned aws_s3_bucket whose
# server_side_encryption_configuration list is empty (count == 0).
#
# Fail-open caveat: this only fires when the attribute is present and empty.
# If the attribute is absent from change.after (deleted bucket, value unknown
# until apply), count() is undefined and no reason is produced.
deny[reason] {
	some bucket
	s3_buckets[bucket]
	sse_config := bucket.change.after.server_side_encryption_configuration
	0 == count(sse_config)
	reason := sprintf(
		"%s: requires server-side encryption with expected sse_algorithm to be one of %v",
		[bucket.address, allowed_sse_algorithms],
	)
}
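# Rule to enforce specific SSE algorithms: for every
# server_side_encryption_configuration -> rule ->
# apply_server_side_encryption_by_default entry on a planned aws_s3_bucket,
# deny when its sse_algorithm is not in allowed_sse_algorithms.
#
# The reason now names the offending algorithm, matching the ACL rule's
# message style, so the reader does not have to open the plan to see what
# was configured.
#
# Fail-open caveat: a configuration whose rule list, or whose
# apply_server_side_encryption_by_default list, is empty never reaches the
# comparison (iteration over an empty list is undefined), and an undefined
# sse_algorithm makes sprintf undefined; neither case produces a reason.
deny[reason] {
	some bucket
	s3_buckets[bucket]
	sse_config := bucket.change.after.server_side_encryption_configuration[_]
	sse_rule := sse_config.rule[_]
	by_default := sse_rule.apply_server_side_encryption_by_default[_]
	algorithm := by_default.sse_algorithm
	not array_contains(allowed_sse_algorithms, algorithm)
	reason := sprintf(
		"%s: sse_algorithm %q is not allowed, expected one of %v",
		[bucket.address, algorithm, allowed_sse_algorithms],
	)
}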