solves issue #382, and improved policy to relate disk with the instance

tenable · Jan 19, 2021 · 8fbe227 · 8fbe227
1 parent 1fd99c3
commit 8fbe227
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 5 deletions.
diff --git a/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego b/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego
@@ -3,5 +3,11 @@ package accurics
 vmEncryptedwithCsek[api.id]
 {
      api := input.google_compute_disk[_]
-     not api.config.disk_encryption_key == null
+     not api.config.disk_encryption_key
 }
+
+vmEncryptedwithCsek[api.id]
+{
+     api := input.google_compute_disk[_]
+     api.config.disk_encryption_key == null
+}
diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json
@@ -3,7 +3,7 @@
     "file": "encryptedwithCsek.rego",
     "template_args": null,
     "severity": "MEDIUM",
-    "description": "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) .",
+    "description": "VM disks attached to a compute instance should be encrypted with Customer Supplied Encryption Keys (CSEK) .",
     "reference_id": "accurics.gcp.EKM.132",
     "category": "Encryption \u0026 Key Management",
     "version": 1

diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego b/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego
@@ -1,7 +1,33 @@
 package accurics
 
-encryptedwithCsek[api.id]
+encryptedwithCsek[retVal]
 {
-     api := input.google_compute_disk[_]
-     not api.config.disk_encryption_key == null
+    api := input.google_compute_disk[_]
+    not api.config.disk_encryption_key
+
+    association := input.google_compute_attached_disk[_]
+    diskName := split(association.config.disk, ".")[1]
+
+    api.name == diskName
+    instanceName := split(association.config.instance, ".")[1]
+
+    instance := input.google_compute_instance[_]
+    instanceName == instance.name
+    retVal := instance.id
 }
+
+encryptedwithCsek[retVal]
+{
+    api := input.google_compute_disk[_]
+    api.config.disk_encryption_key == null
+
+    association := input.google_compute_attached_disk[_]
+    diskName := split(association.config.disk, ".")[1]
+
+    api.name == diskName
+    instanceName := split(association.config.instance, ".")[1]
+
+    instance := input.google_compute_instance[_]
+    instanceName == instance.name
+    retVal := instance.id
+}