from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.common.models.consts import ANY_VALUE
class ElasticsearchDomainLogging(BaseResourceValueCheck):
    """Check CKV_AWS_84: an Elasticsearch/OpenSearch domain publishes logs to CloudWatch.

    Applies to ``aws_elasticsearch_domain`` and ``aws_opensearch_domain``. The
    check looks only at the first ``log_publishing_options`` block of the
    resource: it PASSES when that block carries a ``cloudwatch_log_group_arn``
    and is not explicitly ``enabled = false``; every other shape (attribute
    missing, not a list, first block not a dict, no ARN, or disabled) FAILS.
    Later ``log_publishing_options`` blocks are not inspected.
    """

    def __init__(self):
        # Builtin name `id` is deliberately not bound as a local here; the
        # keyword arguments are passed straight through to the base check.
        super().__init__(
            name="Ensure Elasticsearch Domain Logging is enabled",
            id="CKV_AWS_84",
            categories=[CheckCategories.LOGGING],
            supported_resources=['aws_elasticsearch_domain', 'aws_opensearch_domain'],
        )

    def get_inspected_key(self):
        """Return the config path this check reports on: the first block's log group ARN."""
        return "log_publishing_options/[0]/cloudwatch_log_group_arn"

    def scan_resource_conf(self, conf):
        """Evaluate one resource's parsed configuration.

        Args:
            conf: parsed resource attributes; values are lists as produced by
                the Terraform parser (a boolean ``false`` appears as ``[False]``).

        Returns:
            ``CheckResult.PASSED`` when the first ``log_publishing_options`` block
            has a ``cloudwatch_log_group_arn`` and is not ``enabled = false``,
            otherwise ``CheckResult.FAILED``. ``self.evaluated_keys`` is set on
            the FAILED paths to point at the offending attribute.
        """
        options = conf.get("log_publishing_options")
        # Only the first block is considered; a non-list or empty value yields None.
        first_block = options[0] if options and isinstance(options, list) else None

        if isinstance(first_block, dict) and first_block.get("cloudwatch_log_group_arn"):
            # An ARN is configured but publishing was switched off explicitly.
            if first_block.get("enabled") == [False]:
                self.evaluated_keys = ["log_publishing_options/[0]/enabled"]
                return CheckResult.FAILED
            return CheckResult.PASSED

        # No usable first block: missing attribute, wrong type, or no ARN.
        self.evaluated_keys = ["log_publishing_options"]
        return CheckResult.FAILED

    def get_expected_value(self):
        """Any non-empty value for the inspected key is acceptable."""
        return ANY_VALUE
# Module-level instance; instantiating the check is what makes it visible to
# the framework (presumably via the base class constructor -- not shown here).
check: ElasticsearchDomainLogging = ElasticsearchDomainLogging()