package sns
import (
"github.com/mightymarty/tfsec/defsec/internal/rules"
providers2 "github.com/mightymarty/tfsec/defsec/pkg/providers"
scan2 "github.com/mightymarty/tfsec/defsec/pkg/scan"
severity2 "github.com/mightymarty/tfsec/defsec/pkg/severity"
state2 "github.com/mightymarty/tfsec/defsec/pkg/state"
)
// CheckTopicEncryptionUsesCMK flags SNS topics whose server-side encryption
// key is the AWS-managed alias "alias/aws/sns" rather than a customer managed
// KMS key (CMK). With the AWS-managed key the account owner cannot control the
// key policy, rotation or cross-account access, which is why the rule asks for
// a CMK.
//
// Scope of the comparison: only the exact string "alias/aws/sns" is treated as
// a failure. A topic with no key configured at all passes this rule (that is a
// separate concern from CMK usage), and a key given as the full ARN of the same
// managed alias would not match this equality test —
// NOTE(review): confirm whether the adapter normalises key references before
// this check runs, otherwise that form is a false negative.
var CheckTopicEncryptionUsesCMK = rules.Register(
	scan2.Rule{
		AVDID:       "AVD-AWS-0136",
		ShortCode:   "topic-encryption-use-cmk",
		Summary:     "SNS topic not encrypted with CMK.",
		Explanation: `Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.`,
		Impact:      "Key management very limited when using default keys.",
		Resolution:  "Use a CMK for SNS Topic encryption",
		Provider:    providers2.AWSProvider,
		Service:     "sns",
		Links: []string{
			"https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html",
		},
		Severity: severity2.High,
		Terraform: &scan2.EngineMetadata{
			GoodExamples:        terraformTopicEncryptionUsesCMKGoodExamples,
			BadExamples:         terraformTopicEncryptionUsesCMKBadExamples,
			Links:               terraformTopicEncryptionUsesCMKLinks,
			RemediationMarkdown: terraformTopicEncryptionUsesCMKRemediationMarkdown,
		},
		CloudFormation: &scan2.EngineMetadata{
			GoodExamples:        cloudFormationTopicEncryptionUsesCMKGoodExamples,
			BadExamples:         cloudFormationTopicEncryptionUsesCMKBadExamples,
			Links:               cloudFormationTopicEncryptionUsesCMKLinks,
			RemediationMarkdown: cloudFormationTopicEncryptionUsesCMKRemediationMarkdown,
		},
		CustomChecks: scan2.CustomChecks{},
		RegoPackage:  "",
	},
	// Evaluates every SNS topic in the adapted state and records one result
	// per topic: a failure (attributed to the key ID attribute) when the
	// AWS-managed alias is in use, a pass otherwise.
	func(s *state2.State) scan2.Results {
		var results scan2.Results
		for _, t := range s.AWS.SNS.Topics {
			usesManagedKey := t.Encryption.KMSKeyID.EqualTo("alias/aws/sns")
			if !usesManagedKey {
				// NOTE(review): assumes AddPassed reads the topic's metadata at
				// call time rather than retaining the pointer; under pre-Go 1.22
				// loop semantics a retained &t would alias across iterations — verify.
				results.AddPassed(&t)
				continue
			}
			results.Add(
				"Topic encryption does not use a customer managed key.",
				t.Encryption.KMSKeyID,
			)
		}
		return results
	},
)