query "dynamodb_table_encrypted_with_kms_cmk" {
  sql = <<-EOQ
    select
      address as resource,
      -- A table passes only when server-side encryption is switched on AND a
      -- kms_key_arn is given. kms_key_arn is only expected to be set when the
      -- key differs from the default DynamoDB key (alias/aws/dynamodb), so a
      -- block with enabled = true and no ARN is still reported as 'alarm'.
      -- When the server_side_encryption block is absent, 'enabled' is null:
      -- neither `is true` nor `is false` matches and the row falls through
      -- to the 'alarm' default.
      case
        when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is true
          and (attributes_std -> 'server_side_encryption' ->> 'kms_key_arn') is not null then 'ok'
        else 'alarm'
      end as status,
      split_part(address, '.', 2) || case
        when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is true
          and (attributes_std -> 'server_side_encryption' ->> 'kms_key_arn') is not null then ' encrypted by AWS managed CMK'
        -- enabled = false means the table uses the AWS owned key.
        when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is false then ' encrypted by DynamoDB managed and owned AWS KMS key'
        else ' not encrypted by AWS managed CMK'
      end || '.' as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'aws_dynamodb_table';
  EOQ
}
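query "dynamodb_table_encryption_enabled" {
  sql = <<-EOQ
    select
      address as resource,
      -- Check the block's 'enabled' flag rather than the mere presence of the
      -- server_side_encryption block: a block declared with `enabled = false`
      -- leaves the table on the AWS owned key and must not pass as 'ok'.
      -- When the block is absent, 'enabled' is null, the cast yields null,
      -- and the row falls through to 'alarm'.
      case
        when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is true then 'ok'
        else 'alarm'
      end as status,
      split_part(address, '.', 2) || case
        when (attributes_std -> 'server_side_encryption' ->> 'enabled')::bool is true then ' server-side encryption not set to DynamoDB owned KMS key'
        else ' server-side encryption set to AWS owned CMK'
      end || '.' as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'aws_dynamodb_table';
  EOQ
}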
query "dynamodb_table_point_in_time_recovery_enabled" {
  sql = <<-EOQ
    select
      address as resource,
      -- 'enabled' is null when the point_in_time_recovery block is absent, so
      -- a missing block and an explicit `enabled = false` both evaluate to
      -- 'alarm'; only an explicit true passes.
      case
        when (attributes_std -> 'point_in_time_recovery' ->> 'enabled')::boolean then 'ok'
        else 'alarm'
      end as status,
      split_part(address, '.', 2) || case
        when (attributes_std -> 'point_in_time_recovery' ->> 'enabled')::boolean then ' ''point_in_time_recovery'' enabled'
        else ' ''point_in_time_recovery'' disabled'
      end || '.' as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'aws_dynamodb_table';
  EOQ
}
query "dynamodb_vpc_endpoint_routetable_association" {
  sql = <<-EOQ
    select
      address as resource,
      -- An endpoint passes only when its service_name refers to DynamoDB AND
      -- route_table_ids is set; every other combination (other service, null
      -- service_name, or no route tables) is 'alarm'.
      -- NOTE(review): the where clause keeps every aws_vpc_endpoint, so
      -- endpoints for other services are also reported as 'alarm' with a
      -- DynamoDB-specific reason — confirm that is intended.
      case
        when (attributes_std ->> 'service_name') like '%dynamodb%'
          and (attributes_std -> 'route_table_ids') is not null then 'ok'
        else 'alarm'
      end as status,
      split_part(address, '.', 2) || case
        when (attributes_std ->> 'service_name') like '%dynamodb%'
          and (attributes_std -> 'route_table_ids') is not null then ' VPC Endpoint for DynamoDB enabled'
        else ' VPC Endpoint for DynamoDB disabled'
      end || '.' as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_sql}
    from
      terraform_resource
    where
      type = 'aws_vpc_endpoint';
  EOQ
}