refactor(checks): improve metadata retrieval
Signed-off-by: Nikita Pivkin <[email protected]>
nikpivkin authored and simar7 committed Oct 16, 2024
1 parent 9a8d5ab commit 4809e39
Showing 81 changed files with 491 additions and 182 deletions.
12 changes: 10 additions & 2 deletions checks/cloud/aws/apigateway/enable_access_logging.rego
Expand Up @@ -33,16 +33,24 @@ package builtin.aws.apigateway.aws0001

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some stage in input.aws.apigateway.v1.apis[_].stages
not logging_is_configured(stage)
res := result.new("Access logging is not configured.", stage.accesslogging.cloudwatchloggrouparn)
res := result.new(
"Access logging is not configured.",
metadata.obj_by_path(stage, ["accesslogging", "cloudwatchloggrouparn"]),
)
}

deny contains res if {
some stage in input.aws.apigateway.v2.apis[_].stages
not logging_is_configured(stage)
res := result.new("Access logging is not configured.", stage.accesslogging.cloudwatchloggrouparn)
res := result.new(
"Access logging is not configured.",
metadata.obj_by_path(stage, ["accesslogging", "cloudwatchloggrouparn"]),
)
}

logging_is_configured(stage) if {
4 changes: 3 additions & 1 deletion checks/cloud/aws/apigateway/enable_cache.rego
Expand Up @@ -30,6 +30,8 @@ package builtin.aws.apigateway.aws0190

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some api in input.aws.apigateway.v1.apis
isManaged(api)
Expand All @@ -40,6 +42,6 @@ deny contains res if {
not settings.cacheenabled.value
res := result.new(
"Cache data is not enabled.",
object.get(settings, "cacheenabled", settings),
metadata.obj_by_path(settings, ["cacheenabled"]),
)
}
5 changes: 4 additions & 1 deletion checks/cloud/aws/apigateway/enable_cache_encryption.rego
Expand Up @@ -28,6 +28,8 @@ package builtin.aws.apigateway.aws0002

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some api in input.aws.apigateway.v1.apis
isManaged(api)
Expand All @@ -37,8 +39,9 @@ deny contains res if {
isManaged(settings)
settings.cacheenabled.value
not settings.cachedataencrypted.value

res := result.new(
"Cache data is not encrypted.",
object.get(settings, "cachedataencrypted", settings),
metadata.obj_by_path(settings, ["cachedataencrypted"]),
)
}
4 changes: 3 additions & 1 deletion checks/cloud/aws/apigateway/enable_tracing.rego
Expand Up @@ -28,6 +28,8 @@ package builtin.aws.apigateway.aws0003

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some api in input.aws.apigateway.v1.apis
isManaged(api)
Expand All @@ -36,6 +38,6 @@ deny contains res if {
not stage.xraytracingenabled.value
res := result.new(
"X-Ray tracing is not enabled.",
object.get(stage, "xraytracingenabled", stage),
metadata.obj_by_path(stage, ["xraytracingenabled"]),
)
}
6 changes: 4 additions & 2 deletions checks/cloud/aws/apigateway/use_secure_tls_policy.rego
Expand Up @@ -30,12 +30,14 @@ package builtin.aws.apigateway.aws0005

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some domain in input.aws.apigateway.v1.domainnames
not is_tls_1_2(domain)
res := result.new(
"Domain name is configured with an outdated TLS policy.",
object.get(domain, "securitypolicy", domain),
metadata.obj_by_path(domain, "securitypolicy"),
)
}

Expand All @@ -44,7 +46,7 @@ deny contains res if {
not is_tls_1_2(domain)
res := result.new(
"Domain name is configured with an outdated TLS policy.",
object.get(domain, "securitypolicy", domain),
metadata.obj_by_path(domain, "securitypolicy"),
)
}

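Review bot: `metadata.obj_by_path(domain, "securitypolicy")` on the new line passes the path as a bare string, while every other call site in this commit passes an array such as `["cacheenabled"]`; if the helper walks the path as a list, a string argument presumably does not resolve to the same attribute and the finding's location would fall back to the parent object or be undefined. Both hunks in this file have the same form, so both lines should read `metadata.obj_by_path(domain, ["securitypolicy"]),`. The second hunk's `deny` rule starts outside the hunk.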
20 changes: 14 additions & 6 deletions checks/cloud/aws/athena/enable_at_rest_encryption.rego
Expand Up @@ -34,20 +34,28 @@ package builtin.aws.athena.aws0006

import rego.v1

import data.lib.cloud.metadata

encryption_type_none := ""

deny contains res if {
some workgroup in input.aws.athena.workgroups
is_encryption_type_none(workgroup.encryption)
res := result.new("Workgroup does not have encryption configured.", workgroup)
not is_encrypted(workgroup)
res := result.new(
"Workgroup does not have encryption configured.",
metadata.obj_by_path(workgroup, ["encryption", "type"]),
)
}

deny contains res if {
some database in input.aws.athena.databases
is_encryption_type_none(database.encryption)
res := result.new("Database does not have encryption configured.", database)
not is_encrypted(database)
res := result.new(
"Database does not have encryption configured.",
metadata.obj_by_path(database, ["encryption", "type"]),
)
}

is_encryption_type_none(encryption) if {
encryption.type.value == encryption_type_none
is_encrypted(obj) if {
obj.encryption.type.value != encryption_type_none
}
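Review bot: Replacing `is_encryption_type_none(workgroup.encryption)` with `not is_encrypted(workgroup)` changes what happens when `encryption.type.value` is absent: the old condition was undefined for a missing field and produced no finding, whereas `not` over an undefined `is_encrypted` now produces one. That is arguably the safer default for an encryption check, but the commit is titled "refactor" and the message does not state it, so it should be called out and covered by a test input whose workgroup or database lacks `encryption`. The same inversion appears in cloudtrail/encryption_customer_key (`use_cms`), cloudtrail/ensure_cloudwatch_integration (`is_logging_configured`), cloudwatch/log_group_customer_key (`has_cms`), codebuild/enable_encryption (`is_encryption_enabled`) and documentdb/encryption_customer_key (`has_cms`). Whichever semantics is intended, a one-line comment on the helper such as `# undefined when encryption.type is missing, which the deny rules treat as not encrypted` would make the behaviour explicit for the next reader.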
7 changes: 6 additions & 1 deletion checks/cloud/aws/athena/no_encryption_override.rego
Expand Up @@ -33,8 +33,13 @@ package builtin.aws.athena.aws0007

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some workgroup in input.aws.athena.workgroups
not workgroup.enforceconfiguration.value
res := result.new("The workgroup configuration is not enforced.", workgroup.enforceconfiguration)
res := result.new(
"The workgroup configuration is not enforced.",
metadata.obj_by_path(workgroup, ["enforceconfiguration"]),
)
}
4 changes: 3 additions & 1 deletion checks/cloud/aws/cloudfront/enable_logging.rego
Expand Up @@ -33,12 +33,14 @@ package builtin.aws.cloudfront.aws0010

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some dist in input.aws.cloudfront.distributions
not has_logging_bucket(dist)
res := result.new(
"Distribution does not have logging enabled",
object.get(dist, ["logging", "bucket"], dist),
metadata.obj_by_path(dist, ["logging", "bucket"]),
)
}

4 changes: 3 additions & 1 deletion checks/cloud/aws/cloudfront/use_secure_tls_policy.rego
Expand Up @@ -39,13 +39,15 @@ import rego.v1

protocol_version_tls1_2_2021 = "TLSv1.2_2021"

import data.lib.cloud.metadata

deny contains res if {
some dist in input.aws.cloudfront.distributions
not dist.viewercertificate.cloudfrontdefaultcertificate.value
not is_tls_1_2(dist)
res := result.new(
"Distribution allows unencrypted communications.",
object.get(dist, ["viewercertificate", "minimumprotocolversion"], dist),
metadata.obj_by_path(dist, ["viewercertificate", "minimumprotocolversion"]),
)
}

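Review bot: The new `import data.lib.cloud.metadata` is inserted after the `protocol_version_tls1_2_2021` rule rather than next to `import rego.v1` under the package clause, which is where every other file in this commit places it; moving it up keeps the imports in one block ahead of any rule definitions and matches the layout `opa fmt` produces. The `deny` body change itself is consistent with the other checks. `is_tls_1_2` is defined outside the hunk.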
7 changes: 6 additions & 1 deletion checks/cloud/aws/cloudtrail/enable_all_regions.rego
Expand Up @@ -38,8 +38,13 @@ package builtin.aws.cloudtrail.aws0014

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some trail in input.aws.cloudtrail.trails
not trail.ismultiregion.value
res := result.new("Trail is not enabled across all regions.", trail.ismultiregion)
res := result.new(
"Trail is not enabled across all regions.",
metadata.obj_by_path(trail, ["ismultiregion"]),
)
}
7 changes: 6 additions & 1 deletion checks/cloud/aws/cloudtrail/enable_log_validation.rego
Expand Up @@ -33,8 +33,13 @@ package builtin.aws.cloudtrail.aws0016

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some trail in input.aws.cloudtrail.trails
not trail.enablelogfilevalidation.value
res := result.new("Trail does not have log validation enabled.", trail.enablelogfilevalidation)
res := result.new(
"Trail does not have log validation enabled.",
metadata.obj_by_path(trail, ["enablelogfilevalidation"]),
)
}
11 changes: 9 additions & 2 deletions checks/cloud/aws/cloudtrail/encryption_customer_key.rego
Expand Up @@ -36,8 +36,15 @@ package builtin.aws.cloudtrail.aws0015

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some trail in input.aws.cloudtrail.trails
trail.kmskeyid.value == ""
res := result.new("CloudTrail does not use a customer managed key to encrypt the logs.", trail.kmskeyid)
not use_cms(trail)
res := result.new(
"CloudTrail does not use a customer managed key to encrypt the logs.",
metadata.obj_by_path(trail, ["kmskeyid"]),
)
}

use_cms(trail) if trail.kmskeyid.value != ""
11 changes: 9 additions & 2 deletions checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.rego
Expand Up @@ -46,8 +46,15 @@ package builtin.aws.cloudtrail.aws0162

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some trail in input.aws.cloudtrail.trails
trail.cloudwatchlogsloggrouparn.value == ""
res := result.new("Trail does not have CloudWatch logging configured", trail)
not is_logging_configured(trail)
res := result.new(
"Trail does not have CloudWatch logging configured",
metadata.obj_by_path(trail, ["cloudwatchlogsloggrouparn"]),
)
}

is_logging_configured(trail) if trail.cloudwatchlogsloggrouparn.value != ""
Expand Up @@ -42,6 +42,8 @@ package builtin.aws.cloudtrail.aws0163

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some trail in input.aws.cloudtrail.trails
trail.bucketname.value != ""
Expand All @@ -50,5 +52,8 @@ deny contains res if {
bucket.name.value == trail.bucketname.value
not bucket.logging.enabled.value

res := result.new("Trail S3 bucket does not have logging enabled", bucket)
res := result.new(
"Trail S3 bucket does not have logging enabled",
metadata.obj_by_path(bucket, ["name"]),
)
}
11 changes: 9 additions & 2 deletions checks/cloud/aws/cloudwatch/log_group_customer_key.rego
Expand Up @@ -33,8 +33,15 @@ package builtin.aws.cloudwatch.aws0017

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some group in input.aws.cloudwatch.loggroups
group.kmskeyid.value == ""
res := result.new("Log group is not encrypted.", group)
not has_cms(group)
res := result.new(
"Log group is not encrypted.",
metadata.obj_by_path(group, ["kmskeyid"]),
)
}

has_cms(group) if group.kmskeyid.value != ""
19 changes: 14 additions & 5 deletions checks/cloud/aws/codebuild/enable_encryption.rego
Expand Up @@ -34,16 +34,25 @@ package builtin.aws.codebuild.aws0018

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some project in input.aws.codebuild.projects
encryptionenabled := project.artifactsettings.encryptionenabled
not encryptionenabled.value
res := result.new("Encryption is not enabled for project artifacts.", encryptionenabled)
not is_encryption_enabled(project.artifactsettings)
res := result.new(
"Encryption is not enabled for project artifacts.",
metadata.obj_by_path(project, ["artifactsettings", "encryptionenabled"]),
)
}

is_encryption_enabled(settings) if settings.encryptionenabled.value

deny contains res if {
some project in input.aws.codebuild.projects
some setting in project.secondaryartifactsettings
not setting.encryptionenabled.value
res := result.new("Encryption is not enabled for secondary project artifacts.", setting.encryptionenabled)
not is_encryption_enabled(setting)
res := result.new(
"Encryption is not enabled for secondary project artifacts.",
metadata.obj_by_path(setting, ["encryptionenabled"]),
)
}
9 changes: 7 additions & 2 deletions checks/cloud/aws/config/aggregate_all_regions.rego
Expand Up @@ -34,9 +34,14 @@ package builtin.aws.config.aws0019

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
cfg_aggregator := input.aws.config.configurationaggregrator
cfg_aggregator.__defsec_metadata.managed
isManaged(cfg_aggregator)
not cfg_aggregator.sourceallregions.value
res := result.new("Configuration aggregation is not set to source from all regions.", cfg_aggregator.sourceallregions)
res := result.new(
"Configuration aggregation is not set to source from all regions.",
metadata.obj_by_path(cfg_aggregator, ["sourceallregions"]),
)
}
7 changes: 6 additions & 1 deletion checks/cloud/aws/documentdb/enable_storage_encryption.rego
Expand Up @@ -33,8 +33,13 @@ package builtin.aws.documentdb.aws0021

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some cluster in input.aws.documentdb.clusters
not cluster.storageencrypted.value
res := result.new("Cluster storage does not have encryption enabled.", cluster.storageencrypted)
res := result.new(
"Cluster storage does not have encryption enabled.",
metadata.obj_by_path(cluster, ["storageencrypted"]),
)
}
22 changes: 16 additions & 6 deletions checks/cloud/aws/documentdb/encryption_customer_key.rego
Expand Up @@ -33,17 +33,27 @@ package builtin.aws.documentdb.aws0022

import rego.v1

import data.lib.cloud.metadata

deny contains res if {
some cluster in input.aws.documentdb.clusters
cluster.kmskeyid.value == ""

res := result.new("Cluster encryption does not use a customer-managed KMS key.", cluster)
isManaged(cluster)
not has_cms(cluster)
res := result.new(
"Cluster encryption does not use a customer-managed KMS key.",
metadata.obj_by_path(cluster, ["kmskeyid"]),
)
}

deny contains res if {
some cluster in input.aws.documentdb.clusters
some instance in cluster.instances
instance.kmskeyid.value == ""

res := result.new("Instance encryption does not use a customer-managed KMS key.", cluster)
isManaged(instance)
not has_cms(instance)
res := result.new(
"Instance encryption does not use a customer-managed KMS key.",
metadata.obj_by_path(instance, ["kmskeyid"]),
)
}

has_cms(obj) if obj.kmskeyid.value != ""
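Review bot: The added `isManaged(cluster)` and `isManaged(instance)` preconditions narrow both rules so that unmanaged resources are no longer reported, which goes beyond the metadata-retrieval refactor the title describes and is not mentioned in the message; it should be called out there, or split into its own commit, so the change in coverage is visible in history. `isManaged` is not defined in this hunk and is presumably supplied by the check framework, as in the apigateway and config checks touched by the same commit. The instance rule now also attaches the finding to `instance` rather than `cluster`, which is consistent with the message text.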