Merge pull request #162 from nikpivkin/go2rego-aws-2

refactor(checks): migrate AWS codebuild, config, documentdb, dynamodb to Rego

avd_docs/aws/codebuild/AVD-AWS-0018/docs.md

@@ -1,8 +1,9 @@
 
 All artifacts produced by your CodeBuild project pipeline should always be encrypted
 
+
 ### Impact
-CodeBuild project artifacts are unencrypted
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/config/AVD-AWS-0019/docs.md

@@ -1,10 +1,10 @@
 
-The configuration aggregator should be configured with all_regions for the source. 
-
+Sources that aren't covered by the aggregator are not include in the configuration. The configuration aggregator should be configured with all_regions for the source.
 This will help limit the risk of any unmonitored configuration in regions that are thought to be unused.
 
+
 ### Impact
-Sources that aren't covered by the aggregator are not include in the configuration
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/documentdb/AVD-AWS-0020/docs.md

@@ -1,8 +1,9 @@
 
 Document DB does not have auditing by default. To ensure that you are able to accurately audit the usage of your DocumentDB cluster you should enable export logs.
 
+
 ### Impact
-Limited visibility of audit trail for changes to the DocumentDB
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/documentdb/AVD-AWS-0021/docs.md

@@ -1,8 +1,9 @@
 
-Encryption of the underlying storage used by DocumentDB ensures that if their is compromise of the disks, the data is still protected.
+Unencrypted sensitive data is vulnerable to compromise. Encryption of the underlying storage used by DocumentDB ensures that if their is compromise of the disks, the data is still protected.
+
 
 ### Impact
-Unencrypted sensitive data is vulnerable to compromise.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/documentdb/AVD-AWS-0022/docs.md

@@ -1,8 +1,9 @@
 
-Encryption using AWS keys provides protection for your DocumentDB underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys.
+Using AWS managed keys does not allow for fine grained control. Encryption using AWS keys provides protection for your DocumentDB underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys.
+
 
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/dynamodb/AVD-AWS-0023/docs.md

@@ -1,8 +1,9 @@
 
-Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.
+Data can be freely read if compromised. Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.
+
 
 ### Impact
-Data can be freely read if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/dynamodb/AVD-AWS-0024/docs.md

@@ -1,10 +1,10 @@
 
 DynamoDB tables should be protected against accidentally or malicious write/delete actions by ensuring that there is adequate protection.
-
 By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.
 
+
 ### Impact
-Accidental or malicious writes and deletes can't be rolled back
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/dynamodb/AVD-AWS-0025/docs.md

@@ -1,8 +1,9 @@
 
-DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.
+Using AWS managed keys does not allow for fine grained control. DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.
+
 
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/aws/codebuild/enable_encryption.go

@@ -34,7 +34,8 @@ var CheckEnableEncryption = rules.Register(
 			Links:               cloudFormationEnableEncryptionLinks,
 			RemediationMarkdown: cloudFormationEnableEncryptionRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, project := range s.AWS.CodeBuild.Projects {

checks/cloud/aws/codebuild/enable_encryption.rego

@@ -0,0 +1,49 @@
+# METADATA
+# title: CodeBuild Project artifacts encryption should not be disabled
+# description: |
+#   All artifacts produced by your CodeBuild project pipeline should always be encrypted
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-artifacts.html
+#   - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
+# custom:
+#   id: AVD-AWS-0018
+#   avd_id: AVD-AWS-0018
+#   provider: aws
+#   service: codebuild
+#   severity: HIGH
+#   short_code: enable-encryption
+#   recommended_action: Enable encryption for CodeBuild project artifacts
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: codebuild
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_disabled
+#     good_examples: checks/cloud/aws/codebuild/enable_encryption.tf.go
+#     bad_examples: checks/cloud/aws/codebuild/enable_encryption.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/codebuild/enable_encryption.cf.go
+#     bad_examples: checks/cloud/aws/codebuild/enable_encryption.cf.go
+package builtin.aws.codebuild.aws0018
+
+import rego.v1
+
+deny contains res if {
+	some project in input.aws.codebuild.projects
+	encryptionenabled := project.artifactsettings.encryptionenabled
+	not encryptionenabled.value
+	res := result.new("Encryption is not enabled for project artifacts.", encryptionenabled)
+}
+
+deny contains res if {
+	some project in input.aws.codebuild.projects
+	some setting in project.secondaryartifactsettings
+	not setting.encryptionenabled.value
+	res := result.new("Encryption is not enabled for secondary project artifacts.", setting.encryptionenabled)
+}

checks/cloud/aws/codebuild/enable_encryption_test.rego

@@ -0,0 +1,24 @@
+package builtin.aws.codebuild.aws0018_test
+
+import rego.v1
+
+import data.builtin.aws.codebuild.aws0018 as check
+import data.lib.test
+
+test_allow_artifact_settings_with_encryption if {
+	test.assert_empty(check.deny) with input as build_input({"artifactsettings": {"encryptionenabled": {"value": true}}})
+}
+
+test_allow_secondary_artifact_settings_with_encryption if {
+	test.assert_empty(check.deny) with input as build_input({"secondaryartifactsettings": [{"encryptionenabled": {"value": true}}]})
+}
+
+test_disallow_artifact_settings_without_encryption if {
+	test.assert_equal_message("Encryption is not enabled for project artifacts.", check.deny) with input as build_input({"artifactsettings": {"encryptionenabled": {"value": false}}})
+}
+
+test_disallow_secondary_artifact_settings_without_encryption if {
+	test.assert_equal_message("Encryption is not enabled for secondary project artifacts.", check.deny) with input as build_input({"secondaryartifactsettings": [{"encryptionenabled": {"value": false}}]})
+}
+
+build_input(project) := {"aws": {"codebuild": {"projects": [project]}}}

checks/cloud/aws/config/aggregate_all_regions.go

@@ -35,7 +35,8 @@ This will help limit the risk of any unmonitored configuration in regions that a
 			Links:               cloudFormationAggregateAllRegionsLinks,
 			RemediationMarkdown: cloudFormationAggregateAllRegionsRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		if s.AWS.Config.ConfigurationAggregrator.Metadata.IsUnmanaged() {

checks/cloud/aws/config/aggregate_all_regions.rego

@@ -0,0 +1,42 @@
+# METADATA
+# title: Config configuration aggregator should be using all regions for source
+# description: |
+#   Sources that aren't covered by the aggregator are not include in the configuration. The configuration aggregator should be configured with all_regions for the source.
+#   This will help limit the risk of any unmonitored configuration in regions that are thought to be unused.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
+# custom:
+#   id: AVD-AWS-0019
+#   avd_id: AVD-AWS-0019
+#   provider: aws
+#   service: config
+#   severity: HIGH
+#   short_code: aggregate-all-regions
+#   recommended_action: Set the aggregator to cover all regions
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: config
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator#all_regions
+#     good_examples: checks/cloud/aws/config/aggregate_all_regions.tf.go
+#     bad_examples: checks/cloud/aws/config/aggregate_all_regions.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/config/aggregate_all_regions.cf.go
+#     bad_examples: checks/cloud/aws/config/aggregate_all_regions.cf.go
+package builtin.aws.config.aws0019
+
+import rego.v1
+
+deny contains res if {
+	cfg_aggregator := input.aws.config.configurationaggregrator
+	cfg_aggregator.__defsec_metadata.managed
+	not cfg_aggregator.sourceallregions.value
+	res := result.new("Configuration aggregation is not set to source from all regions.", cfg_aggregator.sourceallregions)
+}