refactor(checks): migrate AWS emr, kinesis, kms, lambda to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/aws/emr/AVD-AWS-0137/docs.md

@@ -1,8 +1,9 @@
 
 Data stored within an EMR cluster should be encrypted to ensure sensitive data is kept private.
 
+
 ### Impact
-At-rest data in the EMR cluster could be compromised if accessed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/emr/AVD-AWS-0138/docs.md

@@ -1,8 +1,9 @@
 
 Data stored within an EMR cluster should be encrypted to ensure sensitive data is kept private.
 
+
 ### Impact
-In-transit data in the EMR cluster could be compromised if accessed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/emr/AVD-AWS-0139/docs.md

@@ -1,8 +1,9 @@
 
 Data stored within an EMR instances should be encrypted to ensure sensitive data is kept private.
 
+
 ### Impact
-Local-disk data in the EMR cluster could be compromised if accessed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/kinesis/AVD-AWS-0064/docs.md

@@ -1,8 +1,9 @@
 
 Kinesis streams should be encrypted to ensure sensitive data is kept private. Additionally, non-default KMS keys should be used so granularity of access control can be ensured.
 
+
 ### Impact
-Intercepted data can be read in transit
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/kms/AVD-AWS-0065/docs.md

@@ -1,8 +1,9 @@
 
 You should configure your KMS keys to auto rotate to maintain security and defend against compromise.
 
+
 ### Impact
-Long life KMS keys increase the attack surface when compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/lambda/AVD-AWS-0066/docs.md

@@ -1,8 +1,9 @@
 
 X-Ray tracing enables end-to-end debugging and analysis of all function activity. This will allow for identifying bottlenecks, slow downs and timeouts.
 
+
 ### Impact
-Without full tracing enabled it is difficult to trace the flow of logs
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/lambda/AVD-AWS-0067/docs.md

@@ -1,12 +1,11 @@
 
-When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. 
-
-Without this, any resource from principal will be granted permission – even if that resource is from another account. 
-
+When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
+Without this, any resource from principal will be granted permission – even if that resource is from another account.
 For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API
 
+
 ### Impact
-Not providing the source ARN allows any resource from principal, even from other accounts
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/aws/emr/enable_at_rest_encryption.go

@@ -29,7 +29,8 @@ var CheckEnableAtRestEncryption = rules.Register(
 			Links:               terraformEnableAtRestEncryptionLinks,
 			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, conf := range s.AWS.EMR.SecurityConfiguration {

checks/cloud/aws/emr/enable_at_rest_encryption.rego

@@ -0,0 +1,38 @@
+# METADATA
+# title: Enable at-rest encryption for EMR clusters.
+# description: |
+#   Data stored within an EMR cluster should be encrypted to ensure sensitive data is kept private.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html
+# custom:
+#   id: AVD-AWS-0137
+#   avd_id: AVD-AWS-0137
+#   provider: aws
+#   service: emr
+#   severity: HIGH
+#   short_code: enable-at-rest-encryption
+#   recommended_action: Enable at-rest encryption for EMR cluster
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: emr
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/emr_security_configuration
+#     good_examples: checks/cloud/aws/emr/enable_at_rest_encryption.tf.go
+#     bad_examples: checks/cloud/aws/emr/enable_at_rest_encryption.tf.go
+package builtin.aws.emr.aws0137
+
+import rego.v1
+
+deny contains res if {
+	some sec_conf in input.aws.emr.securityconfiguration
+	vars := json.unmarshal(sec_conf.configuration.value)
+	vars.EncryptionConfiguration.EnableAtRestEncryption == false
+	res := result.new("EMR cluster does not have at-rest encryption enabled.", sec_conf.configuration)
+}

checks/cloud/aws/emr/enable_at_rest_encryption_test.rego

@@ -0,0 +1,18 @@
+package builtin.aws.emr.aws0137_test
+
+import rego.v1
+
+import data.builtin.aws.emr.aws0137 as check
+import data.lib.test
+
+test_allow_with_encryption if {
+	inp := {"aws": {"emr": {"securityconfiguration": [{"configuration": {"value": json.marshal({"EncryptionConfiguration": {"EnableAtRestEncryption": true}})}}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
+
+test_deny_without_encryption if {
+	inp := {"aws": {"emr": {"securityconfiguration": [{"configuration": {"value": json.marshal({"EncryptionConfiguration": {"EnableAtRestEncryption": false}})}}]}}}
+
+	test.assert_equal_message("EMR cluster does not have at-rest encryption enabled.", check.deny) with input as inp
+}

checks/cloud/aws/emr/enable_in_transit_encryption.go

@@ -29,7 +29,8 @@ var CheckEnableInTransitEncryption = rules.Register(
 			Links:               terraformEnableInTransitEncryptionLinks,
 			RemediationMarkdown: terraformEnableInTransitEncryptionRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, conf := range s.AWS.EMR.SecurityConfiguration {

checks/cloud/aws/emr/enable_in_transit_encryption.rego

@@ -0,0 +1,38 @@
+# METADATA
+# title: Enable in-transit encryption for EMR clusters.
+# description: |
+#   Data stored within an EMR cluster should be encrypted to ensure sensitive data is kept private.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html
+# custom:
+#   id: AVD-AWS-0138
+#   avd_id: AVD-AWS-0138
+#   provider: aws
+#   service: emr
+#   severity: HIGH
+#   short_code: enable-in-transit-encryption
+#   recommended_action: Enable in-transit encryption for EMR cluster
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: emr
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/emr_security_configuration
+#     good_examples: checks/cloud/aws/emr/enable_in_transit_encryption.tf.go
+#     bad_examples: checks/cloud/aws/emr/enable_in_transit_encryption.tf.go
+package builtin.aws.emr.aws0138
+
+import rego.v1
+
+deny contains res if {
+	some sec_conf in input.aws.emr.securityconfiguration
+	vars := json.unmarshal(sec_conf.configuration.value)
+	vars.EncryptionConfiguration.EnableInTransitEncryption == false
+	res := result.new("EMR cluster does not have in-transit encryption enabled.", sec_conf.configuration)
+}