aquasecurity · simar7 · Oct 16, 2024 · Oct 1, 2024
@@ -33,16 +33,24 @@ package builtin.aws.apigateway.aws0001
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some stage in input.aws.apigateway.v1.apis[_].stages
 	not logging_is_configured(stage)
-	res := result.new("Access logging is not configured.", stage.accesslogging.cloudwatchloggrouparn)
+	res := result.new(
+		"Access logging is not configured.",
+		metadata.obj_by_path(stage, ["accesslogging", "cloudwatchloggrouparn"]),
+	)
 }
 
 deny contains res if {
 	some stage in input.aws.apigateway.v2.apis[_].stages
 	not logging_is_configured(stage)
-	res := result.new("Access logging is not configured.", stage.accesslogging.cloudwatchloggrouparn)
+	res := result.new(
+		"Access logging is not configured.",
+		metadata.obj_by_path(stage, ["accesslogging", "cloudwatchloggrouparn"]),
+	)
 }
 
 logging_is_configured(stage) if {

@@ -30,6 +30,8 @@ package builtin.aws.apigateway.aws0190
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some api in input.aws.apigateway.v1.apis
 	isManaged(api)
@@ -40,6 +42,6 @@ deny contains res if {
 	not settings.cacheenabled.value
 	res := result.new(
 		"Cache data is not enabled.",
-		object.get(settings, "cacheenabled", settings),
+		metadata.obj_by_path(settings, ["cacheenabled"]),
 	)
 }
@@ -28,6 +28,8 @@ package builtin.aws.apigateway.aws0002
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some api in input.aws.apigateway.v1.apis
 	isManaged(api)
@@ -37,8 +39,9 @@ deny contains res if {
 	isManaged(settings)
 	settings.cacheenabled.value
 	not settings.cachedataencrypted.value
+
 	res := result.new(
 		"Cache data is not encrypted.",
-		object.get(settings, "cachedataencrypted", settings),
+		metadata.obj_by_path(settings, ["cachedataencrypted"]),
 	)
 }
@@ -28,6 +28,8 @@ package builtin.aws.apigateway.aws0003
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some api in input.aws.apigateway.v1.apis
 	isManaged(api)
@@ -36,6 +38,6 @@ deny contains res if {
 	not stage.xraytracingenabled.value
 	res := result.new(
 		"X-Ray tracing is not enabled.",
-		object.get(stage, "xraytracingenabled", stage),
+		metadata.obj_by_path(stage, ["xraytracingenabled"]),
 	)
 }
@@ -30,12 +30,14 @@ package builtin.aws.apigateway.aws0005
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some domain in input.aws.apigateway.v1.domainnames
 	not is_tls_1_2(domain)
 	res := result.new(
 		"Domain name is configured with an outdated TLS policy.",
-		object.get(domain, "securitypolicy", domain),
+		metadata.obj_by_path(domain, "securitypolicy"),
 	)
 }
 
@@ -44,7 +46,7 @@ deny contains res if {
 	not is_tls_1_2(domain)
 	res := result.new(
 		"Domain name is configured with an outdated TLS policy.",
-		object.get(domain, "securitypolicy", domain),
+		metadata.obj_by_path(domain, "securitypolicy"),
 	)
 }
 

@@ -34,20 +34,28 @@ package builtin.aws.athena.aws0006
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 encryption_type_none := ""
 
 deny contains res if {
 	some workgroup in input.aws.athena.workgroups
-	is_encryption_type_none(workgroup.encryption)
-	res := result.new("Workgroup does not have encryption configured.", workgroup)
+	not is_encrypted(workgroup)
+	res := result.new(
+		"Workgroup does not have encryption configured.",
+		metadata.obj_by_path(workgroup, ["encryption", "type"]),
+	)
 }
 
 deny contains res if {
 	some database in input.aws.athena.databases
-	is_encryption_type_none(database.encryption)
-	res := result.new("Database does not have encryption configured.", database)
+	not is_encrypted(database)
+	res := result.new(
+		"Database does not have encryption configured.",
+		metadata.obj_by_path(database, ["encryption", "type"]),
+	)
 }
 
-is_encryption_type_none(encryption) if {
-	encryption.type.value == encryption_type_none
+is_encrypted(obj) if {
+	obj.encryption.type.value != encryption_type_none
 }
@@ -33,8 +33,13 @@ package builtin.aws.athena.aws0007
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some workgroup in input.aws.athena.workgroups
 	not workgroup.enforceconfiguration.value
-	res := result.new("The workgroup configuration is not enforced.", workgroup.enforceconfiguration)
+	res := result.new(
+		"The workgroup configuration is not enforced.",
+		metadata.obj_by_path(workgroup, ["enforceconfiguration"]),
+	)
 }
@@ -33,12 +33,14 @@ package builtin.aws.cloudfront.aws0010
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some dist in input.aws.cloudfront.distributions
 	not has_logging_bucket(dist)
 	res := result.new(
 		"Distribution does not have logging enabled",
-		object.get(dist, ["logging", "bucket"], dist),
+		metadata.obj_by_path(dist, ["logging", "bucket"]),
 	)
 }
 

@@ -39,13 +39,15 @@ import rego.v1
 
 protocol_version_tls1_2_2021 = "TLSv1.2_2021"
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some dist in input.aws.cloudfront.distributions
 	not dist.viewercertificate.cloudfrontdefaultcertificate.value
 	not is_tls_1_2(dist)
 	res := result.new(
 		"Distribution allows unencrypted communications.",
-		object.get(dist, ["viewercertificate", "minimumprotocolversion"], dist),
+		metadata.obj_by_path(dist, ["viewercertificate", "minimumprotocolversion"]),
 	)
 }
 

@@ -38,8 +38,13 @@ package builtin.aws.cloudtrail.aws0014
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
 	not trail.ismultiregion.value
-	res := result.new("Trail is not enabled across all regions.", trail.ismultiregion)
+	res := result.new(
+		"Trail is not enabled across all regions.",
+		metadata.obj_by_path(trail, ["ismultiregion"]),
+	)
 }
@@ -33,8 +33,13 @@ package builtin.aws.cloudtrail.aws0016
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
 	not trail.enablelogfilevalidation.value
-	res := result.new("Trail does not have log validation enabled.", trail.enablelogfilevalidation)
+	res := result.new(
+		"Trail does not have log validation enabled.",
+		metadata.obj_by_path(trail, ["enablelogfilevalidation"]),
+	)
 }
@@ -36,8 +36,15 @@ package builtin.aws.cloudtrail.aws0015
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
-	trail.kmskeyid.value == ""
-	res := result.new("CloudTrail does not use a customer managed key to encrypt the logs.", trail.kmskeyid)
+	not use_cms(trail)
+	res := result.new(
+		"CloudTrail does not use a customer managed key to encrypt the logs.",
+		metadata.obj_by_path(trail, ["kmskeyid"]),
+	)
 }
+
+use_cms(trail) if trail.kmskeyid.value != ""
@@ -46,8 +46,15 @@ package builtin.aws.cloudtrail.aws0162
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
-	trail.cloudwatchlogsloggrouparn.value == ""
-	res := result.new("Trail does not have CloudWatch logging configured", trail)
+	not is_logging_configured(trail)
+	res := result.new(
+		"Trail does not have CloudWatch logging configured",
+		metadata.obj_by_path(trail, ["cloudwatchlogsloggrouparn"]),
+	)
 }
+
+is_logging_configured(trail) if trail.cloudwatchlogsloggrouparn.value != ""
@@ -42,6 +42,8 @@ package builtin.aws.cloudtrail.aws0163
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some trail in input.aws.cloudtrail.trails
 	trail.bucketname.value != ""
@@ -50,5 +52,8 @@ deny contains res if {
 	bucket.name.value == trail.bucketname.value
 	not bucket.logging.enabled.value
 
-	res := result.new("Trail S3 bucket does not have logging enabled", bucket)
+	res := result.new(
+		"Trail S3 bucket does not have logging enabled",
+		metadata.obj_by_path(bucket, ["name"]),
+	)
 }
@@ -33,8 +33,15 @@ package builtin.aws.cloudwatch.aws0017
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some group in input.aws.cloudwatch.loggroups
-	group.kmskeyid.value == ""
-	res := result.new("Log group is not encrypted.", group)
+	not has_cms(group)
+	res := result.new(
+		"Log group is not encrypted.",
+		metadata.obj_by_path(group, ["kmskeyid"]),
+	)
 }
+
+has_cms(group) if group.kmskeyid.value != ""
@@ -34,16 +34,25 @@ package builtin.aws.codebuild.aws0018
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some project in input.aws.codebuild.projects
-	encryptionenabled := project.artifactsettings.encryptionenabled
-	not encryptionenabled.value
-	res := result.new("Encryption is not enabled for project artifacts.", encryptionenabled)
+	not is_encryption_enabled(project.artifactsettings)
+	res := result.new(
+		"Encryption is not enabled for project artifacts.",
+		metadata.obj_by_path(project, ["artifactsettings", "encryptionenabled"]),
+	)
 }
 
+is_encryption_enabled(settings) if settings.encryptionenabled.value
+
 deny contains res if {
 	some project in input.aws.codebuild.projects
 	some setting in project.secondaryartifactsettings
-	not setting.encryptionenabled.value
-	res := result.new("Encryption is not enabled for secondary project artifacts.", setting.encryptionenabled)
+	not is_encryption_enabled(setting)
+	res := result.new(
+		"Encryption is not enabled for secondary project artifacts.",
+		metadata.obj_by_path(setting, ["encryptionenabled"]),
+	)
 }
@@ -34,9 +34,14 @@ package builtin.aws.config.aws0019
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	cfg_aggregator := input.aws.config.configurationaggregrator
-	cfg_aggregator.__defsec_metadata.managed
+	isManaged(cfg_aggregator)
 	not cfg_aggregator.sourceallregions.value
-	res := result.new("Configuration aggregation is not set to source from all regions.", cfg_aggregator.sourceallregions)
+	res := result.new(
+		"Configuration aggregation is not set to source from all regions.",
+		metadata.obj_by_path(cfg_aggregator, ["sourceallregions"]),
+	)
 }
@@ -33,8 +33,13 @@ package builtin.aws.documentdb.aws0021
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.aws.documentdb.clusters
 	not cluster.storageencrypted.value
-	res := result.new("Cluster storage does not have encryption enabled.", cluster.storageencrypted)
+	res := result.new(
+		"Cluster storage does not have encryption enabled.",
+		metadata.obj_by_path(cluster, ["storageencrypted"]),
+	)
 }
@@ -33,17 +33,27 @@ package builtin.aws.documentdb.aws0022
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
 	some cluster in input.aws.documentdb.clusters
-	cluster.kmskeyid.value == ""
-
-	res := result.new("Cluster encryption does not use a customer-managed KMS key.", cluster)
+	isManaged(cluster)
+	not has_cms(cluster)
+	res := result.new(
+		"Cluster encryption does not use a customer-managed KMS key.",
+		metadata.obj_by_path(cluster, ["kmskeyid"]),
+	)
 }
 
 deny contains res if {
 	some cluster in input.aws.documentdb.clusters
 	some instance in cluster.instances
-	instance.kmskeyid.value == ""
-
-	res := result.new("Instance encryption does not use a customer-managed KMS key.", cluster)
+	isManaged(instance)
+	not has_cms(instance)
+	res := result.new(
+		"Instance encryption does not use a customer-managed KMS key.",
+		metadata.obj_by_path(instance, ["kmskeyid"]),
+	)
 }
+
+has_cms(obj) if obj.kmskeyid.value != ""