// CheckEnableAtRestEncryption registers rule AVD-AWS-0023. It inspects every
// managed DAX cluster in the AWS state and records a failure when the cluster's
// ServerSideEncryption.Enabled value resolves to false; any other managed
// cluster is recorded as passed. Unmanaged clusters are skipped entirely.
var CheckEnableAtRestEncryption = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0023",
		Provider:    provider.AWSProvider,
		Service:     "dynamodb",
		ShortCode:   "enable-at-rest-encryption",
		Summary:     "DAX Cluster should always encrypt data at rest",
		Impact:      "Data can be freely read if compromised",
		Resolution:  "Enable encryption at rest for DAX Cluster",
		Explanation: `Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html",
			"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dax-cluster.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) rules.Results {
		var results rules.Results
		for _, dax := range s.AWS.DynamoDB.DAXClusters {
			// Nothing to evaluate on a cluster the state does not manage.
			if !dax.IsManaged() {
				continue
			}
			encrypted := dax.ServerSideEncryption.Enabled
			// The check is IsFalse rather than !IsTrue, so presumably an
			// unresolved/unknown value is not reported — verify against the
			// value type's semantics if that matters for your policy.
			if !encrypted.IsFalse() {
				// NOTE(review): &dax is the address of the range variable,
				// which is shared across iterations before Go 1.22; safe only
				// if AddPassed does not retain the pointer — confirm.
				results.AddPassed(&dax)
				continue
			}
			results.Add(
				"Cluster encryption is not enabled.",
				encrypted,
			)
		}
		return results
	},
)
// CheckEnableRecovery registers rule AVD-AWS-0024. It walks the managed DAX
// clusters in the AWS state and records a failure for each one whose
// PointInTimeRecovery value resolves to false; other managed clusters are
// recorded as passed and unmanaged clusters are skipped.
//
// NOTE(review): the summary and impact text speak of DynamoDB tables, yet only
// s.AWS.DynamoDB.DAXClusters is inspected here. If tables are modelled
// separately in this version of the state, they are not covered by this check
// — confirm before relying on it for table-level PITR coverage.
var CheckEnableRecovery = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0024",
		Provider:    provider.AWSProvider,
		Service:     "dynamodb",
		ShortCode:   "enable-recovery",
		Summary:     "Point in time recovery should be enabled to protect DynamoDB table",
		Impact:      "Accidental or malicious writes and deletes can't be rolled back",
		Resolution:  "Enable point in time recovery",
		Explanation: `DynamoDB tables should be protected against accidentally or malicious write/delete actions by ensuring that there is adequate protection. By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery.html",
		},
		Severity: severity.Medium,
	},
	func(s *state.State) rules.Results {
		var results rules.Results
		for _, dax := range s.AWS.DynamoDB.DAXClusters {
			if !dax.IsManaged() {
				continue
			}
			pitr := dax.PointInTimeRecovery
			// Only an explicit false is a finding (IsFalse, not !IsTrue);
			// presumably an unresolved value passes through unreported — verify.
			if !pitr.IsFalse() {
				// NOTE(review): &dax points at the range variable, shared across
				// iterations before Go 1.22; fine only if AddPassed does not
				// keep the pointer — confirm.
				results.AddPassed(&dax)
				continue
			}
			results.Add(
				"Point-in-time recovery is not enabled.",
				pitr,
			)
		}
		return results
	},
)
// CheckTableCustomerKey registers rule AVD-AWS-0025. It inspects the managed
// DAX clusters in the AWS state and records a failure for each one whose
// ServerSideEncryption.KMSKeyID is empty; clusters with a non-empty key id are
// recorded as passed and unmanaged clusters are skipped.
//
// NOTE(review): despite the "table-customer-key" short code and table-oriented
// summary, only s.AWS.DynamoDB.DAXClusters is examined here — confirm whether
// tables are modelled elsewhere in this state version. Also note that any
// non-empty KMSKeyID passes; nothing here verifies that the referenced key is
// actually customer-managed rather than an AWS-managed key reference.
var CheckTableCustomerKey = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0025",
		Provider:    provider.AWSProvider,
		Service:     "dynamodb",
		ShortCode:   "table-customer-key",
		Summary:     "DynamoDB tables should use at rest encryption with a Customer Managed Key",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Enable server side encryption with a customer managed key",
		Explanation: `DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html",
		},
		Severity: severity.Low,
	},
	func(s *state.State) rules.Results {
		var results rules.Results
		for _, dax := range s.AWS.DynamoDB.DAXClusters {
			if !dax.IsManaged() {
				continue
			}
			keyID := dax.ServerSideEncryption.KMSKeyID
			if !keyID.IsEmpty() {
				// NOTE(review): &dax is the address of the range variable,
				// shared across iterations before Go 1.22; safe only if
				// AddPassed does not retain the pointer — confirm.
				results.AddPassed(&dax)
				continue
			}
			results.Add(
				"Cluster encryption does not use a customer-managed KMS key.",
				keyID,
			)
		}
		return results
	},
)