// CheckEnableContainerInsight registers AVD-AWS-0034: every ECS cluster whose
// Container Insights setting is known to be false is reported as a failure;
// any other value (true, or not resolvable to false) is recorded as a pass.
// Container Insights is what feeds CloudWatch with per-cluster metrics and
// logs, so a disabled setting reduces the telemetry available for monitoring.
var CheckEnableContainerInsight = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0034",
		Provider:    providers.AWSProvider,
		Service:     "ecs",
		ShortCode:   "enable-container-insight",
		Summary:     "ECS clusters should have container insights enabled",
		Impact:      "Not all metrics and logs may be gathered for containers when Container Insights isn't enabled",
		Resolution:  "Enable Container Insights",
		Explanation: `Cloudwatch Container Insights provide more metrics and logs for container based applications and micro services.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableContainerInsightGoodExamples,
			BadExamples:         terraformEnableContainerInsightBadExamples,
			Links:               terraformEnableContainerInsightLinks,
			RemediationMarkdown: terraformEnableContainerInsightRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableContainerInsightGoodExamples,
			BadExamples:         cloudFormationEnableContainerInsightBadExamples,
			Links:               cloudFormationEnableContainerInsightLinks,
			RemediationMarkdown: cloudFormationEnableContainerInsightRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// The check walks every ECS cluster in the scanned state and attaches the
	// result to the ContainerInsightsEnabled attribute so the finding points at
	// the exact setting to change.
	func(st *state.State) (results scan.Results) {
		for _, cluster := range st.AWS.ECS.Clusters {
			insights := cluster.Settings.ContainerInsightsEnabled
			if !insights.IsFalse() {
				// Not known to be disabled: record the cluster as passing.
				results.AddPassed(&cluster)
				continue
			}
			results.Add(
				"Cluster does not have container insights enabled.",
				insights,
			)
		}
		return results
	},
)
// CheckEnableInTransitEncryption registers AVD-AWS-0035: every EFS-backed
// volume on an ECS task definition whose TransitEncryptionEnabled setting is
// known to be false is reported as a failure; any other value is recorded as
// a pass. Without transit encryption, traffic between the task and EFS can be
// read or altered on the network path.
var CheckEnableInTransitEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0035",
		Provider:    providers.AWSProvider,
		Service:     "ecs",
		ShortCode:   "enable-in-transit-encryption",
		Summary:     "ECS Task Definitions with EFS volumes should use in-transit encryption",
		Impact:      "Intercepted traffic to and from EFS may lead to data loss",
		Resolution:  "Enable in transit encryption when using efs",
		Explanation: `ECS task definitions that have volumes using EFS configuration should explicitly enable in transit encryption to prevent the risk of data loss due to interception.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonECS/latest/userguide/efs-volumes.html",
			"https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableInTransitEncryptionGoodExamples,
			BadExamples:         terraformEnableInTransitEncryptionBadExamples,
			Links:               terraformEnableInTransitEncryptionLinks,
			RemediationMarkdown: terraformEnableInTransitEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableInTransitEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableInTransitEncryptionBadExamples,
			Links:               cloudFormationEnableInTransitEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableInTransitEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// One result is produced per volume, not per task definition, so a
	// definition mixing encrypted and unencrypted EFS volumes yields both
	// failures and passes. Volumes are evaluated through their
	// EFSVolumeConfiguration regardless of volume kind; presumably a
	// non-EFS volume carries an unset value that does not resolve to false
	// and therefore passes — confirm against the state model.
	func(st *state.State) (results scan.Results) {
		for _, td := range st.AWS.ECS.TaskDefinitions {
			for _, vol := range td.Volumes {
				transit := vol.EFSVolumeConfiguration.TransitEncryptionEnabled
				if !transit.IsFalse() {
					results.AddPassed(&vol)
					continue
				}
				results.Add(
					"Task definition includes a volume which does not have in-transit-encryption enabled.",
					transit,
				)
			}
		}
		return results
	},
)
// CheckNoPlaintextSecrets registers AVD-AWS-0036: environment variables in
// ECS container definitions are inspected for secret-like values (via the
// squealer string scanner) and for secret-like names (via
// security.IsSensitiveAttribute). Either condition produces a Critical
// finding anchored on the task definition's ContainerDefinitions attribute.
// The reported message carries the variable name and the scanner's
// description only; the variable's value is never echoed into results.
var CheckNoPlaintextSecrets = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0036",
		Provider:    providers.AWSProvider,
		Service:     "ecs",
		ShortCode:   "no-plaintext-secrets",
		Summary:     "Task definition defines sensitive environment variable(s).",
		Impact:      "Sensitive data could be exposed in the AWS Management Console",
		Resolution:  "Use secrets for the task definition",
		Explanation: `You should not make secrets available to a user in plaintext in any scenario. Secrets can instead be pulled from a secure secret storage system by the service requiring them.`,
		Links: []string{
			"https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html",
			"https://www.vaultproject.io/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPlaintextSecretsGoodExamples,
			BadExamples:         terraformNoPlaintextSecretsBadExamples,
			Links:               terraformNoPlaintextSecretsLinks,
			RemediationMarkdown: terraformNoPlaintextSecretsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPlaintextSecretsGoodExamples,
			BadExamples:         cloudFormationNoPlaintextSecretsBadExamples,
			Links:               cloudFormationNoPlaintextSecretsLinks,
			RemediationMarkdown: cloudFormationNoPlaintextSecretsRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Coverage caveats a reviewer should keep in mind:
	//   - A task definition whose container definitions cannot be parsed by
	//     readEnvVarsFromContainerDefinitions is skipped outright: it yields
	//     neither a failure nor a pass, so it is silently unscanned.
	//   - Passes are recorded once per benign variable (and never for a
	//     definition with no variables), so one definition may carry both
	//     failures and several passes. Presumably downstream consumers
	//     tolerate the duplicates — confirm.
	//   - When only the name matches, match.Description may be empty and the
	//     message will end in ": ".
	func(st *state.State) (results scan.Results) {
		scanner := squealer.NewStringScanner()
		for _, td := range st.AWS.ECS.TaskDefinitions {
			envVars, err := readEnvVarsFromContainerDefinitions(td.ContainerDefinitions.Value())
			if err != nil {
				continue
			}
			for name, value := range envVars {
				match := scanner.Scan(value)
				// Same short-circuit as the original: the name check only runs
				// when the value scan found nothing.
				if !match.TransgressionFound && !security.IsSensitiveAttribute(name) {
					results.AddPassed(&td)
					continue
				}
				results.Add(
					fmt.Sprintf("Container definition contains a potentially sensitive environment variable '%s': %s", name, match.Description),
					td.ContainerDefinitions,
				)
			}
		}
		return results
	},
)