// CheckEnableVolumeEncryption is the AVD-AWS-0026 rule: every managed EBS
// volume whose Encryption.Enabled attribute is explicitly false is reported
// as a High-severity finding; every other managed volume is recorded as a
// pass. Volumes reported as unmanaged are skipped entirely.
//
// NOTE(review): only an explicitly false value is flagged, so a volume whose
// encryption flag cannot be resolved from the input (unknown/unresolvable)
// presumably lands in the passed branch — confirm against the library's
// IsFalse() semantics if that is not the intended default.
var CheckEnableVolumeEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0026",
		Provider:    providers.AWSProvider,
		Service:     "ebs",
		ShortCode:   "enable-volume-encryption",
		Severity:    severity.High,
		Summary:     "EBS volumes must be encrypted",
		Impact:      "Unencrypted sensitive data is vulnerable to compromise.",
		Resolution:  "Enable encryption of EBS volumes",
		Explanation: `By enabling encryption on EBS volumes you protect the volume, the disk I/O and any derived snapshots from compromise if intercepted.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableVolumeEncryptionGoodExamples,
			BadExamples:         terraformEnableVolumeEncryptionBadExamples,
			Links:               terraformEnableVolumeEncryptionLinks,
			RemediationMarkdown: terraformEnableVolumeEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableVolumeEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableVolumeEncryptionBadExamples,
			Links:               cloudFormationEnableVolumeEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableVolumeEncryptionRemediationMarkdown,
		},
	},
	// Evaluate the rule against every EBS volume in the scanned state.
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, vol := range st.AWS.EBS.Volumes {
			// Unmanaged volumes carry no trustworthy attributes to judge.
			if vol.IsUnmanaged() {
				continue
			}
			switch {
			case vol.Encryption.Enabled.IsFalse():
				// The attribute itself is attached so the finding points at
				// the exact line that disables encryption.
				results.Add("EBS volume is not encrypted.", vol.Encryption.Enabled)
			default:
				results.AddPassed(&vol)
			}
		}
		return results
	},
)
// CheckEncryptionCustomerKey is the AVD-AWS-0027 rule: every managed EBS
// volume whose Encryption.KMSKeyID attribute is empty is reported as a
// Low-severity finding; every other managed volume is recorded as a pass.
// Volumes reported as unmanaged are skipped entirely.
//
// The check is purely presence-based: any non-empty key reference passes,
// and nothing here verifies that the referenced key is actually
// customer-managed rather than an AWS-managed key, so a reference to an
// AWS-owned alias would presumably also pass. A volume with encryption
// disabled altogether has no key and is flagged by this rule as well as by
// CheckEnableVolumeEncryption.
var CheckEncryptionCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0027",
		Provider:    providers.AWSProvider,
		Service:     "ebs",
		ShortCode:   "encryption-customer-key",
		Severity:    severity.Low,
		Summary:     "EBS volume encryption should use Customer Managed Keys",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Enable encryption using customer managed keys",
		Explanation: `Encryption using AWS keys provides protection for your EBS volume. To increase control of the encryption and manage factors like rotation use customer managed keys.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptionCustomerKeyGoodExamples,
			BadExamples:         terraformEncryptionCustomerKeyBadExamples,
			Links:               terraformEncryptionCustomerKeyLinks,
			RemediationMarkdown: terraformEncryptionCustomerKeyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptionCustomerKeyGoodExamples,
			BadExamples:         cloudFormationEncryptionCustomerKeyBadExamples,
			Links:               cloudFormationEncryptionCustomerKeyLinks,
			RemediationMarkdown: cloudFormationEncryptionCustomerKeyRemediationMarkdown,
		},
	},
	// Evaluate the rule against every EBS volume in the scanned state.
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, vol := range st.AWS.EBS.Volumes {
			// Unmanaged volumes carry no trustworthy attributes to judge.
			if vol.IsUnmanaged() {
				continue
			}
			switch {
			case vol.Encryption.KMSKeyID.IsEmpty():
				// Attach the key attribute so the finding points at the
				// place where a customer-managed key should be referenced.
				results.Add("EBS volume does not use a customer-managed KMS key.", vol.Encryption.KMSKeyID)
			default:
				results.AddPassed(&vol)
			}
		}
		return results
	},
)