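// CheckEnableTopicEncryption flags SNS topics that have no KMS key ID set for
// server-side encryption (AVD-AWS-0095). A topic passes as soon as any KMS key
// ID is configured; whether that key is customer managed is evaluated
// separately by CheckTopicEncryptionUsesCMK.
var CheckEnableTopicEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0095",
		Provider:    providers.AWSProvider,
		Service:     "sns",
		ShortCode:   "enable-topic-encryption",
		Summary:     "Unencrypted SNS topic.",
		Impact:      "The SNS topic messages could be read if compromised",
		Resolution:  "Turn on SNS Topic encryption",
		Explanation: `Topics should be encrypted to protect their contents.`,
		Links: []string{
			"https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableTopicEncryptionGoodExamples,
			BadExamples:         terraformEnableTopicEncryptionBadExamples,
			Links:               terraformEnableTopicEncryptionLinks,
			RemediationMarkdown: terraformEnableTopicEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableTopicEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableTopicEncryptionBadExamples,
			Links:               cloudFormationEnableTopicEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableTopicEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Returns one failed result per topic whose KMS key ID is empty and one
	// passed result for every other topic.
	func(s *state.State) (results scan.Results) {
		topics := s.AWS.SNS.Topics
		// Iterate by index and point at the slice element. Taking &topic of a
		// range variable would, on toolchains before Go 1.22, hand every passed
		// result the same pointer to the final iteration's copy.
		for i := range topics {
			topic := &topics[i]
			if topic.Encryption.KMSKeyID.IsEmpty() {
				results.Add(
					"Topic does not have encryption enabled.",
					topic.Encryption.KMSKeyID,
				)
				continue
			}
			results.AddPassed(topic)
		}
		return
	},
)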
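// CheckTopicEncryptionUsesCMK flags SNS topics whose KMS key ID is exactly the
// AWS-managed alias "alias/aws/sns" (AVD-AWS-0136). Every other value,
// including an empty key ID, passes this rule; unencrypted topics are reported
// by CheckEnableTopicEncryption instead.
var CheckTopicEncryptionUsesCMK = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0136",
		ShortCode:   "topic-encryption-use-cmk",
		Summary:     "SNS topic not encrypted with CMK.",
		Explanation: `Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.`,
		Impact:      "Key management very limited when using default keys.",
		Resolution:  "Use a CMK for SNS Topic encryption",
		Provider:    providers.AWSProvider,
		Service:     "sns",
		Links: []string{
			"https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html",
		},
		Severity: severity.High,
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformTopicEncryptionUsesCMKGoodExamples,
			BadExamples:         terraformTopicEncryptionUsesCMKBadExamples,
			Links:               terraformTopicEncryptionUsesCMKLinks,
			RemediationMarkdown: terraformTopicEncryptionUsesCMKRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationTopicEncryptionUsesCMKGoodExamples,
			BadExamples:         cloudFormationTopicEncryptionUsesCMKBadExamples,
			Links:               cloudFormationTopicEncryptionUsesCMKLinks,
			RemediationMarkdown: cloudFormationTopicEncryptionUsesCMKRemediationMarkdown,
		},
	},
	// Returns one failed result per topic keyed by the AWS-managed alias and
	// one passed result for every other topic.
	func(s *state.State) (results scan.Results) {
		topics := s.AWS.SNS.Topics
		// Iterate by index and point at the slice element. Taking &topic of a
		// range variable would, on toolchains before Go 1.22, hand every passed
		// result the same pointer to the final iteration's copy.
		for i := range topics {
			topic := &topics[i]
			// NOTE(review): only the bare alias string is recognised as the
			// AWS-managed key; a key given as an ARN or key ID is treated as
			// customer managed here — confirm whether the ARN form of the
			// default alias should also be matched.
			if topic.Encryption.KMSKeyID.EqualTo("alias/aws/sns") {
				results.Add(
					"Topic encryption does not use a customer managed key.",
					topic.Encryption.KMSKeyID,
				)
				continue
			}
			results.AddPassed(topic)
		}
		return
	},
)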