Variables ¶
// CheckAddDescriptionForSecurityGroup (AVD-AWS-0049) reports ElastiCache
// security groups that carry no description. A description records why a
// firewall rule exists, which is what an auditor needs when reviewing it.
var CheckAddDescriptionForSecurityGroup = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0049",
		Provider:    providers.AWSProvider,
		Service:     "elasticache",
		ShortCode:   "add-description-for-security-group",
		Summary:     "Missing description for security group/security group rule.",
		Impact:      "Descriptions provide context for the firewall rule reasons",
		Resolution:  "Add descriptions for all security groups and rules",
		Explanation: `Security groups and security group rules should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SecurityGroups.Creating.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAddDescriptionForSecurityGroupGoodExamples,
			BadExamples:         terraformAddDescriptionForSecurityGroupBadExamples,
			Links:               terraformAddDescriptionForSecurityGroupLinks,
			RemediationMarkdown: terraformAddDescriptionForSecurityGroupRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationAddDescriptionForSecurityGroupGoodExamples,
			BadExamples:         cloudFormationAddDescriptionForSecurityGroupBadExamples,
			Links:               cloudFormationAddDescriptionForSecurityGroupLinks,
			RemediationMarkdown: cloudFormationAddDescriptionForSecurityGroupRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// Walk every ElastiCache security group in the scanned state; an empty
	// description is the single failing condition, anything else passes.
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, group := range s.AWS.ElastiCache.SecurityGroups {
			if !group.Description.IsEmpty() {
				// NOTE(review): &group is the address of the loop variable; on
				// go.mod versions before 1.22 all iterations share it, so this
				// relies on AddPassed consuming the value immediately — confirm.
				results.AddPassed(&group)
				continue
			}
			results.Add(
				"Security group does not have a description.",
				group.Description,
			)
		}
		return results
	},
)
// CheckEnableAtRestEncryption (AVD-AWS-0045) reports ElastiCache replication
// groups whose at-rest encryption attribute is false. Cached data frequently
// includes session or application secrets, so storage should be encrypted.
var CheckEnableAtRestEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0045",
		Provider:    providers.AWSProvider,
		Service:     "elasticache",
		ShortCode:   "enable-at-rest-encryption",
		Summary:     "Elasticache Replication Group stores unencrypted data at-rest.",
		Impact:      "At-rest data in the Replication Group could be compromised if accessed.",
		Resolution:  "Enable at-rest encryption for replication group",
		Explanation: `Data stored within an Elasticache replication node should be encrypted to ensure sensitive data is kept private.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
			Links:               terraformEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Only an attribute that resolves to an explicit false fails here.
	// NOTE(review): confirm how an unset or unresolvable value behaves in
	// IsFalse(); if it reads as "not false", unconfigured groups pass silently.
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, rg := range s.AWS.ElastiCache.ReplicationGroups {
			if !rg.AtRestEncryptionEnabled.IsFalse() {
				// NOTE(review): &rg aliases the loop variable on go.mod < 1.22;
				// relies on AddPassed consuming it immediately — confirm.
				results.AddPassed(&rg)
				continue
			}
			results.Add(
				"Replication group does not have at-rest encryption enabled.",
				rg.AtRestEncryptionEnabled,
			)
		}
		return results
	},
)
// CheckEnableBackupRetention (AVD-AWS-0050) reports Redis ElastiCache
// clusters whose snapshot retention limit is zero, i.e. no automatic backups
// are kept. Clusters running other engines, and cache.t1.micro nodes, are
// not evaluated.
var CheckEnableBackupRetention = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0050",
		Provider:    providers.AWSProvider,
		Service:     "elasticache",
		ShortCode:   "enable-backup-retention",
		Summary:     "Redis cluster should have backup retention turned on",
		Impact:      "Without backups of the redis cluster recovery is made difficult",
		Resolution:  "Configure snapshot retention for redis cluster",
		Explanation: `Redis clusters should have a snapshot retention time to ensure that they are backed up and can be restored if required.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-automatic.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableBackupRetentionGoodExamples,
			BadExamples:         terraformEnableBackupRetentionBadExamples,
			Links:               terraformEnableBackupRetentionLinks,
			RemediationMarkdown: terraformEnableBackupRetentionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableBackupRetentionGoodExamples,
			BadExamples:         cloudFormationEnableBackupRetentionBadExamples,
			Links:               cloudFormationEnableBackupRetentionLinks,
			RemediationMarkdown: cloudFormationEnableBackupRetentionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, cl := range s.AWS.ElastiCache.Clusters {
			// Out of scope: non-Redis engines and cache.t1.micro nodes. The
			// t1.micro exclusion is presumably because that node type cannot
			// take snapshots — verify against the AWS documentation. Both
			// checks are evaluated in the same order as before.
			if !cl.Engine.EqualTo("redis") || cl.NodeType.EqualTo("cache.t1.micro") {
				continue
			}
			// A retention limit of exactly 0 is the only failing value.
			if !cl.SnapshotRetentionLimit.EqualTo(0) {
				// NOTE(review): &cl aliases the loop variable on go.mod < 1.22;
				// relies on AddPassed consuming it immediately — confirm.
				results.AddPassed(&cl)
				continue
			}
			results.Add(
				"Cluster snapshot retention is not enabled.",
				cl.SnapshotRetentionLimit,
			)
		}
		return results
	},
)
// CheckEnableInTransitEncryption (AVD-AWS-0051) reports ElastiCache
// replication groups whose in-transit encryption attribute is false, leaving
// traffic between nodes and clients readable to anyone on the network path.
var CheckEnableInTransitEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0051",
		Provider:    providers.AWSProvider,
		Service:     "elasticache",
		ShortCode:   "enable-in-transit-encryption",
		Summary:     "Elasticache Replication Group uses unencrypted traffic.",
		Impact:      "In transit data in the Replication Group could be read if intercepted",
		Resolution:  "Enable in transit encryption for replication group",
		Explanation: `Traffic flowing between Elasticache replication nodes should be encrypted to ensure sensitive data is kept private.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableInTransitEncryptionGoodExamples,
			BadExamples:         terraformEnableInTransitEncryptionBadExamples,
			Links:               terraformEnableInTransitEncryptionLinks,
			RemediationMarkdown: terraformEnableInTransitEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableInTransitEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableInTransitEncryptionBadExamples,
			Links:               cloudFormationEnableInTransitEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableInTransitEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Only an attribute that resolves to an explicit false fails here.
	// NOTE(review): confirm how an unset or unresolvable value behaves in
	// IsFalse(); if it reads as "not false", unconfigured groups pass silently.
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, rg := range s.AWS.ElastiCache.ReplicationGroups {
			if !rg.TransitEncryptionEnabled.IsFalse() {
				// NOTE(review): &rg aliases the loop variable on go.mod < 1.22;
				// relies on AddPassed consuming it immediately — confirm.
				results.AddPassed(&rg)
				continue
			}
			results.Add(
				"Replication group does not have transit encryption enabled.",
				rg.TransitEncryptionEnabled,
			)
		}
		return results
	},
)
Source Files ¶
- add_description_for_security_group.cf.go
- add_description_for_security_group.go
- add_description_for_security_group.tf.go
- enable_at_rest_encryption.go
- enable_at_rest_encryption.tf.go
- enable_backup_retention.cf.go
- enable_backup_retention.go
- enable_backup_retention.tf.go
- enable_in_transit_encryption.cf.go
- enable_in_transit_encryption.go
- enable_in_transit_encryption.tf.go