// CheckAddDescriptionToSecurityGroup registers AVD-AWS-0083 (Low): every
// Redshift security group in the scanned state whose Description is empty is
// reported; groups that carry a description are recorded as passing.
//
// The finding is attached to the Description field so the reporter can point
// at the exact attribute that is missing.
var CheckAddDescriptionToSecurityGroup = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0083",
		Provider:    providers.AWSProvider,
		Service:     "redshift",
		ShortCode:   "add-description-to-security-group",
		Summary:     "Missing description for security group/security group rule.",
		Impact:      "Descriptions provide context for the firewall rule reasons",
		Resolution:  "Add descriptions for all security groups and rules",
		Explanation: `Security groups and security group rules should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`,
		Links: []string{
			"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationAddDescriptionToSecurityGroupGoodExamples,
			BadExamples:         cloudFormationAddDescriptionToSecurityGroupBadExamples,
			Links:               cloudFormationAddDescriptionToSecurityGroupLinks,
			RemediationMarkdown: cloudFormationAddDescriptionToSecurityGroupRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, sg := range s.AWS.Redshift.SecurityGroups {
			// A non-empty description is the only way to pass this rule.
			if !sg.Description.IsEmpty() {
				results.AddPassed(&sg)
				continue
			}
			results.Add("Security group has no description.", sg.Description)
		}
		return results
	},
)
// CheckEncryptionCustomerKey registers AVD-AWS-0084 (High): a Redshift cluster
// must have at-rest encryption enabled AND reference a KMS key ID.
//
// Two distinct findings are produced, in this order of precedence:
//   - Encryption.Enabled is false            -> "does not have encryption enabled"
//   - Encryption.KMSKeyID is empty            -> "does not use a customer managed encryption key"
//
// Note that a cluster whose Enabled value is not an explicit false (for example
// true, or a value the adapter could not resolve) is still held to the KMS-key
// requirement, so encryption with the AWS-managed default key is reported at
// High severity under this rule. Whether an unresolved Enabled value counts as
// "false" depends on IsFalse() in the types package — confirm there.
var CheckEncryptionCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0084",
		Provider:    providers.AWSProvider,
		Service:     "redshift",
		ShortCode:   "encryption-customer-key",
		Summary:     "Redshift clusters should use at rest encryption",
		Impact:      "Data may be leaked if infrastructure is compromised",
		Resolution:  "Enable encryption using CMK",
		Explanation: `Redshift clusters that contain sensitive data or are subject to regulation should be encrypted at rest to prevent data leakage should the infrastructure be compromised.`,
		Links: []string{
			"https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptionCustomerKeyGoodExamples,
			BadExamples:         terraformEncryptionCustomerKeyBadExamples,
			Links:               terraformEncryptionCustomerKeyLinks,
			RemediationMarkdown: terraformEncryptionCustomerKeyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptionCustomerKeyGoodExamples,
			BadExamples:         cloudFormationEncryptionCustomerKeyBadExamples,
			Links:               cloudFormationEncryptionCustomerKeyLinks,
			RemediationMarkdown: cloudFormationEncryptionCustomerKeyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, c := range s.AWS.Redshift.Clusters {
			enc := c.Encryption
			switch {
			case enc.Enabled.IsFalse():
				results.Add("Cluster does not have encryption enabled.", enc.Enabled)
			case enc.KMSKeyID.IsEmpty():
				// Encryption is on (or not provably off) but no customer key is referenced.
				results.Add("Cluster does not use a customer managed encryption key.", enc.KMSKeyID)
			default:
				results.AddPassed(&c)
			}
		}
		return results
	},
)
// CheckNoClassicResources registers AVD-AWS-0085 (Critical). It has no passing
// branch: every Redshift security group present in the scanned state is
// reported as a Classic resource. The rule's premise (hedged here, as the code
// does not spell it out) is that Redshift *cluster* security groups only exist
// for clusters outside a VPC, i.e. in EC2-Classic, so their mere presence is
// the finding — confirm against the Redshift adapters before relying on it.
//
// Reviewer note: this rule and AVD-AWS-0083 both iterate the same
// Redshift.SecurityGroups collection, so a described security group is
// simultaneously a pass for 0083 and a Critical finding here. That is by
// design given the premise above, but worth knowing when triaging output.
var CheckNoClassicResources = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0085",
		Provider:    providers.AWSProvider,
		Service:     "redshift",
		ShortCode:   "no-classic-resources",
		Summary:     "AWS Classic resource usage.",
		Impact:      "Classic resources are running in a shared environment with other customers",
		Resolution:  "Switch to VPC resources",
		Explanation: `AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run resources in a VPC instead.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html",
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoClassicResourcesGoodExamples,
			BadExamples:         cloudFormationNoClassicResourcesBadExamples,
			Links:               cloudFormationNoClassicResourcesLinks,
			RemediationMarkdown: cloudFormationNoClassicResourcesRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) scan.Results {
		var results scan.Results
		groups := s.AWS.Redshift.SecurityGroups
		for i := range groups {
			// Unconditional: the whole group is the metadata source for the finding.
			sg := groups[i]
			results.Add("Classic resources should not be used.", &sg)
		}
		return results
	},
)
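// CheckUsesVPC registers AVD-AWS-0127 (High): a Redshift cluster with an empty
// SubnetGroupName is reported as deployed outside a VPC (EC2-Classic mode);
// any cluster with a subnet group name set passes.
//
// Scope caveat for reviewers: the Resolution text asks for a *non-default*
// VPC, but the check below only verifies that a subnet group is named. It
// cannot tell a default-VPC subnet group from a dedicated one, so a cluster in
// the default VPC passes this rule.
//
// Fix in this revision: the user-facing Explanation previously read
// "running in tennant", a garbled phrase; it now says "running in a shared
// tenancy environment", matching the wording used by AVD-AWS-0085 in this
// package. No detection logic changed.
var CheckUsesVPC = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0127",
		Provider:    providers.AWSProvider,
		Service:     "redshift",
		ShortCode:   "use-vpc",
		Summary:     "Redshift cluster should be deployed into a specific VPC",
		Impact:      "Redshift cluster does not benefit from VPC security if it is deployed in EC2 classic mode",
		Resolution:  "Deploy Redshift cluster into a non default VPC",
		Explanation: `Redshift clusters that are created without subnet details will be created in EC2 classic mode, meaning that they will be outside of a known VPC and running in a shared tenancy environment. In order to benefit from the additional security features achieved with using an owned VPC, the subnet should be set.`,
		Links: []string{
			"https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseVpcGoodExamples,
			BadExamples:         terraformUseVpcBadExamples,
			Links:               terraformUseVpcLinks,
			RemediationMarkdown: terraformUseVpcRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationUseVpcGoodExamples,
			BadExamples:         cloudFormationUseVpcBadExamples,
			Links:               cloudFormationUseVpcLinks,
			RemediationMarkdown: cloudFormationUseVpcRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, c := range s.AWS.Redshift.Clusters {
			// An empty subnet group name is the only signal used for "outside a VPC".
			if c.SubnetGroupName.IsEmpty() {
				results.Add("Cluster is deployed outside of a VPC.", c.SubnetGroupName)
				continue
			}
			results.AddPassed(&c)
		}
		return results
	},
)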