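// CheckEnableInTransitEncryption flags MSK clusters whose client-broker
// encryption setting still permits unencrypted traffic. A cluster fails when
// ClientBroker equals msk.ClientBrokerEncryptionPlaintext or
// msk.ClientBrokerEncryptionTLSOrPlaintext; any other value passes.
var CheckEnableInTransitEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0073",
		Provider:    providers.AWSProvider,
		Service:     "msk",
		ShortCode:   "enable-in-transit-encryption",
		Summary:     "A MSK cluster allows unencrypted data in transit.",
		Impact:      "Intercepted data can be read in transit",
		Resolution:  "Enable in transit encryption",
		Explanation: `Encryption should be forced for Kafka clusters, including for communication between nodes. This ensure sensitive data is kept private.`,
		Links: []string{
			"https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableInTransitEncryptionGoodExamples,
			BadExamples:         terraformEnableInTransitEncryptionBadExamples,
			Links:               terraformEnableInTransitEncryptionLinks,
			RemediationMarkdown: terraformEnableInTransitEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableInTransitEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableInTransitEncryptionBadExamples,
			Links:               cloudFormationEnableInTransitEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableInTransitEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluates every MSK cluster in the state and returns one result per
	// cluster: a failure anchored on the ClientBroker attribute when plaintext
	// is permitted, otherwise a pass.
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.MSK.Clusters {
			clientBroker := cluster.EncryptionInTransit.ClientBroker

			// Both settings leave a plaintext listener open to clients, so they
			// are reported with the same finding; only a TLS-only setting passes.
			// NOTE(review): the Explanation also mentions node-to-node traffic,
			// but this check inspects only the client-broker setting — confirm
			// whether in-cluster encryption is covered by another rule.
			if clientBroker.EqualTo(msk.ClientBrokerEncryptionPlaintext) ||
				clientBroker.EqualTo(msk.ClientBrokerEncryptionTLSOrPlaintext) {
				results.Add(
					"Cluster allows plaintext communication.",
					clientBroker,
				)
				continue
			}

			// NOTE(review): &cluster is the address of the range variable; if
			// AddPassed retains the pointer, builds before Go 1.22 would have
			// every passed result point at the last cluster — confirm AddPassed
			// reads the metadata eagerly.
			results.AddPassed(&cluster)
		}
		return
	},
)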
// CheckEnableLogging reports MSK clusters whose broker logging does not ship
// to any destination. A cluster passes as soon as one of S3, Firehose or
// Cloudwatch broker logging is enabled; otherwise a single failure is raised,
// anchored on the Cloudwatch Enabled flag.
var CheckEnableLogging = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0074",
		Provider:    providers.AWSProvider,
		Service:     "msk",
		ShortCode:   "enable-logging",
		Summary:     "Ensure MSK Cluster logging is enabled",
		Impact:      "Without logging it is difficult to trace issues",
		Resolution:  "Enable logging",
		Explanation: `Managed streaming for Kafka can log to Cloud Watch, Kinesis Firehose and S3, at least one of these locations should be logged to`,
		Links: []string{
			"https://docs.aws.amazon.com/msk/latest/developerguide/msk-logging.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableLoggingGoodExamples,
			BadExamples:         terraformEnableLoggingBadExamples,
			Links:               terraformEnableLoggingLinks,
			RemediationMarkdown: terraformEnableLoggingRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableLoggingGoodExamples,
			BadExamples:         cloudFormationEnableLoggingBadExamples,
			Links:               cloudFormationEnableLoggingLinks,
			RemediationMarkdown: cloudFormationEnableLoggingRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// Walks every MSK cluster in the state; the first enabled destination
	// (checked in the order S3, Firehose, Cloudwatch) records a pass with a
	// matching description, and a cluster with none enabled records a failure.
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.MSK.Clusters {
			logs := cluster.Logging.Broker

			switch {
			case logs.S3.Enabled.IsTrue():
				results.AddPassed(&cluster, "S3 Logging is enabled")
			case logs.Firehose.Enabled.IsTrue():
				results.AddPassed(&cluster, "Firehose Logging is enabled")
			case logs.Cloudwatch.Enabled.IsTrue():
				results.AddPassed(&cluster, "Cloudwatch Logging is enabled")
			default:
				// No destination is enabled; the Cloudwatch flag is the attribute
				// the finding is attached to.
				results.Add(
					"Cluster does not ship logs to any service.",
					logs.Cloudwatch.Enabled,
				)
			}
		}
		return
	},
)