// CheckEnableLogExport flags a DocumentDB cluster that exports neither the
// audit log nor the profiler log. A cluster passes as soon as at least one of
// the two recognised export types appears in its EnabledLogExports.
var CheckEnableLogExport = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0020",
		Provider:    providers.AWSProvider,
		Service:     "documentdb",
		ShortCode:   "enable-log-export",
		Summary:     "DocumentDB logs export should be enabled",
		Impact:      "Limited visibility of audit trail for changes to the DocumentDB",
		Resolution:  "Enable export logs",
		Explanation: `Document DB does not have auditing by default. To ensure that you are able to accurately audit the usage of your DocumentDB cluster you should enable export logs.`,
		Links: []string{
			"https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableLogExportGoodExamples,
			BadExamples:         terraformEnableLogExportBadExamples,
			Links:               terraformEnableLogExportLinks,
			RemediationMarkdown: terraformEnableLogExportRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableLogExportGoodExamples,
			BadExamples:         cloudFormationEnableLogExportBadExamples,
			Links:               cloudFormationEnableLogExportLinks,
			RemediationMarkdown: cloudFormationEnableLogExportRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.DocumentDB.Clusters {
			// Only the audit and profiler exports are recognised; any other
			// export type present on the cluster is ignored by this rule.
			var auditEnabled, profilerEnabled bool
			for _, export := range cluster.EnabledLogExports {
				switch {
				case export.EqualTo(documentdb.LogExportAudit):
					auditEnabled = true
				case export.EqualTo(documentdb.LogExportProfiler):
					profilerEnabled = true
				}
			}
			// NOTE(review): &cluster is the address of the range variable;
			// this is fine only if Add/AddPassed read the metadata eagerly
			// rather than retaining the pointer — confirm against scan.Results.
			if auditEnabled || profilerEnabled {
				results.AddPassed(&cluster)
				continue
			}
			results.Add(
				"Neither CloudWatch audit nor profiler log exports are enabled.",
				&cluster,
			)
		}
		return
	},
)
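// CheckEnableStorageEncryption flags a DocumentDB cluster whose
// StorageEncrypted attribute reports false; every other cluster is recorded
// as passing. The finding is attached to the attribute so the report points
// at the specific setting rather than the whole cluster.
var CheckEnableStorageEncryption = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0021",
		Provider:   providers.AWSProvider,
		Service:    "documentdb",
		ShortCode:  "enable-storage-encryption",
		Summary:    "DocumentDB storage must be encrypted",
		Impact:     "Unencrypted sensitive data is vulnerable to compromise.",
		Resolution: "Enable storage encryption",
		// "their is" corrected to "there is" in the user-facing explanation.
		Explanation: `Encryption of the underlying storage used by DocumentDB ensures that if there is compromise of the disks, the data is still protected.`,
		Links:       []string{"https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html"},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableStorageEncryptionGoodExamples,
			BadExamples:         terraformEnableStorageEncryptionBadExamples,
			Links:               terraformEnableStorageEncryptionLinks,
			RemediationMarkdown: terraformEnableStorageEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableStorageEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableStorageEncryptionBadExamples,
			Links:               cloudFormationEnableStorageEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableStorageEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.DocumentDB.Clusters {
			if cluster.StorageEncrypted.IsFalse() {
				results.Add(
					"Cluster storage does not have encryption enabled.",
					cluster.StorageEncrypted,
				)
				continue
			}
			results.AddPassed(&cluster)
		}
		return
	},
)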
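// CheckEncryptionCustomerKey flags DocumentDB clusters and instances whose
// KMSKeyID is empty, i.e. that rely on the AWS-managed key instead of a
// customer-managed one. Findings are attached to the KMSKeyID attribute of
// the cluster or instance concerned; passes are attached to the resource
// that was inspected.
var CheckEncryptionCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0022",
		Provider:    providers.AWSProvider,
		Service:     "documentdb",
		ShortCode:   "encryption-customer-key",
		Summary:     "DocumentDB encryption should use Customer Managed Keys",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Enable encryption using customer managed keys",
		Explanation: `Encryption using AWS keys provides protection for your DocumentDB underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys.`,
		// NOTE(review): this link appears to cover TLS public keys rather than
		// KMS encryption at rest — confirm it is the intended reference.
		Links: []string{"https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.public-key.html"},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptionCustomerKeyGoodExamples,
			BadExamples:         terraformEncryptionCustomerKeyBadExamples,
			Links:               terraformEncryptionCustomerKeyLinks,
			RemediationMarkdown: terraformEncryptionCustomerKeyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptionCustomerKeyGoodExamples,
			BadExamples:         cloudFormationEncryptionCustomerKeyBadExamples,
			Links:               cloudFormationEncryptionCustomerKeyLinks,
			RemediationMarkdown: cloudFormationEncryptionCustomerKeyRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.DocumentDB.Clusters {
			// An unmanaged cluster is recorded as passing here, whereas
			// unmanaged instances below are skipped entirely.
			// NOTE(review): that asymmetry may be intentional — verify.
			if cluster.IsManaged() && cluster.KMSKeyID.IsEmpty() {
				results.Add(
					"Cluster encryption does not use a customer-managed KMS key.",
					cluster.KMSKeyID,
				)
			} else {
				results.AddPassed(&cluster)
			}
			for _, instance := range cluster.Instances {
				if instance.IsUnmanaged() {
					continue
				}
				if instance.KMSKeyID.IsEmpty() {
					results.Add(
						"Instance encryption does not use a customer-managed KMS key.",
						instance.KMSKeyID,
					)
					continue
				}
				// Attribute the pass to the instance that was inspected, matching
				// the failure branch which points at instance.KMSKeyID; recording
				// it against the enclosing cluster mis-attributes the result.
				results.AddPassed(&instance)
			}
		}
		return
	},
)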