dynamodb

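// CheckEnableAtRestEncryption reports DAX clusters and DynamoDB tables whose
// ServerSideEncryption.Enabled value resolves to false.
//
// Only a value that IsFalse() reports is flagged; anything else (presumably
// including an unset or unresolvable value) is recorded as a pass, so the
// rule stays quiet on resources the scanner cannot evaluate. Resources whose
// metadata is marked unmanaged are skipped entirely.
//
// NOTE(review): the sibling table-customer-key rule in this package states
// that DynamoDB tables are encrypted by default with AWS-managed keys, so a
// table finding here most likely means SSE was explicitly disabled in the
// configuration rather than that data sits in plaintext — confirm against the
// provider semantics before raising the severity of table findings.
var CheckEnableAtRestEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0023",
		Provider:    providers.AWSProvider,
		Service:     "dynamodb",
		ShortCode:   "enable-at-rest-encryption",
		Summary:     "DAX Cluster and tables should always encrypt data at rest",
		Impact:      "Data can be freely read if compromised",
		Resolution:  "Enable encryption at rest for DAX Cluster",
		Explanation: `Amazon DynamoDB Accelerator (DAX) and table encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html",
			"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dax-cluster.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
			Links:               terraformEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAtRestEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableAtRestEncryptionBadExamples,
			Links:               cloudFormationEnableAtRestEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.DynamoDB.DAXClusters {
			if cluster.Metadata.IsUnmanaged() {
				continue
			}
			if cluster.ServerSideEncryption.Enabled.IsFalse() {
				// This finding concerns the DAX cluster, so the message must name
				// the cluster; the table loop below reports its own message. The
				// previous text ("Table encryption ...") misattributed the finding.
				results.Add(
					"Cluster encryption is not enabled.",
					cluster.ServerSideEncryption.Enabled,
				)
			} else {
				// &cluster is the address of the loop variable; this is fine if
				// AddPassed consumes it immediately, not if it retains the pointer
				// across iterations — confirm against the Results implementation.
				results.AddPassed(&cluster)
			}
		}
		for _, table := range s.AWS.DynamoDB.Tables {
			if table.Metadata.IsUnmanaged() {
				continue
			}
			if table.ServerSideEncryption.Enabled.IsFalse() {
				results.Add(
					"Table encryption is not enabled.",
					table.ServerSideEncryption.Enabled,
				)
			} else {
				results.AddPassed(&table)
			}
		}
		return results
	},
)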
// CheckEnableRecovery reports DAX clusters and DynamoDB tables whose
// PointInTimeRecovery value resolves to false.
//
// Unmanaged resources are skipped. Only a value that IsFalse() reports is
// flagged; any other value (presumably including unset or unresolvable ones)
// is recorded as a pass.
//
// NOTE(review): the DAX loop checks a PointInTimeRecovery field on the cluster
// state; whether the adapters ever populate it for DAX is not visible here.
var CheckEnableRecovery = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0024",
		Provider:   providers.AWSProvider,
		Service:    "dynamodb",
		ShortCode:  "enable-recovery",
		Summary:    "Point in time recovery should be enabled to protect DynamoDB table",
		Impact:     "Accidental or malicious writes and deletes can't be rolled back",
		Resolution: "Enable point in time recovery",
		Explanation: `DynamoDB tables should be protected against accidentally or malicious write/delete actions by ensuring that there is adequate protection.

By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableRecoveryGoodExamples,
			BadExamples:         terraformEnableRecoveryBadExamples,
			Links:               terraformEnableRecoveryLinks,
			RemediationMarkdown: terraformEnableRecoveryRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// Same finding text for both resource kinds; the attached attribute
		// carries the resource-specific location.
		const msg = "Point-in-time recovery is not enabled."

		for _, dax := range s.AWS.DynamoDB.DAXClusters {
			if dax.Metadata.IsUnmanaged() {
				continue
			}
			if !dax.PointInTimeRecovery.IsFalse() {
				// &dax is the loop variable's address; assumes AddPassed reads it
				// immediately rather than retaining the pointer — confirm.
				results.AddPassed(&dax)
				continue
			}
			results.Add(msg, dax.PointInTimeRecovery)
		}

		for _, tbl := range s.AWS.DynamoDB.Tables {
			if tbl.Metadata.IsUnmanaged() {
				continue
			}
			if !tbl.PointInTimeRecovery.IsFalse() {
				results.AddPassed(&tbl)
				continue
			}
			results.Add(msg, tbl.PointInTimeRecovery)
		}
		return results
	},
)
// CheckTableCustomerKey reports DAX clusters and DynamoDB tables whose
// ServerSideEncryption.KMSKeyID is either empty or equal to
// dynamodb.DefaultKMSKeyID, i.e. not a customer-managed key.
//
// Unmanaged resources are skipped. Any other non-empty key identifier is
// recorded as a pass.
//
// NOTE(review): the default-key test is an exact comparison against a single
// constant, so any other spelling of the AWS-managed key (for example a full
// key ARN or a different alias form) would not be caught and would pass as if
// it were a customer-managed key — confirm what dynamodb.DefaultKMSKeyID holds
// and whether the adapters normalise key references.
var CheckTableCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0025",
		Provider:    providers.AWSProvider,
		Service:     "dynamodb",
		ShortCode:   "table-customer-key",
		Summary:     "DynamoDB tables should use at rest encryption with a Customer Managed Key",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Enable server side encryption with a customer managed key",
		Explanation: `DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.`,
		Links: []string{
			"https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformTableCustomerKeyGoodExamples,
			BadExamples:         terraformTableCustomerKeyBadExamples,
			Links:               terraformTableCustomerKeyLinks,
			RemediationMarkdown: terraformTableCustomerKeyRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, dax := range s.AWS.DynamoDB.DAXClusters {
			if dax.Metadata.IsUnmanaged() {
				continue
			}
			keyID := dax.ServerSideEncryption.KMSKeyID
			switch {
			case keyID.IsEmpty():
				results.Add("Cluster encryption does not use a customer-managed KMS key.", keyID)
			case keyID.EqualTo(dynamodb.DefaultKMSKeyID):
				results.Add("Cluster encryption explicitly uses the default KMS key.", keyID)
			default:
				results.AddPassed(&dax)
			}
		}

		for _, tbl := range s.AWS.DynamoDB.Tables {
			if tbl.Metadata.IsUnmanaged() {
				continue
			}
			keyID := tbl.ServerSideEncryption.KMSKeyID
			switch {
			case keyID.IsEmpty():
				results.Add("Table encryption does not use a customer-managed KMS key.", keyID)
			case keyID.EqualTo(dynamodb.DefaultKMSKeyID):
				results.Add("Table encryption explicitly uses the default KMS key.", keyID)
			default:
				results.AddPassed(&tbl)
			}
		}
		return results
	},
)
