msk

package
Published: Aug 17, 2023 License: MIT Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// CheckEnableAtRestEncryption (AVD-AWS-0179) flags MSK clusters whose
// at-rest encryption is explicitly disabled. Only a resolved "false" value
// fails; an unknown/unresolvable value is treated as passing, so the rule
// errs toward no false positives rather than no false negatives.
var CheckEnableAtRestEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0179",
		Provider:    providers.AWSProvider,
		Service:     "msk",
		ShortCode:   "enable-at-rest-encryption",
		Summary:     "A MSK cluster allows unencrypted data at rest.",
		Impact:      "Intercepted data can be read at rest",
		Resolution:  "Enable at rest encryption",
		Explanation: `Encryption should be forced for Kafka clusters, including at rest. This ensures sensitive data is kept private.`,
		Links: []string{
			"https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
			Links:               terraformEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAtRestEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableAtRestEncryptionBadExamples,
			Links:               cloudFormationEnableAtRestEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate every MSK cluster in the scanned state; each cluster yields
	// exactly one result (failed or passed).
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.MSK.Clusters {
			atRest := cluster.EncryptionAtRest.Enabled
			switch {
			case atRest.IsFalse():
				// Attribute the finding to the attribute itself so the
				// reported line points at the offending setting.
				results.Add("The cluster is not encrypted at rest.", atRest)
			default:
				results.AddPassed(&cluster)
			}
		}
		return
	},
)
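// CheckEnableInTransitEncryption (AVD-AWS-0073) flags MSK clusters whose
// client-broker transport setting permits plaintext, either exclusively
// (PLAINTEXT) or alongside TLS (TLS_PLAINTEXT). A cluster that allows
// TLS_PLAINTEXT still fails: any client may downgrade to an unencrypted
// listener, so the "TLS or plaintext" mode offers no enforced protection.
//
// NOTE(review): the Explanation text mentions communication between nodes,
// but only the client-broker setting is evaluated here; in-cluster
// (broker-to-broker) encryption is not examined by this rule. Confirm
// whether that is intended before relying on this rule for inter-node
// traffic.
var CheckEnableInTransitEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0073",
		Provider:    providers.AWSProvider,
		Service:     "msk",
		ShortCode:   "enable-in-transit-encryption",
		Summary:     "A MSK cluster allows unencrypted data in transit.",
		Impact:      "Intercepted data can be read in transit",
		Resolution:  "Enable in transit encryption",
		Explanation: `Encryption should be forced for Kafka clusters, including for communication between nodes. This ensures sensitive data is kept private.`,
		Links: []string{
			"https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableInTransitEncryptionGoodExamples,
			BadExamples:         terraformEnableInTransitEncryptionBadExamples,
			Links:               terraformEnableInTransitEncryptionLinks,
			RemediationMarkdown: terraformEnableInTransitEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableInTransitEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableInTransitEncryptionBadExamples,
			Links:               cloudFormationEnableInTransitEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableInTransitEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate every MSK cluster in the scanned state; each cluster yields
	// exactly one result (failed or passed).
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.MSK.Clusters {
			clientBroker := cluster.EncryptionInTransit.ClientBroker

			// Both modes that admit an unencrypted listener are the same
			// finding; the two branches were previously duplicated.
			allowsPlaintext := clientBroker.EqualTo(msk.ClientBrokerEncryptionPlaintext) ||
				clientBroker.EqualTo(msk.ClientBrokerEncryptionTLSOrPlaintext)

			if allowsPlaintext {
				results.Add("Cluster allows plaintext communication.", clientBroker)
				continue
			}
			results.AddPassed(&cluster)
		}
		return
	},
)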
// CheckEnableLogging (AVD-AWS-0074) passes an MSK cluster when broker logs
// are delivered to at least one destination (S3, Kinesis Firehose or
// CloudWatch) and fails it when none is enabled. Destinations are checked
// in a fixed order and the first enabled one is the one named in the pass
// message; a cluster with several enabled destinations still produces a
// single passed result.
var CheckEnableLogging = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0074",
		Provider:    providers.AWSProvider,
		Service:     "msk",
		ShortCode:   "enable-logging",
		Summary:     "Ensure MSK Cluster logging is enabled",
		Impact:      "Without logging it is difficult to trace issues",
		Resolution:  "Enable logging",
		Explanation: `Managed streaming for Kafka can log to Cloud Watch, Kinesis Firehose and S3, at least one of these locations should be logged to`,
		Links: []string{
			"https://docs.aws.amazon.com/msk/latest/developerguide/msk-logging.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableLoggingGoodExamples,
			BadExamples:         terraformEnableLoggingBadExamples,
			Links:               terraformEnableLoggingLinks,
			RemediationMarkdown: terraformEnableLoggingRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableLoggingGoodExamples,
			BadExamples:         cloudFormationEnableLoggingBadExamples,
			Links:               cloudFormationEnableLoggingLinks,
			RemediationMarkdown: cloudFormationEnableLoggingRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// Evaluate every MSK cluster in the scanned state; each cluster yields
	// exactly one result (failed or passed).
	func(s *state.State) (results scan.Results) {
		for _, cluster := range s.AWS.MSK.Clusters {
			logs := cluster.Logging.Broker

			// Order matters only for which destination the pass message
			// names; it does not affect pass/fail.
			switch {
			case logs.S3.Enabled.IsTrue():
				results.AddPassed(&cluster, "S3 Logging is enabled")
			case logs.Firehose.Enabled.IsTrue():
				results.AddPassed(&cluster, "Firehose Logging is enabled")
			case logs.Cloudwatch.Enabled.IsTrue():
				results.AddPassed(&cluster, "Cloudwatch Logging is enabled")
			default:
				// No destination is enabled. The finding is attached to the
				// CloudWatch flag purely to give the report a source
				// location; it is not a claim that CloudWatch specifically
				// is required.
				results.Add(
					"Cluster does not ship logs to any service.",
					logs.Cloudwatch.Enabled,
				)
			}
		}
		return
	},
)

Functions

This section is empty.

Types

This section is empty.
