// CheckAclNoPublicRead registers rule AVD-DIG-0006 (severity Critical) for the
// DigitalOcean "spaces" service. For every managed Spaces bucket it reports a
// bucket whose ACL equals "public-read", then reports every object in that
// bucket whose ACL equals "public-read"; buckets and objects with any other
// ACL value are recorded as passed. Unmanaged buckets are skipped entirely.
var CheckAclNoPublicRead = rules.Register(
	scan.Rule{
		AVDID:       "AVD-DIG-0006",
		Provider:    providers.DigitalOceanProvider,
		Service:     "spaces",
		ShortCode:   "acl-no-public-read",
		Summary:     "Spaces bucket or bucket object has public read acl set",
		Impact:      "The contents of the space can be accessed publicly",
		Resolution:  "Apply a more restrictive ACL",
		Explanation: `Space bucket and bucket object permissions should be set to deny public access unless explicitly required.`,
		Links: []string{
			"https://docs.digitalocean.com/reference/api/spaces-api/#access-control-lists-acls",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAclNoPublicReadGoodExamples,
			BadExamples:         terraformAclNoPublicReadBadExamples,
			Links:               terraformAclNoPublicReadLinks,
			RemediationMarkdown: terraformAclNoPublicReadRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, bucket := range st.DigitalOcean.Spaces.Buckets {
			// Buckets that are not managed by the scanned configuration
			// produce neither a finding nor a pass.
			if bucket.Metadata.IsUnmanaged() {
				continue
			}

			// Only the exact value "public-read" is treated as a failure.
			// NOTE(review): anything else — including an ACL the scanner could
			// not resolve, if EqualTo reports false for unresolved values — is
			// recorded as passed; confirm that is the intended default.
			switch {
			case bucket.ACL.EqualTo("public-read"):
				results.Add("Bucket is publicly exposed.", bucket.ACL)
			default:
				// NOTE(review): &bucket is the address of the range variable;
				// with pre-Go-1.22 loop semantics every iteration reuses the
				// same variable, so this relies on AddPassed not retaining the
				// pointer — confirm.
				results.AddPassed(&bucket)
			}

			// Objects are evaluated regardless of the bucket-level outcome.
			for _, object := range bucket.Objects {
				switch {
				case object.ACL.EqualTo("public-read"):
					results.Add("Object is publicly exposed.", object.ACL)
				default:
					results.AddPassed(&object)
				}
			}
		}
		return results
	},
)
// CheckDisableForceDestroy registers rule AVD-DIG-0009 (severity Medium) for
// the DigitalOcean "spaces" service. It reports every managed Spaces bucket
// whose ForceDestroy attribute is true and records all other managed buckets
// as passed; unmanaged buckets are skipped.
var CheckDisableForceDestroy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-DIG-0009",
		Provider:    providers.DigitalOceanProvider,
		Service:     "spaces",
		ShortCode:   "disable-force-destroy",
		Summary:     "Force destroy is enabled on Spaces bucket which is dangerous",
		Impact:      "Accidental deletion of bucket objects",
		Resolution:  "Don't use force destroy on bucket configuration",
		Explanation: `Enabling force destroy on a Spaces bucket means that the bucket can be deleted without the additional check that it is empty. This risks important data being accidentally deleted by a bucket removal process.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformDisableForceDestroyGoodExamples,
			BadExamples:         terraformDisableForceDestroyBadExamples,
			Links:               terraformDisableForceDestroyLinks,
			RemediationMarkdown: terraformDisableForceDestroyRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		buckets := st.DigitalOcean.Spaces.Buckets
		for _, bucket := range buckets {
			// Unmanaged buckets are neither flagged nor passed.
			if bucket.Metadata.IsUnmanaged() {
				continue
			}
			// NOTE(review): only a resolved true value fails; a value IsTrue
			// reports false for (including an unresolved one, if that is how
			// IsTrue behaves) is recorded as passed — confirm.
			if !bucket.ForceDestroy.IsTrue() {
				// NOTE(review): address of the range variable; under pre-Go-1.22
				// loop semantics this relies on AddPassed not retaining the pointer.
				results.AddPassed(&bucket)
				continue
			}
			results.Add("Bucket has force-destroy enabled.", bucket.ForceDestroy)
		}
		return results
	},
)
// CheckVersioningEnabled registers rule AVD-DIG-0007 (severity Medium) for the
// DigitalOcean "spaces" service. It reports every managed Spaces bucket whose
// Versioning.Enabled attribute is false and records all other managed buckets
// as passed; unmanaged buckets are skipped.
var CheckVersioningEnabled = rules.Register(
	scan.Rule{
		AVDID:       "AVD-DIG-0007",
		Provider:    providers.DigitalOceanProvider,
		Service:     "spaces",
		ShortCode:   "versioning-enabled",
		Summary:     "Spaces buckets should have versioning enabled",
		Impact:      "Deleted or modified data would not be recoverable",
		Resolution:  "Enable versioning to protect against accidental or malicious removal or modification",
		Explanation: `Versioning is a means of keeping multiple variants of an object in the same bucket. You can use the Spaces (S3) Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover more easily from both unintended user actions and application failures.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformVersioningEnabledGoodExamples,
			BadExamples:         terraformVersioningEnabledBadExamples,
			Links:               terraformVersioningEnabledLinks,
			RemediationMarkdown: terraformVersioningEnabledRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(st *state.State) scan.Results {
		var results scan.Results
		for _, bucket := range st.DigitalOcean.Spaces.Buckets {
			// Unmanaged buckets are neither flagged nor passed.
			if bucket.Metadata.IsUnmanaged() {
				continue
			}
			// The check fails only on a value that IsFalse reports as false.
			// NOTE(review): a bucket with no versioning block passes unless the
			// adapter defaults Versioning.Enabled to a resolved false — confirm,
			// since a silent pass here hides missing versioning.
			versioningOff := bucket.Versioning.Enabled.IsFalse()
			if versioningOff {
				results.Add("Bucket does not have versioning enabled.", bucket.Versioning.Enabled)
				continue
			}
			// NOTE(review): address of the range variable; under pre-Go-1.22
			// loop semantics this relies on AddPassed not retaining the pointer.
			results.AddPassed(&bucket)
		}
		return results
	},
)