diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
deleted file mode 100644
index 35720541050..00000000000
--- a/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "id": "309edc5b-5a59-42b4-a357-d4d098311fd4",
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "category": "Encryption",
- "descriptionText": "If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id",
- "platform": "Ansible",
- "descriptionID": "4008dca4",
- "cloudProvider": "aws",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/query.rego b/assets/queries/ansible/aws/s3_bucket_sse_disabled/query.rego
deleted file mode 100644
index a866097963a..00000000000
--- a/assets/queries/ansible/aws/s3_bucket_sse_disabled/query.rego
+++ /dev/null
@@ -1,44 +0,0 @@
-package Cx
-
-import data.generic.ansible as ansLib
-import data.generic.common as commonLib
-
-modules := {"amazon.aws.s3_bucket", "s3_bucket"}
-
-CxPolicy[result] {
- task := ansLib.tasks[id][t]
- s3_bucket := task[modules[m]]
- ansLib.checkState(s3_bucket)
-
- s3_bucket.encryption != "AES256"
- not s3_bucket.encryption_key_id
-
- result := {
- "documentId": id,
- "resourceType": modules[m],
- "resourceName": task.name,
- "searchKey": sprintf("name={{%s}}.{{%s}}.encryption", [task.name, modules[m]]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "s3_bucket.encryption_key_id should be defined",
- "keyActualValue": "s3_bucket.encryption_key_id is undefined",
- }
-}
-
-CxPolicy[result] {
- task := ansLib.tasks[id][t]
- s3_bucket := task[modules[m]]
- ansLib.checkState(s3_bucket)
-
- s3_bucket.encryption != "AES256"
- commonLib.emptyOrNull(s3_bucket.encryption_key_id)
-
- result := {
- "documentId": id,
- "resourceType": modules[m],
- "resourceName": task.name,
- "searchKey": sprintf("name={{%s}}.{{%s}}.encryption", [task.name, modules[m]]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "s3_bucket.encryption_key_id should be defined",
- "keyActualValue": "s3_bucket.encryption_key_id is empty or null",
- }
-}
diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/negative.yaml b/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/negative.yaml
deleted file mode 100644
index 74f20523782..00000000000
--- a/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/negative.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: mys3Bucket
- amazon.aws.s3_bucket:
- name: mys3bucket
- state: present
- encryption: AES256
diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive.yaml b/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive.yaml
deleted file mode 100644
index 09a2ff5114c..00000000000
--- a/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: mys3Bucket
- amazon.aws.s3_bucket:
- name: mys3bucket
- state: present
- encryption: "aws:kms"
diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive_expected_result.json
deleted file mode 100644
index 2d193c39c62..00000000000
--- a/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive_expected_result.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 6
- }
-]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json
deleted file mode 100644
index b38e925061e..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "id": "64ab651b-f5b2-4af0-8c89-ddd03c4d0e61",
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "category": "Encryption",
- "descriptionText": "If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.",
- "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html",
- "platform": "CloudFormation",
- "descriptionID": "42fd2930",
- "cloudProvider": "aws",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/query.rego b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/query.rego
deleted file mode 100644
index 820eb86406f..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/query.rego
+++ /dev/null
@@ -1,121 +0,0 @@
-package Cx
-
-import data.generic.common as common_lib
-import data.generic.cloudformation as cf_lib
-
-# return every bucket as result if there are no policies defined
-CxPolicy[result] {
- document := input.document[i]
- resources := document.Resources
- some resource
- resources[resource].Type == "AWS::S3::Bucket"
-
- bucket := resources[resource].Properties
-
- not common_lib.valid_key(bucket,"BucketEncryption")
-
- result := {
- "documentId": document.id,
- "resourceType": resources[resource].Type,
- "resourceName": cf_lib.get_resource_name(resources[resource], resource),
- "searchKey": sprintf("Resources.%s.Properties", [resource]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": sprintf("Resources.%s.Properties.BucketEncryption should be set", [resource]),
- "keyActualValue": sprintf("Resources.%s.Properties.BucketEncryption is undefined", [resource]),
- }
-}
-
-CxPolicy[result] {
- document := input.document[i]
- resources := document.Resources
- some resource
- resources[resource].Type == "AWS::S3::Bucket"
-
- bucket := resources[resource].Properties
-
- serverEncryption := bucket.BucketEncryption.ServerSideEncryptionConfiguration
- not hasServerEncryptionRules(serverEncryption)
-
- result := {
- "documentId": document.id,
- "resourceType": resources[resource].Type,
- "resourceName": cf_lib.get_resource_name(resources[resource], resource),
- "searchKey": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration", [resource]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration has at least one ServerSideEncryptionByDefault rule", [resource]),
- "keyActualValue": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration does not have a ServerSideEncryptionByDefault rule", [resource]),
- }
-}
-
-CxPolicy[result] {
- document := input.document[i]
- resources := document.Resources
- some resource
- resources[resource].Type == "AWS::S3::Bucket"
-
- bucket := resources[resource].Properties
-
- serverEncryption := bucket.BucketEncryption.ServerSideEncryptionConfiguration
- hasServerEncryptionRules(serverEncryption)
-
- some j
- serverRule := serverEncryption[j].ServerSideEncryptionByDefault
-
- checkMasterKey(serverRule)
- not serverRule.SSEAlgorithm == "AES256"
-
- result := {
- "documentId": document.id,
- "resourceType": resources[resource].Type,
- "resourceName": cf_lib.get_resource_name(resources[resource], resource),
- "searchKey": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm", [resource]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm is 'AES256'", [resource]),
- "keyActualValue": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm is '%s'", [resource,serverRule.SSEAlgorithm]),
- }
-}
-
-CxPolicy[result] {
- document := input.document[i]
- resources := document.Resources
- some resource
- resources[resource].Type == "AWS::S3::Bucket"
-
- bucket := resources[resource].Properties
-
- serverEncryption := bucket.BucketEncryption.ServerSideEncryptionConfiguration
- hasServerEncryptionRules(serverEncryption)
-
- some j
- serverRule := serverEncryption[j].ServerSideEncryptionByDefault
-
- not checkMasterKey(serverRule)
- serverRule.SSEAlgorithm == "AES256"
-
- result := {
- "documentId": document.id,
- "resourceType": resources[resource].Type,
- "resourceName": cf_lib.get_resource_name(resources[resource], resource),
- "searchKey": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.KMSMasterKeyID", [resource]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.KMSMasterKeyID should be undefined", [resource]),
- "keyActualValue": sprintf("Resources.%s.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.KMSMasterKeyID is set", [resource]),
- }
-}
-
-hasServerEncryptionRules(list) {
- some i
- common_lib.valid_key(list[i],"ServerSideEncryptionByDefault")
-}
-
-checkMasterKey(assed) {
- not common_lib.valid_key(assed, "KMSMasterKeyID")
-}
-
-checkMasterKey(assed) {
- assed.KMSMasterKeyID == ""
-}
-
-checkMasterKey(assed) {
- assed.KMSMasterKeyID == null
-}
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/negative.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/negative.json
deleted file mode 100644
index 08a65b7b8bf..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/negative.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "AWSTemplateFormatVersion": "2010-09-09",
- "Description": "S3 bucket with default encryption",
- "Resources": {
- "EncryptedS3Bucket": {
- "Type": "AWS::S3::Bucket",
- "Properties": {
- "BucketName": {
- "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
- },
- "BucketEncryption": {
- "ServerSideEncryptionConfiguration": [
- {
- "ServerSideEncryptionByDefault": {
- "SSEAlgorithm": "aws:kms",
- "KMSMasterKeyID": "KMS-KEY-ARN"
- }
- }
- ]
- }
- },
- "DeletionPolicy": "Delete"
- }
- }
-}
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/negative.yaml b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/negative.yaml
deleted file mode 100644
index 997c78cac61..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/negative.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: S3 bucket with default encryption
-Resources:
- EncryptedS3Bucket:
- Type: 'AWS::S3::Bucket'
- Properties:
- BucketName:
- 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
- BucketEncryption:
- ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- SSEAlgorithm: 'aws:kms'
- KMSMasterKeyID: KMS-KEY-ARN
- DeletionPolicy: Delete
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive1.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive1.json
deleted file mode 100644
index a2c5b2fa617..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive1.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "AWSTemplateFormatVersion": "2010-09-09",
- "Description": "S3 bucket with default encryption",
- "Resources": {
- "EncryptedS3Bucket": {
- "Type": "AWS::S3::Bucket",
- "Properties": {
- "BucketName": {
- "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
- },
- "BucketEncryption": {
- "ServerSideEncryptionConfiguration": [
- {
- "ServerSideEncryptionByDefault": {
- "SSEAlgorithm": "aws:kms"
- }
- }
- ]
- }
- },
- "DeletionPolicy": "Delete"
- }
- }
-}
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive1.yaml b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive1.yaml
deleted file mode 100644
index 27d2c9ff2b3..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive1.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: S3 bucket with default encryption
-Resources:
- EncryptedS3Bucket:
- Type: 'AWS::S3::Bucket'
- Properties:
- BucketName:
- 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
- BucketEncryption:
- ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- SSEAlgorithm: 'aws:kms'
- DeletionPolicy: Delete
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive2.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive2.json
deleted file mode 100644
index d90e7f51b2c..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive2.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "AWSTemplateFormatVersion": "2010-09-09",
- "Description": "S3 bucket with default encryption",
- "Resources": {
- "EncryptedS3Bucket": {
- "Type": "AWS::S3::Bucket",
- "Properties": {
- "BucketName": {
- "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
- },
- "BucketEncryption": {
- "ServerSideEncryptionConfiguration": [
- {
- "ServerSideEncryptionByDefault": {
- "SSEAlgorithm": "AES256",
- "KMSMasterKeyID": "KMS-KEY-ARN"
- }
- }
- ]
- }
- },
- "DeletionPolicy": "Delete"
- }
- }
-}
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive2.yaml b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive2.yaml
deleted file mode 100644
index 13d0735578a..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive2.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: S3 bucket with default encryption
-Resources:
- EncryptedS3Bucket:
- Type: 'AWS::S3::Bucket'
- Properties:
- BucketName:
- 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
- BucketEncryption:
- ServerSideEncryptionConfiguration:
- - ServerSideEncryptionByDefault:
- SSEAlgorithm: 'AES256'
- KMSMasterKeyID: KMS-KEY-ARN
- DeletionPolicy: Delete
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive_expected_result.json
deleted file mode 100644
index 859c82fafe7..00000000000
--- a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/test/positive_expected_result.json
+++ /dev/null
@@ -1,26 +0,0 @@
-[
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 12,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive1.json"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 16,
- "fileName": "positive2.json"
- }
-]
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json
deleted file mode 100644
index b76093eda2c..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "id": "6726dcc0-5ff5-459d-b473-a780bef7665c",
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "category": "Encryption",
- "descriptionText": "If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration",
- "platform": "Terraform",
- "descriptionID": "b386c506",
- "cloudProvider": "aws",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/query.rego b/assets/queries/terraform/aws/s3_bucket_sse_disabled/query.rego
deleted file mode 100644
index 43b4cb0acd9..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/query.rego
+++ /dev/null
@@ -1,203 +0,0 @@
-package Cx
-
-import data.generic.common as common_lib
-import data.generic.terraform as tf_lib
-
-# version before TF AWS 4.0
-CxPolicy[result] {
- bucket := input.document[i].resource.aws_s3_bucket[name]
- sse := bucket.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default
-
- check_master_key(sse)
- sse.sse_algorithm != "AES256"
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_s3_bucket",
- "resourceName": tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", name),
- "searchKey": sprintf("aws_s3_bucket[%s].server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "'sse_algorithm' should be AES256 when key is null",
- "keyActualValue": sprintf("'sse_algorithm' is %s when key is null", [sse.sse_algorithm]),
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name, "server_side_encryption_configuration", "rule", "apply_server_side_encryption_by_default", "sse_algorithm"], []),
- }
-}
-
-CxPolicy[result] {
- module := input.document[i].module[name]
- keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "server_side_encryption_configuration")
-
- ssec := module[keyToCheck]
- algorithm := ssec.rule.apply_server_side_encryption_by_default
-
- check_master_key(algorithm)
- algorithm.sse_algorithm != "AES256"
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "n/a",
- "resourceName": "n/a",
- "searchKey": sprintf("module[%s].server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "'sse_algorithm' should be AES256 when key is null",
- "keyActualValue": sprintf("'sse_algorithm' is %s when key is null", [algorithm.sse_algorithm]),
- "searchLine": common_lib.build_search_line(["module", name, "server_side_encryption_configuration", "rule", "apply_server_side_encryption_by_default", "sse_algorithm"], []),
- }
-}
-
-# version before TF AWS 4.0
-CxPolicy[result] {
- resource := input.document[i].resource.aws_s3_bucket[name]
- ssec := resource.server_side_encryption_configuration
- algorithm := ssec.rule.apply_server_side_encryption_by_default
-
- not check_master_key(algorithm)
- algorithm.sse_algorithm == "AES256"
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_s3_bucket",
- "resourceName": tf_lib.get_specific_resource_name(resource, "aws_s3_bucket", name),
- "searchKey": sprintf("aws_s3_bucket[%s].server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "'kms_master_key_id' should be null when algorithm is 'AES256'",
- "keyActualValue": "'kms_master_key_id'is not null when algorithm is 'AES256'",
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name, "server_side_encryption_configuration", "rule", "apply_server_side_encryption_by_default", "kms_master_key_id"], []),
- }
-}
-
-CxPolicy[result] {
- module := input.document[i].module[name]
- keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "server_side_encryption_configuration")
-
- ssec := module[keyToCheck]
- algorithm := ssec.rule.apply_server_side_encryption_by_default
-
- not check_master_key(algorithm)
- algorithm.sse_algorithm == "AES256"
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "n/a",
- "resourceName": "n/a",
- "searchKey": sprintf("module[%s].server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "'kms_master_key_id' should be null when algorithm is 'AES256'",
- "keyActualValue": "'kms_master_key_id'is not null when algorithm is 'AES256'",
- "searchLine": common_lib.build_search_line(["module", name, "server_side_encryption_configuration", "rule", "apply_server_side_encryption_by_default", "kms_master_key_id"], []),
- }
-}
-
-CxPolicy[result] {
- module := input.document[i].module[name]
- keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_s3_bucket", "server_side_encryption_configuration")
-
- not common_lib.valid_key(module, keyToCheck)
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "n/a",
- "resourceName": "n/a",
- "searchKey": sprintf("module[%s]", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'server_side_encryption_configuration' should be defined and not null",
- "keyActualValue": "'server_side_encryption_configuration' is undefined or null",
- "searchLine": common_lib.build_search_line(["module", name], []),
- }
-}
-
-CxPolicy[result] {
- bucket := input.document[i].resource.aws_s3_bucket[bucketName]
-
- not is_associated(bucketName, input.document[i])
- not tf_lib.has_target_resource(bucketName, "aws_s3_bucket_server_side_encryption_configuration") # version after TF AWS 4.0
- not common_lib.valid_key(bucket, "server_side_encryption_configuration") # version before TF AWS 4.0
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_s3_bucket",
- "resourceName": tf_lib.get_specific_resource_name(bucket, "aws_s3_bucket", bucketName),
- "searchKey": sprintf("aws_s3_bucket[%s]", [bucketName]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'aws_s3_bucket' to have 'server_side_encryption_configuration' associated",
- "keyActualValue": "'aws_s3_bucket' does not have 'server_side_encryption_configuration' associated",
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", bucketName], []),
- }
-}
-
-# version after TF AWS 4.0
-CxPolicy[result] {
- input.document[_].resource.aws_s3_bucket[bucketName]
-
- sse := input.document[i].resource.aws_s3_bucket_server_side_encryption_configuration[name]
- split(sse.bucket, ".")[1] == bucketName
- not common_lib.valid_key(sse.rule, "apply_server_side_encryption_by_default")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_s3_bucket_server_side_encryption_configuration",
- "resourceName": tf_lib.get_resource_name(sse, name),
- "searchKey": sprintf("aws_s3_bucket_server_side_encryption_configuration[%s].rule", [name]),
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'apply_server_side_encryption_by_default' should be defined and not null",
- "keyActualValue": "'apply_server_side_encryption_by_default' is undefined or null",
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_server_side_encryption_configuration", name, "rule"], []),
- }
-}
-
-# version after TF AWS 4.0
-CxPolicy[result] {
- input.document[_].resource.aws_s3_bucket[bucketName]
-
- sse := input.document[i].resource.aws_s3_bucket_server_side_encryption_configuration[name]
- split(sse.bucket, ".")[1] == bucketName
- algorithm := sse.rule.apply_server_side_encryption_by_default
- not check_master_key(algorithm)
- algorithm.sse_algorithm == "AES256"
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_s3_bucket_server_side_encryption_configuration",
- "resourceName": tf_lib.get_resource_name(sse, name),
- "searchKey": sprintf("aws_s3_bucket_server_side_encryption_configuration[%s].rule.apply_server_side_encryption_by_default.kms_master_key_id", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "'kms_master_key_id' should be null when algorithm is 'AES256'",
- "keyActualValue": "'kms_master_key_id' is not null when algorithm is 'AES256'",
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_server_side_encryption_configuration", name, "rule", "apply_server_side_encryption_by_default", "kms_master_key_id"], []),
- }
-}
-
-# version after TF AWS 4.0
-CxPolicy[result] {
- input.document[_].resource.aws_s3_bucket[bucketName]
-
- sse := input.document[i].resource.aws_s3_bucket_server_side_encryption_configuration[name]
- split(sse.bucket, ".")[1] == bucketName
-
- rule := sse.rule.apply_server_side_encryption_by_default
- check_master_key(rule)
- rule.sse_algorithm != "AES256"
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_s3_bucket_server_side_encryption_configuration",
- "resourceName": tf_lib.get_resource_name(sse, name),
- "searchKey": sprintf("aws_s3_bucket_server_side_encryption_configuration[%s].rule.apply_server_side_encryption_by_default.sse_algorithm", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "'sse_algorithm' should be AES256 when key is null",
- "keyActualValue": sprintf("'sse_algorithm' is %s when key is null", [rule.sse_algorithm]),
- "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_server_side_encryption_configuration", name, "rule", "apply_server_side_encryption_by_default", "sse_algorithm"], []),
- }
-}
-
-check_master_key(assed) {
- not common_lib.valid_key(assed, "kms_master_key_id")
-} else {
- common_lib.emptyOrNull(assed.kms_master_key_id)
-}
-
-is_associated(aws_s3_bucket_name, doc) {
- [_, value] := walk(doc)
- sse_configurations := value.aws_s3_bucket_server_side_encryption_configuration[_]
- contains(sse_configurations.bucket, sprintf("aws_s3_bucket.%s", [aws_s3_bucket_name]))
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative1.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative1.tf
deleted file mode 100644
index e4c43defe58..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative1.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-provider "aws" {
- region = "us-east-1"
-}
-
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.0"
- }
- }
-}
-
-resource "aws_s3_bucket" "negative1" {
- bucket = "my-tf-test-bucket"
- acl = "private"
-
- tags = {
- Name = "My bucket"
- Environment = "Dev"
- }
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.mykey.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
-
- versioning {
- mfa_delete = true
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative2.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative2.tf
deleted file mode 100644
index bdba45d6587..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative2.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "3.7.0"
-
- bucket = "my-s3-bucket"
- acl = "private"
-
- versioning = {
- enabled = true
- }
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.mykey.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative3.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative3.tf
deleted file mode 100644
index 2b438620373..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative3.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "mybucket" {
- bucket = "my-tf-example-bucket"
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
- bucket = aws_s3_bucket.mybucket.bucket
-
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.mykey.arn
- sse_algorithm = "aws:kms"
- }
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative4.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative4.tf
deleted file mode 100644
index c140d17eba2..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/negative4.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "mybucket22" {
- count = 1
- bucket = "my-tf-example-bucket"
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
- count = 1
- bucket = aws_s3_bucket.mybucket22[count.index].bucket
-
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive1.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive1.tf
deleted file mode 100644
index d871bd767a2..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive1.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-provider "aws" {
- region = "us-east-1"
-}
-
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.0"
- }
- }
-}
-
-resource "aws_s3_bucket" "positive1" {
- bucket = "my-tf-test-bucket"
- acl = "private"
-
- tags = {
- Name = "My bucket"
- Environment = "Dev"
- }
-
- versioning {
- mfa_delete = true
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive10.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive10.tf
deleted file mode 100644
index c7520e00dc0..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive10.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "mybucket22" {
- bucket = "my-tf-example-bucket"
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
- bucket = aws_s3_bucket.mybucket22.bucket
-
- rule {
- bucket_key_enabled = false
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive2.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive2.tf
deleted file mode 100644
index 3cc4d29a9c9..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive2.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-provider "aws" {
- region = "us-east-1"
-}
-
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.0"
- }
- }
-}
-
-resource "aws_s3_bucket" "positive1" {
- bucket = "my-tf-test-bucket"
- acl = "private"
-
- tags = {
- Name = "My bucket"
- Environment = "Dev"
- }
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = "some-key"
- sse_algorithm = "AES256"
- }
- }
- }
-
- versioning {
- mfa_delete = true
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive3.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive3.tf
deleted file mode 100644
index 2120d30031a..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive3.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-provider "aws" {
- region = "us-east-1"
-}
-
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.0"
- }
- }
-}
-
-resource "aws_s3_bucket" "positive1" {
- bucket = "my-tf-test-bucket"
- acl = "private"
-
- tags = {
- Name = "My bucket"
- Environment = "Dev"
- }
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- }
- }
- }
-
- versioning {
- mfa_delete = true
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive4.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive4.tf
deleted file mode 100644
index 5521126f00c..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive4.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "3.7.0"
-
- bucket = "my-s3-bucket"
- acl = "private"
-
- versioning = {
- enabled = true
- }
-
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive5.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive5.tf
deleted file mode 100644
index 76d6e687f3b..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive5.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "3.7.0"
-
- bucket = "my-s3-bucket"
- acl = "private"
-
- versioning = {
- enabled = true
- }
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = "some-key"
- sse_algorithm = "AES256"
- }
- }
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive6.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive6.tf
deleted file mode 100644
index 0f73324d0e0..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive6.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "3.7.0"
-
- bucket = "my-s3-bucket"
- acl = "private"
-
- versioning = {
- enabled = true
- }
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- }
- }
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive7.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive7.tf
deleted file mode 100644
index e01b4e3a8fa..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive7.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "mybucket0" {
- bucket = "my-tf-example-bucket"
-}
-
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive8.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive8.tf
deleted file mode 100644
index 60cf993393f..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive8.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "mybucket1" {
- bucket = "my-tf-example-bucket"
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "example2" {
- bucket = aws_s3_bucket.mybucket1.bucket
-
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = "some-key"
- sse_algorithm = "AES256"
- }
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive9.tf b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive9.tf
deleted file mode 100644
index c627b08b7b0..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive9.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.2.0"
- }
- }
-}
-
-provider "aws" {
- # Configuration options
-}
-
-resource "aws_s3_bucket" "mybucket2" {
- bucket = "my-tf-example-bucket"
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "example3" {
- bucket = aws_s3_bucket.mybucket2.bucket
-
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- }
- }
-}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive_expected_result.json
deleted file mode 100644
index a2d3215c385..00000000000
--- a/assets/queries/terraform/aws/s3_bucket_sse_disabled/test/positive_expected_result.json
+++ /dev/null
@@ -1,62 +0,0 @@
-[
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 26,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 26,
- "fileName": "positive3.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive4.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive5.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 15,
- "fileName": "positive6.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 14,
- "fileName": "positive7.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 23,
- "fileName": "positive8.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 23,
- "fileName": "positive9.tf"
- },
- {
- "queryName": "S3 Bucket SSE Disabled",
- "severity": "HIGH",
- "line": 21,
- "fileName": "positive10.tf"
- }
-]
