1 parent
b9f1124
commit caa673d
Showing
30 changed files
with
781 additions
and
99 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,154 @@ | ||
package rds | ||
|
||
import ( | ||
"github.com/aquasecurity/cfsec/internal/app/cfsec/parser" | ||
"github.com/aquasecurity/defsec/provider/aws/rds" | ||
"github.com/aquasecurity/defsec/types" | ||
) | ||
|
||
func Adapt(cfFile parser.FileContext) rds.RDS { | ||
clusters, orphans := getClustersAndInstances(cfFile) | ||
return rds.RDS{ | ||
Instances: orphans, | ||
Clusters: clusters, | ||
Classic: getClassic(cfFile), | ||
} | ||
} | ||
|
||
func getClustersAndInstances(ctx parser.FileContext) (clusters []rds.Cluster, | ||
orphans []rds.Instance) { | ||
|
||
clusterMap := getClusters(ctx) | ||
|
||
for _, instanceResource := range ctx.GetResourceByType("AWS::RDS::DBInstance") { | ||
|
||
var instance rds.Instance | ||
instance.Metadata = instanceResource.Metadata() | ||
|
||
if backupProp := instanceResource.GetProperty("BackupRetentionPeriod"); backupProp.IsInt() { | ||
instance.BackupRetentionPeriodDays = backupProp.AsIntValue() | ||
} else { | ||
instance.BackupRetentionPeriodDays = types.IntDefault(1, instanceResource.Metadata()) | ||
} | ||
|
||
if replicaProp := instanceResource.GetProperty("SourceDBInstanceIdentifier"); replicaProp.IsString() { | ||
instance.ReplicationSourceARN = replicaProp.AsStringValue() | ||
} else { | ||
instance.ReplicationSourceARN = types.StringDefault("", instanceResource.Metadata()) | ||
} | ||
|
||
if piProp := instanceResource.GetProperty("EnablePerformanceInsights"); piProp.IsBool() { | ||
instance.PerformanceInsights.Enabled = piProp.AsBoolValue() | ||
} else { | ||
instance.PerformanceInsights.Enabled = types.BoolDefault(false, instanceResource.Metadata()) | ||
} | ||
|
||
if insightsKeyProp := instanceResource.GetProperty("PerformanceInsightsKMSKeyId"); insightsKeyProp.IsString() { | ||
instance.PerformanceInsights.KMSKeyID = insightsKeyProp.AsStringValue() | ||
} else { | ||
instance.PerformanceInsights.KMSKeyID = types.StringDefault("", instanceResource.Metadata()) | ||
} | ||
|
||
if publicProp := instanceResource.GetProperty("PubliclyAccessible"); publicProp.IsBool() { | ||
instance.PublicAccess = publicProp.AsBoolValue() | ||
} else { | ||
instance.PublicAccess = types.BoolDefault(true, instanceResource.Metadata()) | ||
} | ||
|
||
if encryptedProp := instanceResource.GetProperty("StorageEncrypted"); encryptedProp.IsBool() { | ||
instance.Encryption.EncryptStorage = encryptedProp.AsBoolValue() | ||
} else { | ||
instance.Encryption.EncryptStorage = types.BoolDefault(false, instanceResource.Metadata()) | ||
} | ||
|
||
if keyProp := instanceResource.GetProperty("KmsKeyId"); keyProp.IsString() { | ||
instance.Encryption.KMSKeyID = keyProp.AsStringValue() | ||
} else { | ||
instance.Encryption.KMSKeyID = types.StringDefault("", instanceResource.Metadata()) | ||
} | ||
|
||
if clusterID := instanceResource.GetProperty("DBClusterIdentifier"); clusterID.IsString() { | ||
var found bool | ||
for key, cluster := range clusterMap { | ||
if key == clusterID.AsString() { | ||
cluster.Instances = append(cluster.Instances, rds.ClusterInstance(instance)) | ||
clusterMap[key] = cluster | ||
found = true | ||
break | ||
} | ||
} | ||
if found { | ||
continue | ||
} | ||
} | ||
|
||
orphans = append(orphans, instance) | ||
} | ||
|
||
for _, cluster := range clusterMap { | ||
clusters = append(clusters, cluster) | ||
} | ||
|
||
return clusters, orphans | ||
} | ||
|
||
func getClusters(ctx parser.FileContext) (clusters map[string]rds.Cluster) { | ||
clusters = make(map[string]rds.Cluster) | ||
for _, clusterResource := range ctx.GetResourceByType("AWS::RDS::DBCluster") { | ||
var cluster rds.Cluster | ||
cluster.Metadata = clusterResource.Metadata() | ||
if backupProp := clusterResource.GetProperty("BackupRetentionPeriod"); backupProp.IsInt() { | ||
cluster.BackupRetentionPeriodDays = backupProp.AsIntValue() | ||
} else { | ||
cluster.BackupRetentionPeriodDays = types.IntDefault(1, clusterResource.Metadata()) | ||
} | ||
|
||
if replicaProp := clusterResource.GetProperty("SourceDBInstanceIdentifier"); replicaProp.IsString() { | ||
cluster.ReplicationSourceARN = replicaProp.AsStringValue() | ||
} else { | ||
cluster.ReplicationSourceARN = types.StringDefault("", clusterResource.Metadata()) | ||
} | ||
|
||
if piProp := clusterResource.GetProperty("EnablePerformanceInsights"); piProp.IsBool() { | ||
cluster.PerformanceInsights.Enabled = piProp.AsBoolValue() | ||
} else { | ||
cluster.PerformanceInsights.Enabled = types.BoolDefault(false, clusterResource.Metadata()) | ||
} | ||
|
||
if insightsKeyProp := clusterResource.GetProperty("PerformanceInsightsKMSKeyId"); insightsKeyProp.IsString() { | ||
cluster.PerformanceInsights.KMSKeyID = insightsKeyProp.AsStringValue() | ||
} else { | ||
cluster.PerformanceInsights.KMSKeyID = types.StringDefault("", clusterResource.Metadata()) | ||
} | ||
|
||
if encryptedProp := clusterResource.GetProperty("StorageEncrypted"); encryptedProp.IsBool() { | ||
cluster.Encryption.EncryptStorage = encryptedProp.AsBoolValue() | ||
} else { | ||
cluster.Encryption.EncryptStorage = types.BoolDefault(false, clusterResource.Metadata()) | ||
} | ||
|
||
if keyProp := clusterResource.GetProperty("KmsKeyId"); keyProp.IsString() { | ||
cluster.Encryption.KMSKeyID = keyProp.AsStringValue() | ||
} else { | ||
cluster.Encryption.KMSKeyID = types.StringDefault("", clusterResource.Metadata()) | ||
} | ||
|
||
clusters[clusterResource.ID()] = cluster | ||
} | ||
return clusters | ||
} | ||
|
||
func getClassic(ctx parser.FileContext) rds.Classic { | ||
return rds.Classic{ | ||
DBSecurityGroups: getClassicSecurityGroups(ctx), | ||
} | ||
} | ||
|
||
func getClassicSecurityGroups(ctx parser.FileContext) (groups []rds.DBSecurityGroup) { | ||
for _, dbsgResource := range ctx.GetResourceByType("AWS::RDS::DBSecurityGroup") { | ||
var group rds.DBSecurityGroup | ||
group.Metadata = dbsgResource.Metadata() | ||
groups = append(groups, group) | ||
} | ||
return groups | ||
} |
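Review bot: In getClusters, the `SourceDBInstanceIdentifier` branch reads a property that belongs to AWS::RDS::DBInstance, not AWS::RDS::DBCluster, so `cluster.ReplicationSourceARN` will always fall through to the empty default for clusters; the cluster-side property is `ReplicationSourceIdentifier`, so the lookup should be `clusterResource.GetProperty("ReplicationSourceIdentifier")`. The cluster reads of `EnablePerformanceInsights` and `PerformanceInsightsKMSKeyId` look like the instance spellings as well (on DBCluster I believe they are `PerformanceInsightsEnabled` / `PerformanceInsightsKmsKeyId`), which is worth confirming against the resource spec since a misspelled property silently yields the permissive default. In getClustersAndInstances, the instance-to-cluster join ranges over `clusterMap` comparing keys where a direct lookup does the same work: `if cluster, ok := clusterMap[clusterID.AsString()]; ok { cluster.Instances = append(cluster.Instances, rds.ClusterInstance(instance)); clusterMap[clusterID.AsString()] = cluster; continue }`; note this matches the raw `DBClusterIdentifier` string against the cluster's logical ID, which only joins correctly if the parser resolves a `!Ref` to that logical ID. Finally, `clusters` is built by ranging over a map, so the order of emitted clusters (and of any findings derived from them) is nondeterministic across runs.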
This file was deleted.
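--- /dev/null
+++ b/internal/app/cfsec/rules/aws/rds/enable_performance_insights_rule.go
@@ -0,0 +1,40 @@
+package rds
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/rds"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example
+Resources:
+  Queue:
+    Type: AWS::RDS::DBInstance
+    Properties:
+      EnablePerformanceInsights: false
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example
+Resources:
+  Queue:
+    Type: AWS::RDS::DBInstance
+    Properties:
+      EnablePerformanceInsights: true
+      PerformanceInsightsKMSKeyId: "something"
+`,
+		},
+		Base: rds.CheckEnablePerformanceInsights,
+	})
+}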
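Review bot: Both example templates name the AWS::RDS::DBInstance resource `Queue:`, which reads as carried over from a queue rule and obscures what the example demonstrates; `Instance:` would match the resource type. If the base check also evaluates AWS::RDS::DBCluster (the adapter in this commit populates PerformanceInsights for clusters too), a cluster example in each list would exercise that path.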
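--- /dev/null
+++ b/internal/app/cfsec/rules/aws/rds/enable_performance_insights_rule_test.go
@@ -0,0 +1,17 @@
+package rds
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_RDS_EnablePI_FailureExamples(t *testing.T) {
+	expectedCode := "aws-rds-enable-performance-insights"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_RDS_EnablePI_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-rds-enable-performance-insights"
+	test.RunPassingExamplesTest(t, expectedCode)
+}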
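--- /dev/null
+++ b/internal/app/cfsec/rules/aws/rds/encrypt_cluster_storage_data_rule.go
@@ -0,0 +1,40 @@
+package rds
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/rds"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example of rds sgr
+Resources:
+  Cluster:
+    Type: AWS::RDS::DBCluster
+    Properties:
+      StorageEncrypted: false
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of rds sgr
+Resources:
+  Cluster:
+    Type: AWS::RDS::DBCluster
+    Properties:
+      StorageEncrypted: true
+      KmsKeyId: "something"
+`,
+		},
+		Base: rds.CheckEncryptClusterStorageData,
+	})
+}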
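Review bot: The example descriptions read `Bad example of rds sgr` / `Good example of rds sgr`, which looks carried over from a security-group rule and is misleading for a storage-encryption check; `Description: Bad example of unencrypted cluster storage` and `Description: Good example of encrypted cluster storage` describe what the templates show. The examples themselves are consistent with the adapter's `StorageEncrypted` / `KmsKeyId` reads for AWS::RDS::DBCluster.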
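--- /dev/null
+++ b/internal/app/cfsec/rules/aws/rds/encrypt_cluster_storage_data_rule_test.go
@@ -0,0 +1,17 @@
+package rds
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_RDS_EncryptCluster_FailureExamples(t *testing.T) {
+	expectedCode := "aws-rds-encrypt-cluster-storage-data"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_RDS_EncryptCluster_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-rds-encrypt-cluster-storage-data"
+	test.RunPassingExamplesTest(t, expectedCode)
+}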