refactor(checks): migrate AWS elasticache, elasticsearch, elb to Rego (…

…#227)

* refactor(checks): migrate AWS elasticache, elasticsearch, elb to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

* test: initialise tests in each test file

Signed-off-by: Nikita Pivkin <[email protected]>

---------

Signed-off-by: Nikita Pivkin <[email protected]>
Co-authored-by: simar7 <[email protected]>

avd_docs/aws/elasticache/AVD-AWS-0045/docs.md

@@ -1,8 +1,9 @@
 
 Data stored within an Elasticache replication node should be encrypted to ensure sensitive data is kept private.
 
+
 ### Impact
-At-rest data in the Replication Group could be compromised if accessed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elasticache/AVD-AWS-0049/docs.md

@@ -1,10 +1,10 @@
 
 Security groups and security group rules should include a description for auditing purposes.
-
 Simplifies auditing, debugging, and managing security groups.
 
+
 ### Impact
-Descriptions provide context for the firewall rule reasons
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elasticache/AVD-AWS-0050/docs.md

@@ -1,8 +1,9 @@
 
 Redis clusters should have a snapshot retention time to ensure that they are backed up and can be restored if required.
 
+
 ### Impact
-Without backups of the redis cluster recovery is made difficult
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elasticache/AVD-AWS-0051/docs.md

@@ -1,8 +1,9 @@
 
 Traffic flowing between Elasticache replication nodes should be encrypted to ensure sensitive data is kept private.
 
+
 ### Impact
-In transit data in the Replication Group could be read if intercepted
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elasticsearch/AVD-AWS-0042/docs.md

@@ -1,14 +1,12 @@
 
-Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs, search slow logs, index slow logs, and audit logs. 
-
-Search slow logs, index slow logs, and error logs are useful for troubleshooting performance and stability issues. 
-
-Audit logs track user activity for compliance purposes. 
-
+Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs, search slow logs, index slow logs, and audit logs.
+Search slow logs, index slow logs, and error logs are useful for troubleshooting performance and stability issues.
+Audit logs track user activity for compliance purposes.
 All the logs are disabled by default.
 
+
 ### Impact
-Logging provides vital information about access and usage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elasticsearch/AVD-AWS-0043/docs.md

@@ -1,8 +1,9 @@
 
 Traffic flowing between Elasticsearch nodes should be encrypted to ensure sensitive data is kept private.
 
+
 ### Impact
-In transit data between nodes could be read if intercepted
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elasticsearch/AVD-AWS-0046/docs.md

@@ -1,10 +1,10 @@
 
 Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
-
 You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
 
+
 ### Impact
-HTTP traffic can be intercepted and the contents read
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elasticsearch/AVD-AWS-0048/docs.md

@@ -1,8 +1,9 @@
 
 You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.
 
+
 ### Impact
-Data will be readable if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elasticsearch/AVD-AWS-0126/docs.md

@@ -1,8 +1,9 @@
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
 
+
 ### Impact
-Outdated SSL policies increase exposure to known vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elb/AVD-AWS-0047/docs.md

@@ -1,8 +1,9 @@
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
 
+
 ### Impact
-The SSL policy is outdated and has known vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elb/AVD-AWS-0052/docs.md

@@ -1,10 +1,10 @@
 
-Passing unknown or invalid headers through to the target poses a potential risk of compromise. 
-
+Passing unknown or invalid headers through to the target poses a potential risk of compromise.
 By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
 
+
 ### Impact
-Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elb/AVD-AWS-0053/docs.md

@@ -1,8 +1,9 @@
 
 There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
 
+
 ### Impact
-The load balancer is exposed on the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/elb/AVD-AWS-0054/docs.md

@@ -1,10 +1,10 @@
 
 Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
-
 You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
 
+
 ### Impact
-Your traffic is not protected
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/aws/elasticache/add_description_for_security_group.go

@@ -35,7 +35,8 @@ Simplifies auditing, debugging, and managing security groups.`,
 			Links:               cloudFormationAddDescriptionForSecurityGroupLinks,
 			RemediationMarkdown: cloudFormationAddDescriptionForSecurityGroupRemediationMarkdown,
 		},
-		Severity: severity.Low,
+		Severity:   severity.Low,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, sg := range s.AWS.ElastiCache.SecurityGroups {

checks/cloud/aws/elasticache/add_description_for_security_group.rego

@@ -0,0 +1,41 @@
+# METADATA
+# title: Missing description for security group/security group rule.
+# description: |
+#   Security groups and security group rules should include a description for auditing purposes.
+#   Simplifies auditing, debugging, and managing security groups.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SecurityGroups.Creating.html
+# custom:
+#   id: AVD-AWS-0049
+#   avd_id: AVD-AWS-0049
+#   provider: aws
+#   service: elasticache
+#   severity: LOW
+#   short_code: add-description-for-security-group
+#   recommended_action: Add descriptions for all security groups and rules
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: elasticache
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_security_group#description
+#     good_examples: checks/cloud/aws/elasticache/add_description_for_security_group.tf.go
+#     bad_examples: checks/cloud/aws/elasticache/add_description_for_security_group.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/elasticache/add_description_for_security_group.cf.go
+#     bad_examples: checks/cloud/aws/elasticache/add_description_for_security_group.cf.go
+package builtin.aws.elasticache.aws0049
+
+import rego.v1
+
+deny contains res if {
+	some secgroup in input.aws.elasticache.securitygroups
+	secgroup.description.value == ""
+	res := result.new("Security group does not have a description.", secgroup.description)
+}

checks/cloud/aws/elasticache/add_description_for_security_group_test.rego

@@ -0,0 +1,18 @@
+package builtin.aws.elasticache.aws0049_test
+
+import rego.v1
+
+import data.builtin.aws.elasticache.aws0049 as check
+import data.lib.test
+
+test_allow_sg_with_description if {
+	inp := {"aws": {"elasticache": {"securitygroups": [{"description": {"value": "sg description"}}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
+
+test_deny_sg_without_description if {
+	inp := {"aws": {"elasticache": {"securitygroups": [{"description": {"value": ""}}]}}}
+
+	test.assert_equal_message("Security group does not have a description.", check.deny) with input as inp
+}

checks/cloud/aws/elasticache/enable_at_rest_encryption.go

@@ -27,7 +27,8 @@ var CheckEnableAtRestEncryption = rules.Register(
 			Links:               terraformEnableAtRestEncryptionLinks,
 			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, group := range s.AWS.ElastiCache.ReplicationGroups {

checks/cloud/aws/elasticache/enable_at_rest_encryption.rego

@@ -0,0 +1,37 @@
+# METADATA
+# title: Elasticache Replication Group stores unencrypted data at-rest.
+# description: |
+#   Data stored within an Elasticache replication node should be encrypted to ensure sensitive data is kept private.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html
+# custom:
+#   id: AVD-AWS-0045
+#   avd_id: AVD-AWS-0045
+#   provider: aws
+#   service: elasticache
+#   severity: HIGH
+#   short_code: enable-at-rest-encryption
+#   recommended_action: Enable at-rest encryption for replication group
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: elasticache
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#at_rest_encryption_enabled
+#     good_examples: checks/cloud/aws/elasticache/enable_at_rest_encryption.tf.go
+#     bad_examples: checks/cloud/aws/elasticache/enable_at_rest_encryption.tf.go
+package builtin.aws.elasticache.aws0045
+
+import rego.v1
+
+deny contains res if {
+	some group in input.aws.elasticache.replicationgroups
+	group.atrestencryptionenabled.value == false
+	res := result.new("Replication group does not have at-rest encryption enabled.", group.atrestencryptionenabled)
+}

checks/cloud/aws/elasticache/enable_at_rest_encryption_test.rego

@@ -0,0 +1,18 @@
+package builtin.aws.elasticache.aws0045_test
+
+import rego.v1
+
+import data.builtin.aws.elasticache.aws0045 as check
+import data.lib.test
+
+test_allow_with_encryption_enabled if {
+	inp := {"aws": {"elasticache": {"replicationgroups": [{"atrestencryptionenabled": {"value": true}}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
+
+test_deny_with_encryption_disabled if {
+	inp := {"aws": {"elasticache": {"replicationgroups": [{"atrestencryptionenabled": {"value": false}}]}}}
+
+	test.assert_equal_message("Replication group does not have at-rest encryption enabled.", check.deny) with input as inp
+}

checks/cloud/aws/elasticache/enable_backup_retention.go

@@ -33,7 +33,8 @@ var CheckEnableBackupRetention = rules.Register(
 			Links:               cloudFormationEnableBackupRetentionLinks,
 			RemediationMarkdown: cloudFormationEnableBackupRetentionRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, cluster := range s.AWS.ElastiCache.Clusters {