FS-Azure/mysqlCmk

aquasecurity · Jul 14, 2024 · 69e81c4 · 69e81c4
1 parent 3d86c5d
commit 69e81c4
Show file tree

Hide file tree

Showing 3 changed files with 157 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -867,6 +867,7 @@ module.exports = {
         'mysqlFlexibleServersMinTls'    : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js'),
         'mysqlFlexibleServerVersion'    : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerVersion.js'),
         'mysqlServerHasTags'            : require(__dirname + '/plugins/azure/mysqlserver/mysqlServerHasTags.js'),
+        'mysqlFlexibleServerCMKEncrypted': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js'),
         'mysqlFlexibleServerPublicAccess': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js'),
         'mysqlFlexibleServerDignosticLogs': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerDignosticLogs.js'),
         'mysqlFlexibleServerIdentity'   : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerIdentity.js'),

diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
@@ -0,0 +1,53 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'MySQL Flexible Server CMK Encrypted',
+    category: 'MySQL Server',
+    domain: 'Databases',
+    severity: 'High',
+    description: 'Ensures that MySQL flexible servers are encrypted using CMK.',
+    more_info: 'MySQL flexible server allows you to encrypt data using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault.',
+    recommended_action: 'Modify MySQL flexible server and disable public network access.',
+    link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-customer-managed-key',
+    apis: ['servers:listMysqlFlexibleServer'],   
+    realtime_triggers: ['microsoftdbformysql:flexibleservers:write','microsoftdbformysql:flexibleservers:delete'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.servers, (location, rcb) => {
+            const servers = helpers.addSource(cache, source,
+                ['servers', 'listMysqlFlexibleServer', location]);
+
+            if (!servers) return rcb();
+
+            if (servers.err || !servers.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for MySQL flexible servers: ' + helpers.addError(servers), location);
+                return rcb();
+            }
+
+            if (!servers.data.length) {
+                helpers.addResult(results, 0, 'No existing MySQL flexible servers found', location);
+                return rcb();
+            }
+
+            for (var flexibleServer of servers.data) {
+                if (!flexibleServer.id) continue;
+
+                if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.primaryKeyURI ) {
+                    helpers.addResult(results, 0, 'MySQL flexible server is encrypted using CMK', location, flexibleServer.id);
+                } else {
+                    helpers.addResult(results, 2, 'MySQL flexible server is not encrypted using CMK', location, flexibleServer.id);
+                }
+            }
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
@@ -0,0 +1,103 @@
+var assert = require('assert');
+var expect = require('chai').expect;
+var auth = require('./mysqlFlexibleServerCMKEncrypted');
+
+const createCache = (err, list) => {
+    return {
+        servers: {
+            listMysqlFlexibleServer: {
+                'eastus': {
+                    err: err,
+                    data: list
+                }
+            }
+        }
+    }
+};
+
+describe('mysqlFlexibleServerManagedIdentity', function() {
+    describe('run', function() {
+        it('should PASS if no existing servers found', function(done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing MySQL flexible servers found');
+                expect(results[0].region).to.equal('eastus');
+                done()
+            };
+
+            const cache = createCache(
+                null,
+                [],
+                {}
+            );
+
+            auth.run(cache, {}, callback);
+        });
+
+        it('should FAIL if MySQL server is not CMK encrypted', function(done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('MySQL flexible server is not encrypted using CMK');
+                expect(results[0].region).to.equal('eastus');
+                done()
+            };
+
+            const cache = createCache(
+                null,
+                [
+                    {
+                        "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+                        "type": "Microsoft.DBforMySQL/flexibleServers",
+                        "version": '5.8'
+                    }
+                ],
+            );
+
+            auth.run(cache, {}, callback);
+        });
+
+        it('should PASS if MySQL server is CMK encrypted', function(done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('MySQL flexible server is encrypted using CMK');
+                expect(results[0].region).to.equal('eastus');
+                done()
+            };
+
+            const cache = createCache(
+                null,
+                [
+                    {
+                        "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+                        "type": "Microsoft.DBforMySQL/flexibleServers",
+                        "version": "8.0",
+                        "dataEncryption": {
+                            "primaryKeyURI" : "https://test.vault.azure.net/keys/test2/9e0e3453676456e"
+                        }
+                    }
+                ]
+            );
+
+            auth.run(cache, {}, callback);
+        });
+
+        it('should UNKNOWN if unable to query for server', function(done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for MySQL flexible servers: ');
+                expect(results[0].region).to.equal('eastus');
+                done()
+            };
+
+            const cache = createCache(
+                null, null
+            );
+
+            auth.run(cache, {}, callback);
+        });
+    })
+})