Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

added policy to check enable storage encryption for documentdb #1073

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
13 changes: 13 additions & 0 deletions avd_docs/aws/documentdb/AVD-AWS-0189/docs.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@

Ensure documentDB storage must be encrypted

### Impact
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}

### Links
- https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html


2 changes: 1 addition & 1 deletion avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
Storing secrets in configMaps is unsafe

### Impact
Unsafe storage of secret content in configMaps could lead to the information being compromised.
<!-- Add Impact here -->
SanaaYousaf marked this conversation as resolved.
Show resolved Hide resolved

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# METADATA
# title: "Documentdb Storage Encrypted"
# description: "Ensure documentDB storage must be encrypted"
# scope: package
# schemas:
# - input: schema.input
# related_resources:
# - https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html
# custom:
# avd_id: AVD-AWS-0189
# provider: aws
# service: documentdb
# severity: HIGH
# short_code: enable-storage-encryption
# recommended_action: "Encryption of the underlying storage used by DocumentDB ensures that if their is compromise of the disks, the data is still protected."
# input:
# selector:
# - type: cloud
package builtin.aws.documentdb.aws0189

deny[res] {
cluster := input.aws.documentdb.clusters[_]
not cluster.storageencrypted.value
res := result.new("Cluster storage does not have encryption enabled.", cluster.storageencrypted)
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
package builtin.aws.documentdb.aws0189

test_detects_when_decrypted {
r := deny with input as {"aws": {"documentdb": {"clusters": [{"storageencrypted": {"value": false}}]}}}
count(r) == 1
}

test_when_encrypted {
r := deny with input as {"aws": {"documentdb": {"clusters": [{"storageencrypted": {"value": true}}]}}}
count(r) == 0
}