Merge pull request #6619 from Checkmarx/kics-785-cloudformation

feat(query): cloudformation DynamoDB Table Not Encrypted

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "0f04217d-488f-4e7a-bec8-f16159686cd6",
+  "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+  "severity": "MEDIUM",
+  "category": "Best Practices",
+  "descriptionText": "It's considered a best practice to have point in time recovery enabled for DynamoDB Table",
+  "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-pointintimerecoveryspecification.html",
+  "platform": "CloudFormation",
+  "descriptionID": "a0a51171",
+  "cloudProvider": "aws"
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/query.rego

@@ -0,0 +1,62 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.cloudformation as cf_lib
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::DynamoDB::Table"
+	properties := resource.Properties
+
+	properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == false
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", [key]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", [key]),
+		"keyActualValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'", [key]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::DynamoDB::Table"
+	properties := resource.Properties
+
+	not common_lib.valid_key(properties, "PointInTimeRecoverySpecification")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties", [key]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", [key]),
+		"keyActualValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification is not defined", [key]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document[i]
+	resource := document.Resources[key]
+	resource.Type == "AWS::DynamoDB::Table"
+	properties := resource.Properties
+	specification := properties.PointInTimeRecoverySpecification
+
+	not common_lib.valid_key(specification, "PointInTimeRecoveryEnabled")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, key),
+		"searchKey": sprintf("Resources.%s.Properties.PointInTimeRecoverySpecification", [key]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", [key]),
+		"keyActualValue": sprintf("Resources[%s].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined", [key]),
+	}
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/negative1.yaml

@@ -0,0 +1,6 @@
+Resources:
+  MyDynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      PointInTimeRecoverySpecification: 
+        PointInTimeRecoveryEnabled: true

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/negative2.json

@@ -0,0 +1,15 @@
+{
+  "Resources": {
+    "DynamoDBOnDemandTable1": {
+      "Type": "AWS::DynamoDB::Table",
+      "Properties": {
+        "BillingMode": "PAY_PER_REQUEST",
+        "PointInTimeRecoverySpecification" : {
+          "PointInTimeRecoveryEnabled" : true
+        }
+      }
+    },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+  }
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive1.yaml

@@ -0,0 +1,6 @@
+Resources:
+  MyDynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      PointInTimeRecoverySpecification: 
+        PointInTimeRecoveryEnabled: false

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive2.yaml

@@ -0,0 +1,5 @@
+Resources:
+  MyDynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      TableName: my-table

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive3.json

@@ -0,0 +1,15 @@
+{
+  "Resources": {
+    "DynamoDBOnDemandTable1": {
+      "Type": "AWS::DynamoDB::Table",
+      "Properties": {
+        "BillingMode": "PAY_PER_REQUEST",
+        "PointInTimeRecoverySpecification" : {
+          "PointInTimeRecoveryEnabled" : false
+        }
+      }
+    },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+  }
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive4.json

@@ -0,0 +1,12 @@
+{
+  "Resources": {
+    "DynamoDBOnDemandTable1": {
+      "Type": "AWS::DynamoDB::Table",
+      "Properties": {
+        "BillingMode": "PAY_PER_REQUEST"
+      }
+    },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+  }
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive5.yaml

@@ -0,0 +1,5 @@
+Resources:
+  MyDynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      PointInTimeRecoverySpecification: {}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive6.json

@@ -0,0 +1,13 @@
+{
+  "Resources": {
+    "DynamoDBOnDemandTable1": {
+      "Type": "AWS::DynamoDB::Table",
+      "Properties": {
+        "BillingMode": "PAY_PER_REQUEST",
+        "PointInTimeRecoverySpecification" : {}
+      }
+    },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+  }
+}

assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json

@@ -0,0 +1,38 @@
+[
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 6,
+    "filename": "positive1.yaml"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 4,
+    "filename": "positive2.yaml"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 8,
+    "filename": "positive3.json"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 5,
+    "filename": "positive4.json"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 5,
+    "filename": "positive5.yaml"
+  },
+  {
+    "queryName": "DynamoDB Table Point In Time Recovery Disabled",
+    "severity": "MEDIUM",
+    "line": 7,
+    "filename": "positive6.json"
+  }
+]