From 139668d97fb724ad932841af19a3b82fd7fc486c Mon Sep 17 00:00:00 2001
From: sanaayousaf
Date: Thu, 24 Nov 2022 10:53:42 +0000
Subject: [PATCH 1/2] added policy to check encyption enable for efs

---
 avd_docs/aws/efs/AVD-AWS-0194/docs.md | 13 ++++++++++
 .../kubernetes/general/AVD-KSV-01010/docs.md | 2 +-
 .../kubernetes/general/AVD-KSV-0107/docs.md | 5 +++-
 .../kubernetes/general/AVD-KSV-0108/docs.md | 4 +--
 .../kubernetes/general/AVD-KSV-0109/docs.md | 2 +-
 .../aws/efs/enable_at_rest_encryption.rego | 25 +++++++++++++++++++
 .../efs/enable_at_rest_encryption_test.rego | 11 ++++++++
 7 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 avd_docs/aws/efs/AVD-AWS-0194/docs.md
 create mode 100644 internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego
 create mode 100644 internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego

diff --git a/avd_docs/aws/efs/AVD-AWS-0194/docs.md b/avd_docs/aws/efs/AVD-AWS-0194/docs.md
new file mode 100644
index 000000000..e00635ac8
--- /dev/null
+++ b/avd_docs/aws/efs/AVD-AWS-0194/docs.md
@@ -0,0 +1,13 @@
+
+Ensures that EFS volumes are encrypted at rest
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/efs/latest/ug/encryption.html
+
+
diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
index 1cee68f20..f69f12cad 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
@@ -2,7 +2,7 @@
 Storing sensitive content such as usernames and email addresses in configMaps is unsafe
 
 ### Impact
-Unsafe storage of sensitive content in configMaps could lead to the information being compromised.
+
 
 {{ remediationActions }}
 
diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md
index e8258523c..6af76b2a2 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -1,5 +1,5 @@ -apiVersion and kind has been deprecated +apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:'' ### Impact @@ -7,4 +7,7 @@ apiVersion and kind has been deprecated {{ remediationActions }} +### Links +- + diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 8d55a3498..9c1e77234 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -2,8 +2,8 @@ Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554 ### Impact -Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. -https://www.cvedetails.com/cve/CVE-2020-8554/ + + {{ remediationActions }} diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md index d215353f0..70bba0fb1 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md @@ -2,7 +2,7 @@ Storing secrets in configMaps is unsafe ### Impact -Unsafe storage of secret content in configMaps could lead to the information being compromised. + {{ remediationActions }} diff --git a/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego b/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego new file mode 100644 index 000000000..009a0ad46 --- /dev/null +++ b/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego 
@@ -0,0 +1,25 @@
+# METADATA
+# title: "EFS Encryption Enabled"
+# description: "Ensures that EFS volumes are encrypted at rest"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://docs.aws.amazon.com/efs/latest/ug/encryption.html
+# custom:
+# avd_id: AVD-AWS-0194
+# provider: aws
+# service: efs
+# severity: HIGH
+# short_code: enable-at-rest-encryption
+# recommended_action: "Encryption of data at rest can only be enabled during file system creation. Encryption of data in transit is configured when mounting your file system. 1. Backup your data in not encrypted efs 2. Recreate the EFS and select \'Enable encryption of data at rest\'"
+# input:
+# selector:
+# - type: cloud
+package builtin.aws.efs.aws0193
+
+deny[res] {
+ fs := input.aws.efs.filesystems[_]
+ not fs.encrypted.value
+ res := result.new("File system is not encrypted.", fs.encrypted)
+}
\ No newline at end of file
diff --git a/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego b/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego
new file mode 100644
index 000000000..f54505dc2
--- /dev/null
+++ b/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego
@@ -0,0 +1,11 @@
+package builtin.aws.efs.aws0193
+
+test_detects_when_decrypted {
+ r := deny with input as {"aws": {"efs": {"filesystems": [{"encrypted": {"value": false}}]}}}
+ count(r) == 1
+}
+
+test_when_encrypted {
+ r := deny with input as {"aws": {"efs": {"filesystems": [{"encrypted": {"value": true}}]}}}
+ count(r) == 0
+}
\ No newline at end of file

From 4c30692b1e65f23b09179e1d3d4c6c79eb9c17ad Mon Sep 17 00:00:00 2001
From: sanaayousaf
Date: Fri, 25 Nov 2022 14:43:06 +0000
Subject: [PATCH 2/2] ammend

---
 .../cloud/policies/aws/efs/enable_at_rest_encryption.rego | 2 +-
 .../cloud/policies/aws/efs/enable_at_rest_encryption_test.rego | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

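Review bot: The `recommended_action` value in the METADATA block escapes its single quotes as `\'`, which is not a valid escape inside a YAML double-quoted scalar; OPA parses the METADATA comment as YAML, so this annotation is likely to be rejected and the rule may fail to load or silently lose its metadata. Dropping the backslashes is enough, i.e. end the string with `… 2. Recreate the EFS and select 'Enable encryption of data at rest'"` (and "Backup your data in not encrypted efs" reads better as "Back up the data in the unencrypted EFS"). Separately, `not fs.encrypted.value` also holds when `fs.encrypted` is absent, but `result.new("File system is not encrypted.", fs.encrypted)` is then undefined, so a file system whose encryption state the adapter did not populate yields no finding at all rather than a failure. Either confirm the adapter always sets `encrypted` on every file system, or add a second `deny` body for the missing-field case that passes `fs` itself as the result object.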
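Review bot: The two tests only cover `encrypted.value` being `true` or `false`, so the case the rule handles least obviously — a file system with no `encrypted` field, where `not fs.encrypted.value` succeeds but `result.new(..., fs.encrypted)` is undefined — is untested, as is a mixed input proving the rule flags only the unencrypted resource. A third test feeding `[{"encrypted": {"value": true}}, {"encrypted": {"value": false}}]` and asserting `count(r) == 1`, plus one feeding `[{}]` that pins whichever outcome is intended for a missing field, would cover both. The name `test_detects_when_decrypted` is also misleading since nothing is decrypted; `test_detects_when_unencrypted` matches what the input represents.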
diff --git a/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego b/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego
index 009a0ad46..314b624d5 100644
--- a/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego
+++ b/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego
@@ -16,7 +16,7 @@
 # input:
 # selector:
 # - type: cloud
-package builtin.aws.efs.aws0193
+package builtin.aws.efs.aws0194
 
 deny[res] {
 fs := input.aws.efs.filesystems[_]
diff --git a/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego b/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego
index f54505dc2..a6d734b46 100644
--- a/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego
+++ b/internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego
@@ -1,4 +1,4 @@
-package builtin.aws.efs.aws0193
+package builtin.aws.efs.aws0194
 
 test_detects_when_decrypted {
 r := deny with input as {"aws": {"efs": {"filesystems": [{"encrypted": {"value": false}}]}}}