From 8cbac0e17b75e869bdb3ad3b9f90cb0b20b89d05 Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Tue, 11 Mar 2025 19:47:20 +0600
Subject: [PATCH] fix: not to check DB instances in AVD-AWS-0022

Signed-off-by: Nikita Pivkin
---
 .../documentdb/encryption_customer_key.rego | 11 --------
 .../encryption_customer_key_test.rego | 12 ---------
 test/rego/aws_document_db_test.go | 26 +------------------
 3 files changed, 1 insertion(+), 48 deletions(-)

diff --git a/checks/cloud/aws/documentdb/encryption_customer_key.rego b/checks/cloud/aws/documentdb/encryption_customer_key.rego
index d8b852cc..cd2e5e94 100644
--- a/checks/cloud/aws/documentdb/encryption_customer_key.rego
+++ b/checks/cloud/aws/documentdb/encryption_customer_key.rego
@@ -39,17 +39,6 @@ deny contains res if {
 	)
 }
 
-deny contains res if {
-	some cluster in input.aws.documentdb.clusters
-	some instance in cluster.instances
-	isManaged(instance)
-	without_cmk(instance)
-	res := result.new(
-		"Instance encryption does not use a customer-managed KMS key.",
-		metadata.obj_by_path(instance, ["kmskeyid"]),
-	)
-}
-
 without_cmk(obj) if value.is_empty(obj.kmskeyid)
 
 without_cmk(obj) if not obj.kmskeyid
diff --git a/checks/cloud/aws/documentdb/encryption_customer_key_test.rego b/checks/cloud/aws/documentdb/encryption_customer_key_test.rego
index 18e1f3bd..a785b588 100644
--- a/checks/cloud/aws/documentdb/encryption_customer_key_test.rego
+++ b/checks/cloud/aws/documentdb/encryption_customer_key_test.rego
@@ -11,20 +11,8 @@ test_allow_cluster_with_kms_key if {
 	test.assert_empty(check.deny) with input as inp
 }
 
-test_allow_instance_with_kms_key if {
-	inp := {"aws": {"documentdb": {"clusters": [{"kmskeyid": {"value": "test"}, "instances": [{"kmskeyid": {"value": "test"}}]}]}}}
-
-	test.assert_empty(check.deny) with input as inp
-}
-
 test_disallow_cluster_without_kms_key if {
 	inp := {"aws": {"documentdb": {"clusters": [{"kmskeyid": {"value": ""}}]}}}
 
 	test.assert_equal_message("Cluster encryption does not use a customer-managed KMS key.", check.deny) with input as inp
 }
-
-test_disallow_instance_without_kms_key if {
-	inp := {"aws": {"documentdb": {"clusters": [{"kmskeyid": {"value": "test"}, "instances": [{"kmskeyid": {"value": ""}}]}]}}}
-
-	test.assert_equal_message("Instance encryption does not use a customer-managed KMS key.", check.deny) with input as inp
-}
diff --git a/test/rego/aws_document_db_test.go b/test/rego/aws_document_db_test.go
index a8ae49eb..797f9574 100644
--- a/test/rego/aws_document_db_test.go
+++ b/test/rego/aws_document_db_test.go
@@ -96,36 +96,12 @@ var awsDocumentDBTestCases = testCases{
 		expected: true,
 	},
 	{
-		name: "DocDB Instance encryption missing KMS key",
+		name: "DocDB Cluster encrypted with proper KMS keys",
 		input: state.State{AWS: aws.AWS{DocumentDB: documentdb.DocumentDB{
 			Clusters: []documentdb.Cluster{
 				{
 					Metadata: trivyTypes.NewTestMetadata(),
 					KMSKeyID: trivyTypes.String("kms-key", trivyTypes.NewTestMetadata()),
-					Instances: []documentdb.Instance{
-						{
-							Metadata: trivyTypes.NewTestMetadata(),
-							KMSKeyID: trivyTypes.String("", trivyTypes.NewTestMetadata()),
-						},
-					},
-				},
-			},
-		}}},
-		expected: true,
-	},
-	{
-		name: "DocDB Cluster and Instance encrypted with proper KMS keys",
-		input: state.State{AWS: aws.AWS{DocumentDB: documentdb.DocumentDB{
-			Clusters: []documentdb.Cluster{
-				{
-					Metadata: trivyTypes.NewTestMetadata(),
-					KMSKeyID: trivyTypes.String("kms-key", trivyTypes.NewTestMetadata()),
-					Instances: []documentdb.Instance{
-						{
-							Metadata: trivyTypes.NewTestMetadata(),
-							KMSKeyID: trivyTypes.String("kms-key", trivyTypes.NewTestMetadata()),
-						},
-					},
 				},
 			},
 		}}},
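Review bot: The table loses all coverage of the behaviour this commit changes — a CMK-encrypted cluster whose instance carries an empty `KMSKeyID` must now produce no finding — because the old positive instance case is deleted rather than inverted, even though the `documentdb.Instance.KMSKeyID` field it exercised is still part of the model the removed lines reference. Keeping that fixture with `expected: false` pins the fix so a later rule cannot quietly re-introduce the instance-level false positive; the rego test removed in the same commit (`test_disallow_instance_without_kms_key`) could be inverted the same way to `test.assert_empty(check.deny)`. The `expected:` line of the renamed "encrypted with proper KMS keys" case sits outside the hunk, so confirm it is `false` rather than the `true` the old instance case carried. A one-line comment on the regression case, `// DocumentDB encryption settings live on the cluster; an instance-level KMSKeyID is intentionally not evaluated` (assuming that is the rationale behind the change), would record why the negative result is the expected one.
```go
{
	name: "DocDB Cluster encrypted with KMS key, instance without key is not flagged",
	input: state.State{AWS: aws.AWS{DocumentDB: documentdb.DocumentDB{
		Clusters: []documentdb.Cluster{
			{
				Metadata: trivyTypes.NewTestMetadata(),
				KMSKeyID: trivyTypes.String("kms-key", trivyTypes.NewTestMetadata()),
				Instances: []documentdb.Instance{
					{
						Metadata: trivyTypes.NewTestMetadata(),
						KMSKeyID: trivyTypes.String("", trivyTypes.NewTestMetadata()),
					},
				},
			},
		},
	}}},
	expected: false,
},
```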