refactor(checks): improve metadata retrieval

Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Oct 16, 2024 · 4809e39 · 4809e39
1 parent 9a8d5ab
commit 4809e39
Show file tree

Hide file tree

Showing 81 changed files with 491 additions and 182 deletions.
diff --git a/checks/cloud/aws/apigateway/enable_access_logging.rego b/checks/cloud/aws/apigateway/enable_access_logging.rego
@@ -33,16 +33,24 @@ package builtin.aws.apigateway.aws0001
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some stage in input.aws.apigateway.v1.apis[_].stages
  not logging_is_configured(stage)
- res := result.new("Access logging is not configured.", stage.accesslogging.cloudwatchloggrouparn)
+ res := result.new(
+ "Access logging is not configured.",
+ metadata.obj_by_path(stage, ["accesslogging", "cloudwatchloggrouparn"]),
+ )
 }
 
 deny contains res if {
  some stage in input.aws.apigateway.v2.apis[_].stages
  not logging_is_configured(stage)
- res := result.new("Access logging is not configured.", stage.accesslogging.cloudwatchloggrouparn)
+ res := result.new(
+ "Access logging is not configured.",
+ metadata.obj_by_path(stage, ["accesslogging", "cloudwatchloggrouparn"]),
+ )
 }
 
 logging_is_configured(stage) if {

diff --git a/checks/cloud/aws/apigateway/enable_cache.rego b/checks/cloud/aws/apigateway/enable_cache.rego
@@ -30,6 +30,8 @@ package builtin.aws.apigateway.aws0190
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some api in input.aws.apigateway.v1.apis
  isManaged(api)
@@ -40,6 +42,6 @@ deny contains res if {
  not settings.cacheenabled.value
  res := result.new(
  "Cache data is not enabled.",
- object.get(settings, "cacheenabled", settings),
+ metadata.obj_by_path(settings, ["cacheenabled"]),
  )
 }
diff --git a/checks/cloud/aws/apigateway/enable_cache_encryption.rego b/checks/cloud/aws/apigateway/enable_cache_encryption.rego
@@ -28,6 +28,8 @@ package builtin.aws.apigateway.aws0002
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some api in input.aws.apigateway.v1.apis
  isManaged(api)
@@ -37,8 +39,9 @@ deny contains res if {
  isManaged(settings)
  settings.cacheenabled.value
  not settings.cachedataencrypted.value
+
  res := result.new(
  "Cache data is not encrypted.",
- object.get(settings, "cachedataencrypted", settings),
+ metadata.obj_by_path(settings, ["cachedataencrypted"]),
  )
 }
diff --git a/checks/cloud/aws/apigateway/enable_tracing.rego b/checks/cloud/aws/apigateway/enable_tracing.rego
@@ -28,6 +28,8 @@ package builtin.aws.apigateway.aws0003
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some api in input.aws.apigateway.v1.apis
  isManaged(api)
@@ -36,6 +38,6 @@ deny contains res if {
  not stage.xraytracingenabled.value
  res := result.new(
  "X-Ray tracing is not enabled.",
- object.get(stage, "xraytracingenabled", stage),
+ metadata.obj_by_path(stage, ["xraytracingenabled"]),
  )
 }
diff --git a/checks/cloud/aws/apigateway/use_secure_tls_policy.rego b/checks/cloud/aws/apigateway/use_secure_tls_policy.rego
@@ -30,12 +30,14 @@ package builtin.aws.apigateway.aws0005
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some domain in input.aws.apigateway.v1.domainnames
  not is_tls_1_2(domain)
  res := result.new(
  "Domain name is configured with an outdated TLS policy.",
- object.get(domain, "securitypolicy", domain),
+ metadata.obj_by_path(domain, "securitypolicy"),
  )
 }
 
@@ -44,7 +46,7 @@ deny contains res if {
  not is_tls_1_2(domain)
  res := result.new(
  "Domain name is configured with an outdated TLS policy.",
- object.get(domain, "securitypolicy", domain),
+ metadata.obj_by_path(domain, "securitypolicy"),
  )
 }
 

diff --git a/checks/cloud/aws/athena/enable_at_rest_encryption.rego b/checks/cloud/aws/athena/enable_at_rest_encryption.rego
@@ -34,20 +34,28 @@ package builtin.aws.athena.aws0006
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 encryption_type_none := ""
 
 deny contains res if {
  some workgroup in input.aws.athena.workgroups
- is_encryption_type_none(workgroup.encryption)
- res := result.new("Workgroup does not have encryption configured.", workgroup)
+ not is_encrypted(workgroup)
+ res := result.new(
+ "Workgroup does not have encryption configured.",
+ metadata.obj_by_path(workgroup, ["encryption", "type"]),
+ )
 }
 
 deny contains res if {
  some database in input.aws.athena.databases
- is_encryption_type_none(database.encryption)
- res := result.new("Database does not have encryption configured.", database)
+ not is_encrypted(database)
+ res := result.new(
+ "Database does not have encryption configured.",
+ metadata.obj_by_path(database, ["encryption", "type"]),
+ )
 }
 
-is_encryption_type_none(encryption) if {
- encryption.type.value == encryption_type_none
+is_encrypted(obj) if {
+ obj.encryption.type.value != encryption_type_none
 }
diff --git a/checks/cloud/aws/athena/no_encryption_override.rego b/checks/cloud/aws/athena/no_encryption_override.rego
@@ -33,8 +33,13 @@ package builtin.aws.athena.aws0007
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some workgroup in input.aws.athena.workgroups
  not workgroup.enforceconfiguration.value
- res := result.new("The workgroup configuration is not enforced.", workgroup.enforceconfiguration)
+ res := result.new(
+ "The workgroup configuration is not enforced.",
+ metadata.obj_by_path(workgroup, ["enforceconfiguration"]),
+ )
 }
diff --git a/checks/cloud/aws/cloudfront/enable_logging.rego b/checks/cloud/aws/cloudfront/enable_logging.rego
@@ -33,12 +33,14 @@ package builtin.aws.cloudfront.aws0010
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some dist in input.aws.cloudfront.distributions
  not has_logging_bucket(dist)
  res := result.new(
  "Distribution does not have logging enabled",
- object.get(dist, ["logging", "bucket"], dist),
+ metadata.obj_by_path(dist, ["logging", "bucket"]),
  )
 }
 

diff --git a/checks/cloud/aws/cloudfront/use_secure_tls_policy.rego b/checks/cloud/aws/cloudfront/use_secure_tls_policy.rego
@@ -39,13 +39,15 @@ import rego.v1
 
 protocol_version_tls1_2_2021 = "TLSv1.2_2021"
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some dist in input.aws.cloudfront.distributions
  not dist.viewercertificate.cloudfrontdefaultcertificate.value
  not is_tls_1_2(dist)
  res := result.new(
  "Distribution allows unencrypted communications.",
- object.get(dist, ["viewercertificate", "minimumprotocolversion"], dist),
+ metadata.obj_by_path(dist, ["viewercertificate", "minimumprotocolversion"]),
  )
 }
 

diff --git a/checks/cloud/aws/cloudtrail/enable_all_regions.rego b/checks/cloud/aws/cloudtrail/enable_all_regions.rego
@@ -38,8 +38,13 @@ package builtin.aws.cloudtrail.aws0014
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some trail in input.aws.cloudtrail.trails
  not trail.ismultiregion.value
- res := result.new("Trail is not enabled across all regions.", trail.ismultiregion)
+ res := result.new(
+ "Trail is not enabled across all regions.",
+ metadata.obj_by_path(trail, ["ismultiregion"]),
+ )
 }
diff --git a/checks/cloud/aws/cloudtrail/enable_log_validation.rego b/checks/cloud/aws/cloudtrail/enable_log_validation.rego
@@ -33,8 +33,13 @@ package builtin.aws.cloudtrail.aws0016
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some trail in input.aws.cloudtrail.trails
  not trail.enablelogfilevalidation.value
- res := result.new("Trail does not have log validation enabled.", trail.enablelogfilevalidation)
+ res := result.new(
+ "Trail does not have log validation enabled.",
+ metadata.obj_by_path(trail, ["enablelogfilevalidation"]),
+ )
 }
diff --git a/checks/cloud/aws/cloudtrail/encryption_customer_key.rego b/checks/cloud/aws/cloudtrail/encryption_customer_key.rego
@@ -36,8 +36,15 @@ package builtin.aws.cloudtrail.aws0015
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some trail in input.aws.cloudtrail.trails
- trail.kmskeyid.value == ""
- res := result.new("CloudTrail does not use a customer managed key to encrypt the logs.", trail.kmskeyid)
+ not use_cms(trail)
+ res := result.new(
+ "CloudTrail does not use a customer managed key to encrypt the logs.",
+ metadata.obj_by_path(trail, ["kmskeyid"]),
+ )
 }
+
+use_cms(trail) if trail.kmskeyid.value != ""
diff --git a/checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.rego b/checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.rego
@@ -46,8 +46,15 @@ package builtin.aws.cloudtrail.aws0162
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some trail in input.aws.cloudtrail.trails
- trail.cloudwatchlogsloggrouparn.value == ""
- res := result.new("Trail does not have CloudWatch logging configured", trail)
+ not is_logging_configured(trail)
+ res := result.new(
+ "Trail does not have CloudWatch logging configured",
+ metadata.obj_by_path(trail, ["cloudwatchlogsloggrouparn"]),
+ )
 }
+
+is_logging_configured(trail) if trail.cloudwatchlogsloggrouparn.value != ""
diff --git a/checks/cloud/aws/cloudtrail/require_bucket_access_logging.rego b/checks/cloud/aws/cloudtrail/require_bucket_access_logging.rego
@@ -42,6 +42,8 @@ package builtin.aws.cloudtrail.aws0163
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some trail in input.aws.cloudtrail.trails
  trail.bucketname.value != ""
@@ -50,5 +52,8 @@ deny contains res if {
  bucket.name.value == trail.bucketname.value
  not bucket.logging.enabled.value
 
- res := result.new("Trail S3 bucket does not have logging enabled", bucket)
+ res := result.new(
+ "Trail S3 bucket does not have logging enabled",
+ metadata.obj_by_path(bucket, ["name"]),
+ )
 }
diff --git a/checks/cloud/aws/cloudwatch/log_group_customer_key.rego b/checks/cloud/aws/cloudwatch/log_group_customer_key.rego
@@ -33,8 +33,15 @@ package builtin.aws.cloudwatch.aws0017
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some group in input.aws.cloudwatch.loggroups
- group.kmskeyid.value == ""
- res := result.new("Log group is not encrypted.", group)
+ not has_cms(group)
+ res := result.new(
+ "Log group is not encrypted.",
+ metadata.obj_by_path(group, ["kmskeyid"]),
+ )
 }
+
+has_cms(group) if group.kmskeyid.value != ""
diff --git a/checks/cloud/aws/codebuild/enable_encryption.rego b/checks/cloud/aws/codebuild/enable_encryption.rego
@@ -34,16 +34,25 @@ package builtin.aws.codebuild.aws0018
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some project in input.aws.codebuild.projects
- encryptionenabled := project.artifactsettings.encryptionenabled
- not encryptionenabled.value
- res := result.new("Encryption is not enabled for project artifacts.", encryptionenabled)
+ not is_encryption_enabled(project.artifactsettings)
+ res := result.new(
+ "Encryption is not enabled for project artifacts.",
+ metadata.obj_by_path(project, ["artifactsettings", "encryptionenabled"]),
+ )
 }
 
+is_encryption_enabled(settings) if settings.encryptionenabled.value
+
 deny contains res if {
  some project in input.aws.codebuild.projects
  some setting in project.secondaryartifactsettings
- not setting.encryptionenabled.value
- res := result.new("Encryption is not enabled for secondary project artifacts.", setting.encryptionenabled)
+ not is_encryption_enabled(setting)
+ res := result.new(
+ "Encryption is not enabled for secondary project artifacts.",
+ metadata.obj_by_path(setting, ["encryptionenabled"]),
+ )
 }
diff --git a/checks/cloud/aws/config/aggregate_all_regions.rego b/checks/cloud/aws/config/aggregate_all_regions.rego
@@ -34,9 +34,14 @@ package builtin.aws.config.aws0019
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  cfg_aggregator := input.aws.config.configurationaggregrator
- cfg_aggregator.__defsec_metadata.managed
+ isManaged(cfg_aggregator)
  not cfg_aggregator.sourceallregions.value
- res := result.new("Configuration aggregation is not set to source from all regions.", cfg_aggregator.sourceallregions)
+ res := result.new(
+ "Configuration aggregation is not set to source from all regions.",
+ metadata.obj_by_path(cfg_aggregator, ["sourceallregions"]),
+ )
 }
diff --git a/checks/cloud/aws/documentdb/enable_storage_encryption.rego b/checks/cloud/aws/documentdb/enable_storage_encryption.rego
@@ -33,8 +33,13 @@ package builtin.aws.documentdb.aws0021
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some cluster in input.aws.documentdb.clusters
  not cluster.storageencrypted.value
- res := result.new("Cluster storage does not have encryption enabled.", cluster.storageencrypted)
+ res := result.new(
+ "Cluster storage does not have encryption enabled.",
+ metadata.obj_by_path(cluster, ["storageencrypted"]),
+ )
 }
diff --git a/checks/cloud/aws/documentdb/encryption_customer_key.rego b/checks/cloud/aws/documentdb/encryption_customer_key.rego
@@ -33,17 +33,27 @@ package builtin.aws.documentdb.aws0022
 
 import rego.v1
 
+import data.lib.cloud.metadata
+
 deny contains res if {
  some cluster in input.aws.documentdb.clusters
- cluster.kmskeyid.value == ""
-
- res := result.new("Cluster encryption does not use a customer-managed KMS key.", cluster)
+ isManaged(cluster)
+ not has_cms(cluster)
+ res := result.new(
+ "Cluster encryption does not use a customer-managed KMS key.",
+ metadata.obj_by_path(cluster, ["kmskeyid"]),
+ )
 }
 
 deny contains res if {
  some cluster in input.aws.documentdb.clusters
  some instance in cluster.instances
- instance.kmskeyid.value == ""
-
- res := result.new("Instance encryption does not use a customer-managed KMS key.", cluster)
+ isManaged(instance)
+ not has_cms(instance)
+ res := result.new(
+ "Instance encryption does not use a customer-managed KMS key.",
+ metadata.obj_by_path(instance, ["kmskeyid"]),
+ )
 }
+
+has_cms(obj) if obj.kmskeyid.value != ""