Merge branch 'main' of github.com:krumIO/raid-rds into strike-messages

cmd/root.go

@@ -26,16 +26,17 @@ var (
 			Strikes.SQLFeatures,
 			Strikes.AutomatedBackups,
 			Strikes.MultiRegion,
+			Strikes.Encryption,
 		},
 		"CCC-Taxonomy": {
 			Strikes.SQLFeatures,
 			Strikes.AutomatedBackups,
 			Strikes.MultiRegion,
+			Strikes.Encryption,
+			Strikes.RBAC,
 			// Strikes.VerticalScaling,
 			// Strikes.Replication,
 			// Strikes.BackupRecovery,
-			// Strikes.Encryption,
-			// Strikes.RBAC,
 			// Strikes.Logging,
 			// Strikes.Monitoring,
 			// Strikes.Alerting,

strikes/Encryption.go

@@ -0,0 +1,75 @@
+package strikes
+
+import (
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/privateerproj/privateer-sdk/raidengine"
+	"github.com/privateerproj/privateer-sdk/utils"
+)
+
+// Todo/Roadmap: Features to evaluate implementing
+// Encryption.go - AWS CLI
+
+// This creates a database table
+func (a *Strikes) Encryption() (strikeName string, result raidengine.StrikeResult) {
+	strikeName = "Encryption"
+	result = raidengine.StrikeResult{
+		Passed:      false,
+		Description: "Check if storage is encrypted on the specified RDS instance",
+		DocsURL:     "https://www.github.com/krumIO/raid-rds",
+		ControlID:   "CCC-Taxonomy-1",
+		Movements:   make(map[string]raidengine.MovementResult),
+	}
+
+	// Get Configuration
+	cfg, err := getAWSConfig()
+	if err != nil {
+		result.Message = err.Error()
+		return
+	}
+
+	rdsInstanceMovement := checkRDSInstanceMovement(cfg)
+	result.Movements["CheckForDBInstance"] = rdsInstanceMovement
+	if !rdsInstanceMovement.Passed {
+		result.Message = rdsInstanceMovement.Message
+		return
+	}
+
+	storageEncryptedMovement := checkIfStorageIsEncryptedMovement(cfg)
+	result.Movements["CheckForStorageEncryption"] = storageEncryptedMovement
+	if !storageEncryptedMovement.Passed {
+		result.Message = storageEncryptedMovement.Message
+		return
+	}
+
+	result.Passed = true
+	result.Message = "Completed Successfully"
+	return
+}
+
+func checkIfStorageIsEncryptedMovement(cfg aws.Config) (result raidengine.MovementResult) {
+
+	result = raidengine.MovementResult{
+		Description: "Check if the instance has storage encryption enabled",
+		Function:    utils.CallerPath(0),
+	}
+
+	instanceIdentifier, _ := getHostDBInstanceIdentifier()
+
+	instance, err := getRDSInstanceFromIdentifier(cfg, instanceIdentifier)
+	if err != nil {
+		// Handle error
+		result.Message = err.Error()
+		result.Passed = false
+		return
+	}
+
+	if !instance.DBInstances[0].StorageEncrypted {
+		result.Message = "Storage encryption is not enabled"
+		result.Passed = false
+		return
+	}
+
+	// Loop through the instances and print information
+	result.Passed = true
+	return
+}

strikes/Encryption_test.go

@@ -0,0 +1,32 @@
+package strikes
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"github.com/spf13/viper"
+)
+
+func TestEncryption(t *testing.T) {
+	viper.AddConfigPath("../")
+	viper.SetConfigName("config")
+	viper.SetConfigType("yaml")
+	err := viper.ReadInConfig()
+
+	if err != nil {
+		fmt.Println("Config file not found...")
+		return
+	}
+
+	strikes := Strikes{}
+	strikeName, result := strikes.Encryption()
+
+	fmt.Println(strikeName)
+	b, err := json.MarshalIndent(result, "", "  ")
+	if err != nil {
+		fmt.Println(err)
+	}
+	fmt.Print(string(b))
+	fmt.Println()
+}

strikes/RBAC.go

@@ -0,0 +1,75 @@
+package strikes
+
+import (
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/privateerproj/privateer-sdk/raidengine"
+	"github.com/privateerproj/privateer-sdk/utils"
+)
+
+// Todo/Roadmap: Features to evaluate implementing
+// RBAC.go - AWS CLI
+
+// This creates a database table
+func (a *Strikes) RBAC() (strikeName string, result raidengine.StrikeResult) {
+	strikeName = "RBAC"
+	result = raidengine.StrikeResult{
+		Passed:      false,
+		Description: "Check if database IAM authentication is enabled on the specified RDS instance",
+		DocsURL:     "https://www.github.com/krumIO/raid-rds",
+		ControlID:   "CCC-Taxonomy-1",
+		Movements:   make(map[string]raidengine.MovementResult),
+	}
+
+	// Get Configuration
+	cfg, err := getAWSConfig()
+	if err != nil {
+		result.Message = err.Error()
+		return
+	}
+
+	rdsInstanceMovement := checkRDSInstanceMovement(cfg)
+	result.Movements["CheckForDBInstance"] = rdsInstanceMovement
+	if !rdsInstanceMovement.Passed {
+		result.Message = rdsInstanceMovement.Message
+		return
+	}
+
+	iamDatabaseAuthMovement := checkForIAMDatabaseAuthMovement(cfg)
+	result.Movements["CheckForIAMDatabaseAuth"] = iamDatabaseAuthMovement
+	if !iamDatabaseAuthMovement.Passed {
+		result.Message = iamDatabaseAuthMovement.Message
+		return
+	}
+
+	result.Passed = true
+	result.Message = "Completed Successfully"
+	return
+}
+
+func checkForIAMDatabaseAuthMovement(cfg aws.Config) (result raidengine.MovementResult) {
+
+	result = raidengine.MovementResult{
+		Description: "Check if the instance has IAM Database Authentication enabled",
+		Function:    utils.CallerPath(0),
+	}
+
+	instanceIdentifier, _ := getHostDBInstanceIdentifier()
+
+	instance, err := getRDSInstanceFromIdentifier(cfg, instanceIdentifier)
+	if err != nil {
+		// Handle error
+		result.Message = err.Error()
+		result.Passed = false
+		return
+	}
+
+	if !instance.DBInstances[0].IAMDatabaseAuthenticationEnabled {
+		result.Message = "IAM Database Authentication is not enabled"
+		result.Passed = false
+		return
+	}
+
+	// Loop through the instances and print information
+	result.Passed = true
+	return
+}

strikes/RBAC_test.go

@@ -0,0 +1,32 @@
+package strikes
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"github.com/spf13/viper"
+)
+
+func TestRBAC(t *testing.T) {
+	viper.AddConfigPath("../")
+	viper.SetConfigName("config")
+	viper.SetConfigType("yaml")
+	err := viper.ReadInConfig()
+
+	if err != nil {
+		fmt.Println("Config file not found...")
+		return
+	}
+
+	strikes := Strikes{}
+	strikeName, result := strikes.RBAC()
+
+	fmt.Println(strikeName)
+	b, err := json.MarshalIndent(result, "", "  ")
+	if err != nil {
+		fmt.Println(err)
+	}
+	fmt.Print(string(b))
+	fmt.Println()
+}