Merge pull request #26 from aquasecurity/dedupe-avd-aws-0180

chore(rules): dedupe AVD-AWS-0180
aquasecurity · Oct 24, 2023 · d9abb81 · d9abb81
2 parents 0572a07 + 2f852d6
commit d9abb81
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 139 deletions.
diff --git a/...olicies/aws/rds/no_public_db_access.cf.go → ...icies/aws/rds/disable_public_access.cf.go b/...olicies/aws/rds/no_public_db_access.cf.go → ...icies/aws/rds/disable_public_access.cf.go
diff --git a/rules/cloud/policies/aws/rds/disable_public_access.rego b/rules/cloud/policies/aws/rds/disable_public_access.rego
@@ -1,6 +1,6 @@
 # METADATA
 # title: "RDS Publicly Accessible"
-# description: "Ensures RDS instances are not launched into the public cloud."
+# description: "Ensures RDS instances and RDS Cluster instances are not launched into the public cloud."
 # scope: package
 # schemas:
 # - input: schema["cloud"]
@@ -12,17 +12,17 @@
 #   service: rds
 #   severity: HIGH
 #   short_code: enable-public-access
-#   recommended_action: "Remove the public endpoint from the RDS instance'"
+#   recommended_action: "Remove the public endpoint from the RDS instance."
 #   input:
 #     selector:
 #     - type: cloud
 #       subtypes:
 #         - service: rds
 #           provider: aws
 #   terraform:
-#       good_examples: "rules/cloud/policies/aws/rds/no_public_db_access.tf.go"
+#       good_examples: "rules/cloud/policies/aws/rds/disable_public_access.tf.go"
 #   cloud_formation:
-#       good_examples: "rules/cloud/policies/aws/rds/no_public_db_access.cf.go"
+#       good_examples: "rules/cloud/policies/aws/rds/disable_public_access.cf.go"
 
 package builtin.aws.rds.aws0180
 
@@ -31,3 +31,9 @@ deny[res] {
 	instance.publicaccess.value
 	res := result.new("Instance has Public Access enabled", instance.publicaccess)
 }
+
+deny[res] {
+	instance := input.aws.rds.clusters[_].instances[_].instance
+	instance.publicaccess.value
+	res := result.new("Cluster instance has Public Access enabled", instance.publicaccess)
+}
diff --git a/...olicies/aws/rds/no_public_db_access.tf.go → ...icies/aws/rds/disable_public_access.tf.go b/...olicies/aws/rds/no_public_db_access.tf.go → ...icies/aws/rds/disable_public_access.tf.go
diff --git a/rules/cloud/policies/aws/rds/disable_public_access_test.rego b/rules/cloud/policies/aws/rds/disable_public_access_test.rego
@@ -9,3 +9,13 @@ test_when_enabled {
 	r := deny with input as {"aws": {"rds": {"instances": [{"publicaccess": {"value": true}}]}}}
 	count(r) == 1
 }
+
+test_when_cluster_disabled {
+	r := deny with input as {"aws": {"rds": {"clusters": [{"instances": [{"instance": {"publicaccess": {"value": false}}}]}]}}}
+	count(r) == 0
+}
+
+test_when_cluster_enabled {
+	r := deny with input as {"aws": {"rds": {"clusters": [{"instances": [{"instance": {"publicaccess": {"value": true}}}]}]}}}
+	count(r) == 1
+}
diff --git a/rules/cloud/policies/aws/rds/no_public_db_access.go b/rules/cloud/policies/aws/rds/no_public_db_access.go
diff --git a/rules/cloud/policies/aws/rds/no_public_db_access_test.go b/rules/cloud/policies/aws/rds/no_public_db_access_test.go