Add query to check if there isnt a ConfigRule for Encrypted Volumes C…

…heckmarx#2496 (Checkmarx#2504)

assets/libraries/cloudformation/library.rego

@@ -1 +1,5 @@
 package generic.cloudformation
+
+getResourcesByType(resources, type) = list {
+    list = [resource | resources[i].Type == type; resource := resources[i]]
+}

assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json

@@ -1,6 +1,6 @@
 {
   "id": "7674a686-e4b1-4a95-83d4-1fd53c623d84",
-  "queryName": "Config Rule For Encrypted Volumes Is Disabled",
+  "queryName": "Config Rule For Encrypted Volumes Disabled",
   "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "Check if AWS config rules do not identify Encrypted Volumes as a source.",

assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json

@@ -1,6 +1,6 @@
 [
   {
-    "queryName": "Config Rule For Encrypted Volumes Is Disabled",
+    "queryName": "Config Rule For Encrypted Volumes Disabled",
     "severity": "MEDIUM",
     "line": 2
   }

assets/queries/cloudFormation/config_rule_for_encryption_volumes_disabled/metadata.json

@@ -0,0 +1,9 @@
+{
+	"id": "1b6322d9-c755-4f8c-b804-32c19250f2d9",
+	"queryName": "Config Rule For Encrypted Volumes Disabled",
+	"severity": "MEDIUM",
+	"category": "Encryption",
+	"descriptionText": "Check if AWS config rules do not identify Encrypted Volumes as a source.",
+	"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html#cfn-config-configrule-source",
+	"platform": "CloudFormation"
+}

assets/queries/cloudFormation/config_rule_for_encryption_volumes_disabled/query.rego

@@ -0,0 +1,29 @@
+package Cx
+
+import data.generic.cloudformation as cfLib
+
+CxPolicy[result] {
+	resources := input.document[i].Resources
+    configRules := cfLib.getResourcesByType(resources, "AWS::Config::ConfigRule")
+
+    count(configRules) > 0
+    not hasEncryptedVolsRule(configRules)
+
+    firstRule := resources[name]
+    firstRule.Type == "AWS::Config::ConfigRule"
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("Resources.%s", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "There is a ConfigRule for encrypted volumes.",
+		"keyActualValue": "There isn't a ConfigRule for encrypted volumes."
+	}
+}
+
+hasEncryptedVolsRule(configRules) {
+    configRule := configRules[_]
+    source := configRule.Properties.Source
+    source_id := source.SourceIdentifier
+    source_id == "ENCRYPTED_VOLUMES"
+}

assets/queries/cloudFormation/config_rule_for_encryption_volumes_disabled/test/negative1.yaml

@@ -0,0 +1,12 @@
+Resources:
+  ConfigRule:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: access-keys-rotated
+      InputParameters:
+        maxAccessKeyAge: 90
+      Source:
+        Owner: AWS
+        SourceIdentifier: ENCRYPTED_VOLUMES
+      MaximumExecutionFrequency: TwentyFour_Hours
+

assets/queries/cloudFormation/config_rule_for_encryption_volumes_disabled/test/negative2.json

@@ -0,0 +1,18 @@
+{
+  "Resources": {
+    "ConfigRule": {
+      "Type": "AWS::Config::ConfigRule",
+      "Properties": {
+        "MaximumExecutionFrequency": "TwentyFour_Hours",
+        "ConfigRuleName": "access-keys-rotated",
+        "InputParameters": {
+          "maxAccessKeyAge": 90
+        },
+        "Source": {
+          "SourceIdentifier": "ENCRYPTED_VOLUMES",
+          "Owner": "AWS"
+        }
+      }
+    }
+  }
+}

assets/queries/cloudFormation/config_rule_for_encryption_volumes_disabled/test/positive1.yaml

@@ -0,0 +1,12 @@
+Resources:
+  ConfigRule:
+    Type: AWS::Config::ConfigRule
+    Properties:
+      ConfigRuleName: access-keys-rotated
+      InputParameters:
+        maxAccessKeyAge: 100
+      Source:
+        Owner: AWS
+        SourceIdentifier: ACCESS_KEYS_ROTATED
+      MaximumExecutionFrequency: TwentyFour_Hours
+

assets/queries/cloudFormation/config_rule_for_encryption_volumes_disabled/test/positive2.json

@@ -0,0 +1,18 @@
+{
+  "Resources": {
+    "ConfigRule": {
+      "Type": "AWS::Config::ConfigRule",
+      "Properties": {
+        "ConfigRuleName": "access-keys-rotated",
+        "InputParameters": {
+          "maxAccessKeyAge": 100
+        },
+        "Source": {
+          "Owner": "AWS",
+          "SourceIdentifier": "ACCESS_KEYS_ROTATED"
+        },
+        "MaximumExecutionFrequency": "TwentyFour_Hours"
+      }
+    }
+  }
+}

assets/queries/cloudFormation/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "Config Rule For Encrypted Volumes Disabled",
+    "severity": "MEDIUM",
+    "line": 2,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "fileName": "positive2.json",
+    "queryName": "Config Rule For Encrypted Volumes Disabled",
+    "severity": "MEDIUM",
+    "line": 3
+  }
+]

assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/metadata.json

@@ -1,6 +1,6 @@
 {
   "id": "abdb29d4-5ca1-4e91-800b-b3569bbd788c",
-  "queryName": "Config Rule For Encrypted Volumes Is Disabled",
+  "queryName": "Config Rule For Encrypted Volumes Disabled",
   "severity": "MEDIUM",
   "category": "Encryption",
   "descriptionText": "Check if AWS config rules do not identify Encrypted Volumes as a source.",

assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json

@@ -1,6 +1,6 @@
 [
   {
-    "queryName": "Config Rule For Encrypted Volumes Is Disabled",
+    "queryName": "Config Rule For Encrypted Volumes Disabled",
     "severity": "MEDIUM",
     "line": 1
   }