
Added OSS Bucket Encryption Check for Alibaba Cloud

Open simon-rb opened this issue 1 year ago • 1 comment

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

feat(terraform): add CKV_ALI_1374 to ensure OSS buckets have server-side encryption enabled

This PR introduces a new custom policy for Alibaba Cloud OSS buckets. The policy ensures that server-side encryption is enabled for all OSS buckets, which is a critical security practice. This policy checks the server_side_encryption_rule in the Terraform configuration and will pass or fail based on whether this rule is properly configured.

This check ensures that all Alibaba Cloud OSS buckets have server-side encryption enabled. Not enabling server-side encryption on storage buckets can lead to sensitive data being stored in plain text, increasing the risk of unauthorized access in the event of a data breach. Server-side encryption protects data at rest by encrypting it with a managed key (e.g., KMS), which is a best practice for securing cloud storage.

Fix

To fix this issue in your Terraform configuration, ensure that each OSS bucket resource has the server_side_encryption_rule block configured. Here’s an example of how to configure it:

resource "alicloud_oss_bucket" "example" {
  bucket = "example-bucket"

  # Encrypt objects at rest; sse_algorithm is required inside this block
  server_side_encryption_rule {
    sse_algorithm = "KMS"
  }
}

Checklist:

  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] I have added tests that prove my feature, policy, or fix is effective and works
  • [x] New and existing tests pass locally with my changes

Generated description

Dear maintainer, below is a concise technical summary of the changes proposed in this PR:

Introduce a new check OSSBucketEncryptionCheck to ensure Alibaba Cloud OSS buckets have server-side encryption enabled. Implement the check in OSSBucketEncryptionCheck.py, which verifies the presence of server_side_encryption_rule in Terraform configurations. Add test cases in test_OSSBucketEncryptionCheck.py to validate the check's functionality, ensuring it correctly identifies configurations with and without encryption.

Topic: OSS Encryption Check
Details: Ensure Alibaba Cloud OSS buckets have server-side encryption enabled.
Modified files (2):
  • checkov/terraform/checks/resource/alicloud/OSSBucketEncryptionCheck.py
  • tests/terraform/checks/resource/alicloud/example_OSSBucketEncryptionCheck/OSSBucketEncryptionCheck.tf
Topic: OSS Encryption Test
Details: Validate the functionality of the OSS bucket encryption check.
Modified files (1):
  • tests/terraform/checks/resource/alicloud/test_OSSBucketEncryptionCheck.py

simon-rb avatar Aug 15 '24 15:08 simon-rb
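The following is an added, stand-alone sketch of the check logic this PR describes; it is not the PR's own OSSBucketEncryptionCheck.py. In checkov the same logic would live in scan_resource_conf() of a BaseResourceCheck subclass and return checkov's CheckResult; here CheckResult, SUPPORTED_RESOURCES, scan_resources() and the SAMPLE input are assumed stand-ins so the code runs without checkov installed.

```python
"""Sketch of an OSS bucket server-side-encryption check in checkov's scan_resource_conf() style."""
from enum import Enum


class CheckResult(Enum):  # stand-in for checkov.common.models.enums.CheckResult
    PASSED = "PASSED"
    FAILED = "FAILED"


SUPPORTED_RESOURCES = ("alicloud_oss_bucket",)  # the only resource type this check applies to


def scan_resource_conf(conf: dict) -> CheckResult:
    """Inspect the parsed body of one resource block.

    The layout mirrors what checkov hands to scan_resource_conf(): every attribute value is
    wrapped in a list and every nested block is a list of dicts, e.g.
    {"server_side_encryption_rule": [{"sse_algorithm": ["KMS"]}]}.
    """
    rules = conf.get("server_side_encryption_rule")
    if not rules or not isinstance(rules, list):
        return CheckResult.FAILED  # block absent: objects would be stored unencrypted
    rule = rules[0]
    if not isinstance(rule, dict):
        return CheckResult.FAILED
    algorithm = rule.get("sse_algorithm")
    if isinstance(algorithm, list):
        algorithm = algorithm[0] if algorithm else None
    # sse_algorithm is required inside the block; an empty block is not a configured rule
    if not isinstance(algorithm, str) or not algorithm.strip():
        return CheckResult.FAILED
    return CheckResult.PASSED


def scan_resources(parsed: dict) -> dict:
    """Walk a checkov-style resource map {type: {name: conf}}; unsupported types are skipped."""
    results = {}
    for rtype, instances in parsed.items():
        if rtype not in SUPPORTED_RESOURCES:
            continue
        for name, conf in instances.items():
            results[f"{rtype}.{name}"] = scan_resource_conf(conf)
    return results


# Constructed sample input: three buckets plus one unrelated resource, in the parsed layout above.
SAMPLE = {
    "alicloud_oss_bucket": {
        "encrypted": {"bucket": ["example-bucket"],
                      "server_side_encryption_rule": [{"sse_algorithm": ["KMS"]}]},
        "plaintext": {"bucket": ["plain-bucket"]},
        "empty_rule": {"bucket": ["odd-bucket"], "server_side_encryption_rule": [{}]},
    },
    "alicloud_oss_bucket_object": {"obj": {"bucket": ["example-bucket"], "key": ["a.txt"]}},
}

if __name__ == "__main__":
    for address, result in scan_resources(SAMPLE).items():
        print(f"{address}: {result.value}")
```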

Hi @simon-rb, please make sure to fix the suggestions above from @tsmithv11 (:

itai1357 avatar Sep 19 '24 05:09 itai1357