Checkmarx · joaoReigota1 · Dec 27, 2021 · Dec 22, 2021
@@ -343,6 +343,10 @@ get_encryption_if_exists(resource) = encryption {
 } else = encryption {
 	valid_key(resource.encryption_info, "encryption_at_rest_kms_key_arn")
 	encryption := "encrypted"
+} else = encryption {
+	fields := {"sqs_managed_sse_enabled", "kms_master_key_id", "encryption_options", "server_side_encryption_configuration"}
+	valid_key(resource, fields[_])
+	encryption := "encrypted"
 } else = encryption {
 	encryption := "unencrypted"
 }

@@ -8,7 +8,8 @@ CxPolicy[result] {
 	bom_output = {
 		"resource_type": "aws_ebs_volume",
 		"resource_name": common_lib.get_tag_name_if_exists(ebs_volume),
-		"resource_accessibility": common_lib.get_encryption_if_exists(ebs_volume),
+		"resource_accessibility": "unknown",
+		"resource_encryption": common_lib.get_encryption_if_exists(ebs_volume),
 		"resource_vendor": "AWS",
 		"resource_category": "Storage",
 	}

@@ -1,16 +1,21 @@
 package Cx
 
 import data.generic.common as common_lib
+import data.generic.terraform as terra_lib
 
 CxPolicy[result] {
 	efs_file_system := input.document[i].resource.aws_efs_file_system[name]
 
+	info := terra_lib.get_accessibility(efs_file_system, name, "aws_efs_file_system_policy", "file_system_id")
+
 	bom_output = {
 		"resource_type": "aws_efs_file_system",
 		"resource_name": common_lib.get_tag_name_if_exists(efs_file_system),
-		"resource_accessibility": common_lib.get_encryption_if_exists(efs_file_system),
+		"resource_accessibility": info.accessibility,
+		"resource_encryption": common_lib.get_encryption_if_exists(efs_file_system),
 		"resource_vendor": "AWS",
 		"resource_category": "Storage",
+		"policy": info.policy,
 	}
 
 	result := {

@@ -0,0 +1,40 @@
+resource "aws_efs_file_system" "positive2" {
+  creation_token = "my-product"
+  encrypted = true
+
+  tags = {
+    Name = "MyProduct"
+  }
+}
+
+resource "aws_efs_file_system_policy" "policy" {
+  file_system_id = aws_efs_file_system.positive2.id
+
+  bypass_policy_lockout_safety_check = true
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Id": "ExamplePolicy01",
+    "Statement": [
+        {
+            "Sid": "ExampleStatement01",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "*"
+            },
+            "Resource": "${aws_efs_file_system.test.arn}",
+            "Action": [
+                "elasticfilesystem:ClientMount",
+                "elasticfilesystem:ClientWrite"
+            ],
+            "Condition": {
+                "Bool": {
+                    "aws:SecureTransport": "true"
+                }
+            }
+        }
+    ]
+}
+POLICY
+}
@@ -4,5 +4,11 @@
     "severity": "TRACE",
     "line": 1,
     "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "BOM - AWS EFS",
+    "severity": "TRACE",
+    "line": 1,
+    "fileName": "positive2.tf"
   }
 ]
@@ -11,6 +11,7 @@ CxPolicy[result] {
 		# memcached or redis
 		"resource_engine": get_engine_type(elasticache),
 		"resource_accessibility": get_accessibility(elasticache),
+		"resource_encryption": "unknown",
 		"resource_vendor": "AWS",
 		"resource_category": "In Memory Data Structure",
 	}

@@ -12,6 +12,7 @@ CxPolicy[result] {
 		# RabbitMQ or ActiveMQ
 		"resource_engine": aws_mq_broker_resource.engine_type,
 		"resource_accessibility": check_publicly_accessible(aws_mq_broker_resource),
+		"resource_encryption": common_lib.get_encryption_if_exists(aws_mq_broker_resource),
 		"resource_vendor": "AWS",
 		"resource_category": "Queues",
 		"user_name": aws_mq_broker_resource.user.username,

@@ -15,4 +15,8 @@ resource "aws_mq_broker" "positive2" {
     username = "ExampleUser"
     password = "111111111111"
   }
+
+  encryption_options {
+    kms_key_id = var.encryption_options.kms_key_id
+  }
 }
@@ -8,7 +8,8 @@ CxPolicy[result] {
 	bom_output = {
 		"resource_type": "aws_msk_cluster",
 		"resource_name": aws_msk_cluster_resource.cluster_name,
-		"resource_accessibility": common_lib.get_encryption_if_exists(aws_msk_cluster_resource),
+		"resource_accessibility": "unknown",
+		"resource_encryption": common_lib.get_encryption_if_exists(aws_msk_cluster_resource),
 		"resource_vendor": "AWS",
 		"resource_category": "Streaming",
 	}

@@ -10,6 +10,7 @@ CxPolicy[result] {
 		"resource_type": "aws_s3_bucket",
 		"resource_name": get_bucket_name(bucket_resource),
 		"resource_accessibility": get_accessibility(bucket_resource, name),
+		"resource_encryption": common_lib.get_encryption_if_exists(bucket_resource),
 		"resource_vendor": "AWS",
 		"resource_category": "Storage",
 		"acl": get_bucket_acl(bucket_resource),

@@ -18,6 +18,15 @@ resource "aws_s3_bucket" "positive8" {
   versioning {
     mfa_delete = true
   }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.mykey.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
 }
 
 resource "aws_s3_bucket_policy" "positive8" {

@@ -12,6 +12,7 @@ CxPolicy[result] {
 		"resource_type": "aws_sns_topic",
 		"resource_name": get_queue_name(aws_sns_topic_resource),
 		"resource_accessibility": info.accessibility,
+		"resource_encryption": common_lib.get_encryption_if_exists(aws_sns_topic_resource),
 		"resource_vendor": "AWS",
 		"resource_category": "Messaging",
 		"policy": info.policy,

@@ -1,6 +1,8 @@
 resource "aws_sns_topic" "positive5" {
   name = "user-updates-topic"
 
+  kms_master_key_id = "alias/aws/sns"
+
   policy = <<EOF
 {
   "Version": "2012-10-17",

@@ -12,6 +12,7 @@ CxPolicy[result] {
 		"resource_type": "aws_sqs_queue",
 		"resource_name": get_queue_name(aws_sqs_queue_resource),
 		"resource_accessibility": info.accessibility,
+		"resource_encryption": common_lib.get_encryption_if_exists(aws_sqs_queue_resource),
 		"resource_vendor": "AWS",
 		"resource_category": "Queues",
 		"policy": info.policy,

@@ -12,4 +12,6 @@ resource "aws_sqs_queue" "positive5" {
   tags = {
     Environment = "production"
   }
+
+  sqs_managed_sse_enabled = true
 }
@@ -237,6 +237,7 @@ func validateQueryResultFields(tb testing.TB, vulnerabilies []model.Vulnerabilit
 				"resource_vendor":        true,
 				"resource_category":      true,
 				"user_name":              false,
+				"resource_encryption":    true,
 			}
 			for key := range bomOutputRequiredFields {
 				_, ok := bomResult[key]