From acbfeb8b187d43e44e5f7252ba4f035b3f5e8c5e Mon Sep 17 00:00:00 2001
From: sanaayousaf
Date: Fri, 25 Nov 2022 09:24:45 +0000
Subject: [PATCH 1/5] added policy to check in_transit encryption enable or not for elasticache

---
 avd_docs/aws/elasticache/AVD-AWS-0198/docs.md | 13 ++++++++++
 .../kubernetes/general/AVD-KSV-01010/docs.md | 2 +-
 .../kubernetes/general/AVD-KSV-0108/docs.md | 4 +--
 .../kubernetes/general/AVD-KSV-0109/docs.md | 2 +-
 .../enable_in_transit_encryption.rego | 25 +++++++++++++++++++
 .../enable_in_transit_encryption_test.rego | 11 ++++++++
 6 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100644 avd_docs/aws/elasticache/AVD-AWS-0198/docs.md
 create mode 100644 internal/rules/policies/cloud/policies/aws/elasticache/enable_in_transit_encryption.rego
 create mode 100644 internal/rules/policies/cloud/policies/aws/elasticache/enable_in_transit_encryption_test.rego

diff --git a/avd_docs/aws/elasticache/AVD-AWS-0198/docs.md b/avd_docs/aws/elasticache/AVD-AWS-0198/docs.md
new file mode 100644
index 000000000..87c4daf37
--- /dev/null
+++ b/avd_docs/aws/elasticache/AVD-AWS-0198/docs.md
@@ -0,0 +1,13 @@
+
+Ensure that your AWS ElastiCache Redis clusters have encryption in-transit enabled.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
+
+
diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
index 1cee68f20..f69f12cad 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
@@ -2,7 +2,7 @@
 Storing sensitive content such as usernames and email addresses in configMaps is unsafe
 
 ### Impact
-Unsafe storage of sensitive content in configMaps could lead to the information being compromised.
+
 
 {{ remediationActions }}
 
diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
index 8d55a3498..9c1e77234 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
@@ -2,8 +2,8 @@
 Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554
 
 ### Impact
-Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
-https://www.cvedetails.com/cve/CVE-2020-8554/
+
+
 
 {{ remediationActions }}
 
diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
index d215353f0..70bba0fb1 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
@@ -2,7 +2,7 @@
 Storing secrets in configMaps is unsafe
 
 ### Impact
-Unsafe storage of secret content in configMaps could lead to the information being compromised.
+
 
 {{ remediationActions }}
 
diff --git a/internal/rules/policies/cloud/policies/aws/elasticache/enable_in_transit_encryption.rego b/internal/rules/policies/cloud/policies/aws/elasticache/enable_in_transit_encryption.rego
new file mode 100644
index 000000000..9f3a9691b
--- /dev/null
+++ b/internal/rules/policies/cloud/policies/aws/elasticache/enable_in_transit_encryption.rego
@@ -0,0 +1,25 @@
+# METADATA
+# title: "ElastiCache Redis Cluster Encryption In-Transit"
+# description: "Ensure that your AWS ElastiCache Redis clusters have encryption in-transit enabled."
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
+# custom:
+#   avd_id: AVD-AWS-0198
+#   provider: aws
+#   service: elasticache
+#   severity: HIGH
+#   short_code: enable-in-transit-encryption
+#   recommended_action: "Enable in-transit encryption for ElastiCache clusters"
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.elasticache.aws0198
+
+deny[res] {
+	group := input.aws.elasticache.replicationgroups[_]
+	not group.transitencryptionenabled.value
+	res := result.new("Replication group does not have transit encryption enabled.", group.transitencryptionenabled)
+}
\ No newline at end of file
diff --git a/internal/rules/policies/cloud/policies/aws/elasticache/enable_in_transit_encryption_test.rego b/internal/rules/policies/cloud/policies/aws/elasticache/enable_in_transit_encryption_test.rego
new file mode 100644
index 000000000..8111b454d
--- /dev/null
+++ b/internal/rules/policies/cloud/policies/aws/elasticache/enable_in_transit_encryption_test.rego
@@ -0,0 +1,11 @@
+package builtin.aws.elasticache.aws0198
+
+test_detects_when_disabled {
+	r := deny with input as {"aws": {"elasticache": {"replicationgroups": [{"transitencryptionenabled": {"value": false}}]}}}
+	count(r) == 1
+}
+
+test_when_enabled {
+	r := deny with input as {"aws": {"elasticache": {"replicationgroups": [{"transitencryptionenabled": {"value": true}}]}}}
+	count(r) == 0
+}
\ No newline at end of file
From b3428007143bfd3cd9c6879b3ac151bd015be61b Mon Sep 17 00:00:00 2001
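Review bot: A replication group that lacks the `transitencryptionenabled` attribute is not reported by this rule: `not group.transitencryptionenabled.value` holds for an undefined value, but `result.new(..., group.transitencryptionenabled)` on the next line is then undefined as well, so the rule body fails and the group silently passes. That is harmless if the cloud adapter always populates the field (presumably the case for this input schema, but not something the rule itself can see), and it means the check fails open for partial or hand-written input. Whichever verdict is intended, pin it in enable_in_transit_encryption_test.rego with a third case such as `test_when_missing { r := deny with input as {"aws": {"elasticache": {"replicationgroups": [{}]}}}; count(r) == 0 }` (or `== 1` after passing `group` instead of `group.transitencryptionenabled` as the metadata argument so an unset value is denied). The companion avd_docs/aws/elasticache/AVD-AWS-0198/docs.md also leaves its Impact section empty, so the rendered advisory will not say why plaintext Redis traffic matters. Both new .rego files end without a trailing newline, which `opa fmt` would add.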
From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com>
Date: Fri, 25 Nov 2022 14:28:07 +0000
Subject: [PATCH 2/5] Update avd_docs/kubernetes/general/AVD-KSV-0109/docs.md

---
 avd_docs/kubernetes/general/AVD-KSV-0109/docs.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
index 70bba0fb1..d215353f0 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
@@ -2,7 +2,7 @@
 Storing secrets in configMaps is unsafe
 
 ### Impact
-
+Unsafe storage of secret content in configMaps could lead to the information being compromised.
 
 {{ remediationActions }}
 

From 5496be734c493e4808087aac3060d053d2f67e60 Mon Sep 17 00:00:00 2001
From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com>
Date: Fri, 25 Nov 2022 14:28:41 +0000
Subject: [PATCH 3/5] Update avd_docs/kubernetes/general/AVD-KSV-0108/docs.md

---
 avd_docs/kubernetes/general/AVD-KSV-0108/docs.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
index 9c1e77234..58feb86a3 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
@@ -2,7 +2,8 @@
 Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554
 
 ### Impact
-
+Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
+https://www.cvedetails.com/cve/CVE-2020-8554/
 
 
 {{ remediationActions }}
From 3c5bf1501c67621a079daeac5ecb504f650046dc Mon Sep 17 00:00:00 2001
From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com>
Date: Fri, 25 Nov 2022 14:29:09 +0000
Subject: [PATCH 4/5] Update avd_docs/kubernetes/general/AVD-KSV-0108/docs.md

---
 avd_docs/kubernetes/general/AVD-KSV-0108/docs.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
index 58feb86a3..8d55a3498 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
@@ -4,7 +4,6 @@ Services with external IP addresses allows direct access from the internet and m
 ### Impact
 Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
 https://www.cvedetails.com/cve/CVE-2020-8554/
-
 
 {{ remediationActions }}
 

From a7efd637d5e45c52935b6fd4dfd7927329c5dd91 Mon Sep 17 00:00:00 2001
From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com>
Date: Fri, 25 Nov 2022 14:29:41 +0000
Subject: [PATCH 5/5] Update avd_docs/kubernetes/general/AVD-KSV-01010/docs.md

---
 avd_docs/kubernetes/general/AVD-KSV-01010/docs.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
index f69f12cad..1cee68f20 100644
--- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
+++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
@@ -2,7 +2,7 @@
 Storing sensitive content such as usernames and email addresses in configMaps is unsafe
 
 ### Impact
-
+Unsafe storage of sensitive content in configMaps could lead to the information being compromised.
 
 {{ remediationActions }}
 