checks(aws): change the wording of AVD-AWS-0015

avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md

@@ -1,5 +1,5 @@
 
-Enable encryption at rest
+Use Customer managed key
 
 ```yaml---
 Resources:
@@ -15,4 +15,6 @@ Resources:
 
 ```
 
+#### Remediation Links
+ - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid
 

avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md

@@ -1,5 +1,5 @@
 
-Enable encryption at rest
+Use Customer managed key
 
 ```hcl
  resource "aws_cloudtrail" "good_example" {

avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md

@@ -1,13 +1,15 @@
 
-Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach.
+Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.
 
 ### Impact
-Data can be freely read if compromised
+Using AWS managed keys does not allow for fine grained control
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
 ### Links
 - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
 
+- https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
+
 

checks/cloud/aws/cloudtrail/enable_at_rest_encryption.cf.go → checks/cloud/aws/cloudtrail/encryption_customer_key.cf.go

@@ -1,6 +1,6 @@
 package cloudtrail
 
-var cloudFormationEnableAtRestEncryptionGoodExamples = []string{
+var cloudFormationEncryptionCustomerManagedKeyGoodExamples = []string{
 	`---
 Resources:
   BadExample:
@@ -15,7 +15,7 @@ Resources:
 `,
 }
 
-var cloudFormationEnableAtRestEncryptionBadExamples = []string{
+var cloudFormationEncryptionCustomerManagedKeyBadExamples = []string{
 	`---
 Resources:
   BadExample:
@@ -29,6 +29,6 @@ Resources:
 `,
 }
 
-var cloudFormationEnableAtRestEncryptionLinks = []string{}
-
-var cloudFormationEnableAtRestEncryptionRemediationMarkdown = ``
+var cloudFormationEncryptionCustomerManagedKeyLinks = []string{
+	"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid",
+}

checks/cloud/aws/cloudtrail/encryption_customer_key.go

@@ -0,0 +1,52 @@
+package cloudtrail
+
+import (
+	"github.com/aquasecurity/trivy-policies/pkg/rules"
+	"github.com/aquasecurity/trivy/pkg/iac/providers"
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
+	"github.com/aquasecurity/trivy/pkg/iac/severity"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
+)
+
+var EncryptionCustomerManagedKey = rules.Register(
+	scan.Rule{
+		AVDID:       "AVD-AWS-0015",
+		Provider:    providers.AWSProvider,
+		Service:     "cloudtrail",
+		ShortCode:   "encryption-customer-managed-key",
+		Summary:     "CloudTrail should use Customer managed keys to encrypt the logs",
+		Impact:      "Using AWS managed keys does not allow for fine grained control",
+		Resolution:  "Use Customer managed key",
+		Explanation: `Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.`,
+		Links: []string{
+			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html",
+			"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt",
+		},
+		Terraform: &scan.EngineMetadata{
+			GoodExamples:        terraformEncryptionCustomerManagedKeyGoodExamples,
+			BadExamples:         terraformEncryptionCustomerManagedKeyBadExamples,
+			Links:               terraformEncryptionCustomerManagedKeyLinks,
+			RemediationMarkdown: ``,
+		},
+		CloudFormation: &scan.EngineMetadata{
+			GoodExamples:        cloudFormationEncryptionCustomerManagedKeyGoodExamples,
+			BadExamples:         cloudFormationEncryptionCustomerManagedKeyBadExamples,
+			Links:               cloudFormationEncryptionCustomerManagedKeyLinks,
+			RemediationMarkdown: ``,
+		},
+		Severity: severity.High,
+	},
+	func(s *state.State) (results scan.Results) {
+		for _, trail := range s.AWS.CloudTrail.Trails {
+			if trail.KMSKeyID.IsEmpty() {
+				results.Add(
+					"CloudTrail does not use a customer managed key to encrypt the logs.",
+					trail.KMSKeyID,
+				)
+			} else {
+				results.AddPassed(&trail)
+			}
+		}
+		return
+	},
+)

checks/cloud/aws/cloudtrail/enable_at_rest_encryption.tf.go → checks/cloud/aws/cloudtrail/encryption_customer_key.tf.go

@@ -1,6 +1,6 @@
 package cloudtrail
 
-var terraformEnableAtRestEncryptionGoodExamples = []string{
+var terraformEncryptionCustomerManagedKeyGoodExamples = []string{
 	`
  resource "aws_cloudtrail" "good_example" {
    is_multi_region_trail = true
@@ -20,7 +20,7 @@ var terraformEnableAtRestEncryptionGoodExamples = []string{
  `,
 }
 
-var terraformEnableAtRestEncryptionBadExamples = []string{
+var terraformEncryptionCustomerManagedKeyBadExamples = []string{
 	`
  resource "aws_cloudtrail" "bad_example" {
    is_multi_region_trail = true
@@ -38,8 +38,6 @@ var terraformEnableAtRestEncryptionBadExamples = []string{
  `,
 }
 
-var terraformEnableAtRestEncryptionLinks = []string{
+var terraformEncryptionCustomerManagedKeyLinks = []string{
 	`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id`,
 }
-
-var terraformEnableAtRestEncryptionRemediationMarkdown = ``

checks/cloud/aws/cloudtrail/enable_at_rest_encryption_test.go → checks/cloud/aws/cloudtrail/encryption_customer_key_test.go

@@ -3,24 +3,22 @@ package cloudtrail
 import (
 	"testing"
 
-	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-
-	"github.com/aquasecurity/trivy/pkg/iac/state"
+	"github.com/stretchr/testify/assert"
 
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/cloudtrail"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
-
-	"github.com/stretchr/testify/assert"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
+	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
-func TestCheckEnableAtRestEncryption(t *testing.T) {
+func TestEncryptionCustomerManagedKey(t *testing.T) {
 	tests := []struct {
 		name     string
 		input    cloudtrail.CloudTrail
 		expected bool
 	}{
 		{
-			name: "AWS CloudTrail unencrypted",
+			name: "AWS CloudTrail without CMK",
 			input: cloudtrail.CloudTrail{
 				Trails: []cloudtrail.Trail{
 					{
@@ -32,7 +30,7 @@ func TestCheckEnableAtRestEncryption(t *testing.T) {
 			expected: true,
 		},
 		{
-			name: "AWS CloudTrail encrypted with KMS key",
+			name: "AWS CloudTrail with CMK",
 			input: cloudtrail.CloudTrail{
 				Trails: []cloudtrail.Trail{
 					{
@@ -48,10 +46,10 @@ func TestCheckEnableAtRestEncryption(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			var testState state.State
 			testState.AWS.CloudTrail = test.input
-			results := CheckEnableAtRestEncryption.Evaluate(&testState)
+			results := EncryptionCustomerManagedKey.Evaluate(&testState)
 			var found bool
 			for _, result := range results {
-				if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckEnableAtRestEncryption.LongID() {
+				if result.Status() == scan.StatusFailed && result.Rule().LongID() == EncryptionCustomerManagedKey.LongID() {
 					found = true
 				}
 			}