From fdf8dae0b30fe3cbd64019f327a8df974c0cc8cf Mon Sep 17 00:00:00 2001
From: harkirat22
Date: Sun, 17 Jan 2021 20:43:06 -0500
Subject: [PATCH] solves issue #382, and improved policy to relate disk with the instance

---
 .../vmEncryptedwithCsek.rego | 8 ++++-
 .../accurics.gcp.EKM.132.json | 2 +-
 .../encryptedwithCsek.rego | 32 +++++++++++++++++--
 3 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego b/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego
index c59a04e62..f735f6ba7 100755
--- a/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego
+++ b/pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego
@@ -3,5 +3,11 @@ package accurics
 vmEncryptedwithCsek[api.id] {
 api := input.google_compute_disk[_]
- not api.config.disk_encryption_key == null
+ not api.config.disk_encryption_key
 }
+
+vmEncryptedwithCsek[api.id]
+{
+ api := input.google_compute_disk[_]
+ api.config.disk_encryption_key == null
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json
index 11b10f41c..19817f097 100755
--- a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json
+++ b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json
@@ -3,7 +3,7 @@
 "file": "encryptedwithCsek.rego",
 "template_args": null,
 "severity": "MEDIUM",
- "description": "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) .",
+ "description": "VM disks attached to a compute instance should be encrypted with Customer Supplied Encryption Keys (CSEK) .",
 "reference_id": "accurics.gcp.EKM.132",
 "category": "Encryption \u0026 Key Management",
 "version": 1
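Review bot: The rewritten check on the `not api.config.disk_encryption_key` line still passes a disk whose `disk_encryption_key` is present but empty, because an empty object or list is a defined, non-false term in Rego, so neither this body nor the new `== null` body fires for it. Whether the config parser can emit such a value for an empty `disk_encryption_key {}` block is not visible in this hunk, so it is worth confirming with a fixture; if it can, a third body `vmEncryptedwithCsek[api.id] { api := input.google_compute_disk[_]; count(api.config.disk_encryption_key) == 0 }` closes the gap. The two bodies also place the opening brace differently (trailing `{` on the first, `{` on its own line on the second); picking one style keeps the file consistent.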
diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego b/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego
index 99774c09f..02cf0b6fd 100755
--- a/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego
+++ b/pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego
@@ -1,7 +1,33 @@
 package accurics
-encryptedwithCsek[api.id]
+encryptedwithCsek[retVal]
 {
- api := input.google_compute_disk[_]
- not api.config.disk_encryption_key == null
+ api := input.google_compute_disk[_]
+ not api.config.disk_encryption_key
+
+ association := input.google_compute_attached_disk[_]
+ diskName := split(association.config.disk, ".")[1]
+
+ api.name == diskName
+ instanceName := split(association.config.instance, ".")[1]
+
+ instance := input.google_compute_instance[_]
+ instanceName == instance.name
+ retVal := instance.id
 }
+
+encryptedwithCsek[retVal]
+{
+ api := input.google_compute_disk[_]
+ api.config.disk_encryption_key == null
+
+ association := input.google_compute_attached_disk[_]
+ diskName := split(association.config.disk, ".")[1]
+
+ api.name == diskName
+ instanceName := split(association.config.instance, ".")[1]
+
+ instance := input.google_compute_instance[_]
+ instanceName == instance.name
+ retVal := instance.id
+}
\ No newline at end of file
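Review bot: Both new bodies resolve the disk and instance with `split(association.config.disk, ".")[1]` and `split(association.config.instance, ".")[1]`, which are undefined when the attribute holds a literal name or self-link with no dot instead of a resource reference; the body then fails silently and the unencrypted disk is never reported for that instance, so the comparison should also accept the raw value, e.g. `api.name == association.config.disk`, as a second body or a guard before indexing. Relatedly, the instance rule now fires only through a separate `google_compute_attached_disk` resource; if the parser also exposes disks attached through the instance's own `attached_disk` or `boot_disk` blocks (not visible here), those instances are no longer matched by this policy. The two bodies also repeat the same ten-line join and differ only in the key check; the rewrite below factors the key check into `diskWithoutCsek` and the association into `diskAttachedTo` so the join is written once and the rule reads as a single body.
```rego
encryptedwithCsek[retVal] {
    api := input.google_compute_disk[_]
    diskWithoutCsek(api)
    instance := input.google_compute_instance[_]
    diskAttachedTo(api, instance)
    retVal := instance.id
}

# true when the disk has no customer-supplied key configured
diskWithoutCsek(api) {
    not api.config.disk_encryption_key
}

diskWithoutCsek(api) {
    api.config.disk_encryption_key == null
}

# true when a google_compute_attached_disk resource links the disk to the instance
diskAttachedTo(api, instance) {
    association := input.google_compute_attached_disk[_]
    api.name == split(association.config.disk, ".")[1]
    instance.name == split(association.config.instance, ".")[1]
}
```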