feat(queries): query IAM DB Cluster Auth Not Enabled implemented for terraform/aws and cloudFormation/aws

assets/libraries/common.rego

@@ -581,7 +581,8 @@ weakCipher(aux) {
 valid_for_iam_engine_and_version_check(resource, engineVar, engineVersionVar, instanceClassVar) {
 	key_list := [engineVar, engineVersionVar]
 	contains(lower(resource[engineVar]), "mariadb")
-	version_check := {x | x := resource[key_list[_]]; contains(x, "10.6")}
+	supported_versions := {"10.6", "10.11", "11.4"}
+	version_check := {x | x := resource[key_list[_]]; contains(x, supported_versions[_])}
 	count(version_check) > 0
 } else {
 	engines_that_supports_iam := ["aurora-postgresql", "postgres", "mysql", "mariadb"]

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/metadata.json

@@ -0,0 +1,12 @@
+{
+  "id": "6282794f-def8-4d6f-9df6-289318aa42b8",
+  "queryName": "IAM DB Cluster Auth Not Enabled",
+  "severity": "MEDIUM",
+  "category": "Access Control",
+  "descriptionText": "IAM Authentication should be enabled to verify the access of users and applications to your databases by enabling IAM policies and multi-factor authentication. This is a safety measure to ensure the protection of newly created databases without the proper IAM policies or in the change of policies in existing databases.",
+  "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-enableiamdatabaseauthentication",
+  "platform": "CloudFormation",
+  "descriptionID": "6282794f",
+  "cloudProvider": "aws",
+  "cwe": "311"
+}

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/query.rego

@@ -0,0 +1,62 @@
+package Cx
+
+import data.generic.cloudformation as cf_lib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+    docs := input.document[i]
+    [path, Resources] := walk(docs)
+    resource := Resources[name]
+    resource.Type == "AWS::RDS::DBCluster"
+
+    not common_lib.valid_key(resource.Properties, "EnableIAMDatabaseAuthentication")
+    valid_for_iam_engine_and_version_check_edited(resource.Properties, "Engine", "EngineVersion")
+
+    result := {
+        "documentId": input.document[i].id,
+        "resourceType": resource.Type,
+        "resourceName": cf_lib.get_resource_name(resource, name),
+        "searchKey": sprintf("Resources.%s.Properties", [name]),
+        "issueType": "MissingAttribute",
+        "keyExpectedValue": sprintf("'Resources.%s.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", [name]),
+        "keyActualValue": sprintf("'Resources.%s.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", [name]),
+        "searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
+    }
+}
+
+CxPolicy[result] {
+    docs := input.document[i]
+    [path, Resources] := walk(docs)
+    resource := Resources[name]
+    resource.Type == "AWS::RDS::DBCluster"
+
+    common_lib.valid_key(resource.Properties, "EnableIAMDatabaseAuthentication")
+    cf_lib.isCloudFormationFalse(resource.Properties.EnableIAMDatabaseAuthentication)
+    valid_for_iam_engine_and_version_check_edited(resource.Properties, "Engine", "EngineVersion")
+
+    result := {
+        "documentId": input.document[i].id,
+        "resourceType": resource.Type,
+        "resourceName": cf_lib.get_resource_name(resource, name),
+        "searchKey": sprintf("Resources.%s.Properties.EnableIAMDatabaseAuthentication", [name]),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": sprintf("'Resources.%s.Properties.EnableIAMDatabaseAuthentication' should be defined to true", [name]),
+        "keyActualValue": sprintf("'Resources.%s.Properties.EnableIAMDatabaseAuthentication' is defined to false", [name]),
+        "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "EnableIAMDatabaseAuthentication"], [])
+    }
+}
+
+valid_for_iam_engine_and_version_check_edited(resource, engineVar, engineVersionVar) {
+    key_list := [engineVar, engineVersionVar]
+    contains(lower(resource[engineVar]), "mariadb")
+    supported_versions := {"10.6", "10.11", "11.4"}
+    version_check := {x | x := resource[key_list[_]]; contains(x, supported_versions[_])}
+    count(version_check) > 0
+} else {
+    engines_that_support_iam := ["aurora-postgresql", "postgres", "mysql", "mariadb"]
+    contains(lower(resource[engineVar]), engines_that_support_iam[_])
+    not common_lib.valid_key(resource, engineVersionVar)
+} else {
+    engines_that_supports_iam := ["aurora-postgresql", "postgres", "mysql"]
+	contains(lower(resource[engineVar]), engines_that_supports_iam[_])
+} 

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative1.yaml

@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  sample:
+    Type: 'AWS::RDS::DBCluster'
+    Properties:
+      MasterUsername: !Ref DBUsername
+      MasterUserPassword: !Ref DBPassword
+      StorageEncrypted: true
+      DBClusterIdentifier: aurora-postgresql-cluster
+      Engine: aurora-postgresql
+      EngineVersion: '10.7'
+      DBClusterParameterGroupName: default.aurora-postgresql10
+      EnableCloudwatchLogsExports:
+        - postgresql
+      EnableIAMDatabaseAuthentication: true

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative10.json

@@ -0,0 +1,25 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "PostgresDBCluster": {
+            "Type": "AWS::RDS::DBCluster",
+            "Properties": {
+                "MasterUsername": {
+                    "Ref": "DBUsername"
+                },
+                "MasterUserPassword": {
+                    "Ref": "DBPassword"
+                },
+                "StorageEncrypted": true,
+                "DBClusterIdentifier": "postgres-db-cluster",
+                "Engine": "postgres",
+                "EngineVersion": "15.5",
+                "DBClusterParameterGroupName": "default.postgres15",
+                "EnableCloudwatchLogsExports": [
+                    "postgresql"
+                ],
+                "EnableIAMDatabaseAuthentication": true
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative11.yaml

@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  PostgresDBCluster:
+    Type: "AWS::RDS::DBCluster"
+    Properties:
+      MasterUsername: !Ref DBUsername
+      MasterUserPassword: !Ref DBPassword
+      StorageEncrypted: "true"
+      DBClusterIdentifier: postgres-db-cluster
+      Engine: postgres
+      EngineVersion: "15.5" 
+      DBClusterParameterGroupName: default.postgres15
+      EnableCloudwatchLogsExports:
+        - postgresql
+      EnableIAMDatabaseAuthentication: "true"

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative12.json

@@ -0,0 +1,25 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "PostgresDBCluster": {
+            "Type": "AWS::RDS::DBCluster",
+            "Properties": {
+                "MasterUsername": {
+                    "Ref": "DBUsername"
+                },
+                "MasterUserPassword": {
+                    "Ref": "DBPassword"
+                },
+                "StorageEncrypted": "true",
+                "DBClusterIdentifier": "postgres-db-cluster",
+                "Engine": "postgres",
+                "EngineVersion": "15.5",
+                "DBClusterParameterGroupName": "default.postgres15",
+                "EnableCloudwatchLogsExports": [
+                    "postgresql"
+                ],
+                "EnableIAMDatabaseAuthentication": "true"
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative13.yaml

@@ -0,0 +1,14 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  PostgresDBCluster:
+    Type: "AWS::RDS::DBCluster"
+    Properties:
+      MasterUsername: !Ref DBUsername
+      MasterUserPassword: !Ref DBPassword
+      StorageEncrypted: true
+      DBClusterIdentifier: postgres-db-cluster
+      Engine: postgres
+      DBClusterParameterGroupName: default.postgres15
+      EnableCloudwatchLogsExports:
+        - postgresql
+      EnableIAMDatabaseAuthentication: true

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative14.json

@@ -0,0 +1,24 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "PostgresDBCluster": {
+            "Type": "AWS::RDS::DBCluster",
+            "Properties": {
+                "MasterUsername": {
+                    "Ref": "DBUsername"
+                },
+                "MasterUserPassword": {
+                    "Ref": "DBPassword"
+                },
+                "StorageEncrypted": true,
+                "DBClusterIdentifier": "postgres-db-cluster",
+                "Engine": "postgres",
+                "DBClusterParameterGroupName": "default.postgres15",
+                "EnableCloudwatchLogsExports": [
+                    "postgresql"
+                ],
+                "EnableIAMDatabaseAuthentication": true
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative15.yaml

@@ -0,0 +1,14 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  PostgresDBCluster:
+    Type: "AWS::RDS::DBCluster"
+    Properties:
+      MasterUsername: !Ref DBUsername
+      MasterUserPassword: !Ref DBPassword
+      StorageEncrypted: "true"
+      DBClusterIdentifier: postgres-db-cluster
+      Engine: postgres
+      DBClusterParameterGroupName: default.postgres15
+      EnableCloudwatchLogsExports:
+        - postgresql
+      EnableIAMDatabaseAuthentication: "true"

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative16.json

@@ -0,0 +1,24 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "PostgresDBCluster": {
+            "Type": "AWS::RDS::DBCluster",
+            "Properties": {
+                "MasterUsername": {
+                    "Ref": "DBUsername"
+                },
+                "MasterUserPassword": {
+                    "Ref": "DBPassword"
+                },
+                "StorageEncrypted": "true",
+                "DBClusterIdentifier": "postgres-db-cluster",
+                "Engine": "postgres",
+                "DBClusterParameterGroupName": "default.postgres15",
+                "EnableCloudwatchLogsExports": [
+                    "postgresql"
+                ],
+                "EnableIAMDatabaseAuthentication": "true"
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative2.json

@@ -0,0 +1,25 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "sample": {
+            "Type": "AWS::RDS::DBCluster",
+            "Properties": {
+                "MasterUsername": {
+                    "Ref": "DBUsername"
+                },
+                "MasterUserPassword": {
+                    "Ref": "DBPassword"
+                },
+                "StorageEncrypted": true,
+                "DBClusterIdentifier": "aurora-postgresql-cluster",
+                "Engine": "aurora-postgresql",
+                "EngineVersion": "10.7",
+                "DBClusterParameterGroupName": "default.aurora-postgresql10",
+                "EnableCloudwatchLogsExports": [
+                    "postgresql"
+                ],
+                "EnableIAMDatabaseAuthentication": true
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative3.yaml

@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  sample:
+    Type: 'AWS::RDS::DBCluster'
+    Properties:
+      MasterUsername: !Ref DBUsername
+      MasterUserPassword: !Ref DBPassword
+      StorageEncrypted: true
+      DBClusterIdentifier: aurora-postgresql-cluster
+      Engine: aurora-postgresql
+      EngineVersion: '10.7'
+      DBClusterParameterGroupName: default.aurora-postgresql10
+      EnableCloudwatchLogsExports:
+        - postgresql
+      EnableIAMDatabaseAuthentication: "true"

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative4.json

@@ -0,0 +1,25 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "sample": {
+            "Type": "AWS::RDS::DBCluster",
+            "Properties": {
+                "MasterUsername": {
+                    "Ref": "DBUsername"
+                },
+                "MasterUserPassword": {
+                    "Ref": "DBPassword"
+                },
+                "StorageEncrypted": true,
+                "DBClusterIdentifier": "aurora-postgresql-cluster",
+                "Engine": "aurora-postgresql",
+                "EngineVersion": "10.7",
+                "DBClusterParameterGroupName": "default.aurora-postgresql10",
+                "EnableCloudwatchLogsExports": [
+                    "postgresql"
+                ],
+                "EnableIAMDatabaseAuthentication": "true"
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative5.yaml

@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  sample:
+    Type: 'AWS::RDS::DBCluster'
+    Properties:
+      MasterUsername: !Ref DBUsername
+      MasterUserPassword: !Ref DBPassword
+      StorageEncrypted: true
+      DBClusterIdentifier: !Ref SourceDBInstanceIdentifier
+      Engine: mariadb
+      EngineVersion: '10.5'
+      DBClusterParameterGroupName: default.aurora-postgresql10
+      EnableCloudwatchLogsExports:
+        - postgresql
+      EnableIAMDatabaseAuthentication: true

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative6.json

@@ -0,0 +1,27 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "sample": {
+            "Type": "AWS::RDS::DBCluster",
+            "Properties": {
+                "MasterUsername": {
+                    "Ref": "DBUsername"
+                },
+                "MasterUserPassword": {
+                    "Ref": "DBPassword"
+                },
+                "StorageEncrypted": true,
+                "DBClusterIdentifier": {
+                    "Ref": "SourceDBInstanceIdentifier"
+                },
+                "Engine": "mariadb",
+                "EngineVersion": "10.5",
+                "DBClusterParameterGroupName": "default.aurora-postgresql10",
+                "EnableCloudwatchLogsExports": [
+                    "postgresql"
+                ],
+                "EnableIAMDatabaseAuthentication": true
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/negative7.yaml

@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  sample:
+    Type: 'AWS::RDS::DBCluster'
+    Properties:
+      MasterUsername: !Ref DBUsername
+      MasterUserPassword: !Ref DBPassword
+      StorageEncrypted: "true"
+      DBClusterIdentifier: !Ref SourceDBInstanceIdentifier
+      Engine: mariadb
+      EngineVersion: '10.5'
+      DBClusterParameterGroupName: default.aurora-postgresql10
+      EnableCloudwatchLogsExports:
+        - postgresql
+      EnableIAMDatabaseAuthentication: "true"