aquasecurity · SanaaYousaf · Feb 13, 2023 · Mar 2, 2023 · Mar 27, 2023 · Mar 27, 2023
@@ -9,7 +9,7 @@ require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/go-mock-aws v0.0.0-20220726154943-99847deb62b0
 	github.com/aws/aws-sdk-go v1.44.131
-	github.com/aws/aws-sdk-go-v2 v1.17.3
+	github.com/aws/aws-sdk-go-v2 v1.17.4
 	github.com/aws/aws-sdk-go-v2/config v1.17.8
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.8
 	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.16.0
@@ -103,10 +103,11 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dax v1.12.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.19 // indirect

@@ -138,6 +138,8 @@ github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUY
 github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw=
 github.com/aws/aws-sdk-go-v2 v1.17.3 h1:shN7NlnVzvDUgPQ+1rLMSxY8OWRNDRYtiqe0p/PgrhY=
 github.com/aws/aws-sdk-go-v2 v1.17.3/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2 v1.17.4 h1:wyC6p9Yfq6V2y98wfDsj6OnNQa4w2BLGCLIxzNhwOGY=
+github.com/aws/aws-sdk-go-v2 v1.17.4/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 h1:tcFliCWne+zOuUfKNRn8JdFBuWPDuISDH08wD2ULkhk=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8/go.mod h1:JTnlBSot91steJeti4ryyu/tLd4Sk84O5W22L7O2EQU=
 github.com/aws/aws-sdk-go-v2/config v1.17.8 h1:b9LGqNnOdg9vR4Q43tBTVWk4J6F+W774MSchvKJsqnE=
@@ -152,10 +154,14 @@ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23/go.mod h1:2DFxAQ9pfI
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 h1:I3cakv2Uy1vNmmhRQmFptYDxOvBnwCdNwyw63N0RaRU=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27/go.mod h1:a1/UpzeyBBerajpnP5nGZa9mGzsBn5cOKxm6NWQsvoI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 h1:r+XwaCLpIvCKjBIYy/HVZujQS9tsz5ohHG3ZIe0wKoE=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28/go.mod h1:3lwChorpIM/BhImY/hy+Z6jekmN92cXGPI1QJasVPYY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 h1:5NbbMrIzmUn/TXFqAle6mgrH5m9cOvMLRGL7pnG8tRE=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21/go.mod h1:+Gxn8jYn5k9ebfHEqlhrMirFjSW0v0C9fI+KN5vk2kE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 h1:7AwGYXDdqRQYsluvKFmWoqpcOQJ4bH634SkYf3FNj/A=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22/go.mod h1:EqK7gVrIGAHyZItrD1D8B0ilgwMD1GiWAmbU4u/JHNk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 h1:wj5Rwc05hvUSvKuOF29IYb9QrCLjU+rHAy/x/o0DK2c=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24/go.mod h1:jULHjqqjDlbyTa7pfM7WICATnOv+iOhjletM3N0Xbu8=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 h1:ZSIPAkAsCCjYrhqfw2+lNzWDzxzHXEckFkTePL5RSWQ=
@@ -178,6 +184,8 @@ github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.20 h1:yPyXdrZaB4SW+pn2
 github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.20/go.mod h1:p2i2jyYZzFBJeOOQ5ji2k/Yc6IvlQsG/CuHRwEi8whs=
 github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.17 h1:Phl0QyhBW8mzNpQxin1Dyp+rXBultaQqkGEsmDCWYGQ=
 github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.17/go.mod h1:jwvgRGwqsF5vN4xQo2WcRaQLUJTP0RjV8laURrBaLxk=
+github.com/aws/aws-sdk-go-v2/service/dax v1.12.1 h1:oTih8VLUPXtDLp+/18DHouXBVpwihrzVGu8feE0y7ug=
+github.com/aws/aws-sdk-go-v2/service/dax v1.12.1/go.mod h1:SXDWJH3/4U7Zt/zxbi/H0Ryf11nHVBLxKvsotyXDEoU=
 github.com/aws/aws-sdk-go-v2/service/docdb v1.19.11 h1:+jNOF3BdrSwCHWHU+lXYR78DCItCwSn4T90CCGKjQx4=
 github.com/aws/aws-sdk-go-v2/service/docdb v1.19.11/go.mod h1:p2/C5LVvGstUjTb0z0qQNDf356iVEDrAMOvFJAkJQbA=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.6 h1:Ds0X66T0K1++l79cUD309YwrEcOHgA77O6EZy1vp0hg=

@@ -7,13 +7,16 @@ import (
 	"github.com/aquasecurity/defsec/pkg/state"
 	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	"github.com/aws/aws-sdk-go-v2/aws"
+	daxApi "github.com/aws/aws-sdk-go-v2/service/dax"
+	daxtype "github.com/aws/aws-sdk-go-v2/service/dax/types"
 	dynamodbApi "github.com/aws/aws-sdk-go-v2/service/dynamodb"
 	dynamodbTypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
 )
 
 type adapter struct {
 	*aws2.RootAdapter
-	client *dynamodbApi.Client
+	client  *dynamodbApi.Client
+	client2 *daxApi.Client
 }
 
 func init() {
@@ -38,6 +41,16 @@ func (a *adapter) Adapt(root *aws2.RootAdapter, state *state.State) error {
 		return err
 	}
 
+	state.AWS.DynamoDB.Backups, err = a.getBackups()
+	if err != nil {
+		return err
+	}
+
+	state.AWS.DynamoDB.DAXClusters, err = a.getcluster()
+	if err == nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -94,17 +107,97 @@ func (a *adapter) adaptTable(tableName string) (*dynamodb.Table, error) {
 	continuousBackup, err := a.client.DescribeContinuousBackups(a.Context(), &dynamodbApi.DescribeContinuousBackupsInput{
 		TableName: aws.String(tableName),
 	})
-
+	var status string
 	if err != nil && continuousBackup != nil && continuousBackup.ContinuousBackupsDescription != nil &&
 		continuousBackup.ContinuousBackupsDescription.PointInTimeRecoveryDescription != nil {
 		if continuousBackup.ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus == dynamodbTypes.PointInTimeRecoveryStatusEnabled {
 			pitRecovery = defsecTypes.BoolDefault(true, tableMetadata)
 		}
+		status = string(continuousBackup.ContinuousBackupsDescription.ContinuousBackupsStatus)
 
 	}
 	return &dynamodb.Table{
-		Metadata:             tableMetadata,
+		Metadata:               tableMetadata,
+		ServerSideEncryption:   encryption,
+		PointInTimeRecovery:    pitRecovery,
+		ContinuousBackupStatus: defsecTypes.String(status, tableMetadata),
+	}, nil
+}
+
+func (a *adapter) getBackups() (Backup []dynamodb.Backup, err error) {
+
+	a.Tracker().SetServiceLabel("Discovering DynamoDB backups...")
+
+	var apiBackup []dynamodbTypes.BackupSummary
+	var input dynamodbApi.ListBackupsInput
+	for {
+		output, err := a.client.ListBackups(a.Context(), &input)
+		if err != nil {
+			return nil, err
+		}
+		apiBackup = append(apiBackup, output.BackupSummaries...)
+		a.Tracker().SetTotalResources(len(apiBackup))
+		if output.LastEvaluatedBackupArn == nil {
+			break
+		}
+
+	}
+
+	a.Tracker().SetServiceLabel("Adapting DynamoDB backups..")
+	return concurrency.Adapt(apiBackup, a.RootAdapter, a.adaptbackup), nil
+
+}
+
+func (a *adapter) adaptbackup(backup dynamodbTypes.BackupSummary) (*dynamodb.Backup, error) {
+
+	metadata := a.CreateMetadataFromARN(*backup.BackupArn)
+	return &dynamodb.Backup{
+		Metadata: metadata,
+	}, nil
+}
+
+func (a *adapter) getcluster() (clusters []dynamodb.DAXCluster, err error) {
+
+	a.Tracker().SetServiceLabel("Discovering DynamoDB clusters...")
+
+	var apiclusters []daxtype.Cluster
+	var input daxApi.DescribeClustersInput
+	for {
+		output, err := a.client2.DescribeClusters(a.Context(), &input)
+		if err != nil {
+			return nil, err
+		}
+		apiclusters = append(apiclusters, output.Clusters...)
+		a.Tracker().SetTotalResources(len(apiclusters))
+		if output.NextToken == nil {
+			break
+		}
+		input.NextToken = output.NextToken
+	}
+
+	a.Tracker().SetServiceLabel("Adapting DynamoDB clusters..")
+	return concurrency.Adapt(apiclusters, a.RootAdapter, a.adaptcluster), nil
+
+}
+
+func (a *adapter) adaptcluster(cluster daxtype.Cluster) (*dynamodb.DAXCluster, error) {
+
+	metadata := a.CreateMetadataFromARN(*cluster.ClusterArn)
+
+	encryption := dynamodb.ServerSideEncryption{
+		Metadata: metadata,
+		Enabled:  defsecTypes.BoolDefault(false, metadata),
+		KMSKeyID: defsecTypes.StringDefault("", metadata),
+	}
+	if cluster.SSEDescription != nil {
+
+		if cluster.SSEDescription.Status == daxtype.SSEStatusEnabled {
+			encryption.Enabled = defsecTypes.BoolDefault(true, metadata)
+		}
+	}
+
+	return &dynamodb.DAXCluster{
+		Metadata:             metadata,
 		ServerSideEncryption: encryption,
-		PointInTimeRecovery:  pitRecovery,
 	}, nil
 }
@@ -34,3 +34,32 @@ func getClusters(file parser.FileContext) (clusters []dynamodb.DAXCluster) {
 
 	return clusters
 }
+
+func getTables(file parser.FileContext) (tables []dynamodb.Table) {
+
+	tableResources := file.GetResourcesByType("AWS::DynamoDB::Table")
+
+	for _, r := range tableResources {
+		table := dynamodb.Table{
+			Metadata: r.Metadata(),
+			ServerSideEncryption: dynamodb.ServerSideEncryption{
+				Metadata: r.Metadata(),
+				Enabled:  defsecTypes.BoolDefault(false, r.Metadata()),
+				KMSKeyID: defsecTypes.StringDefault("", r.Metadata()),
+			},
+			PointInTimeRecovery: r.GetBoolProperty("PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled"),
+		}
+
+		if sseProp := r.GetProperty("SSESpecification"); sseProp.IsNotNil() {
+			table.ServerSideEncryption = dynamodb.ServerSideEncryption{
+				Metadata: sseProp.Metadata(),
+				Enabled:  r.GetBoolProperty("SSESpecification.SSEEnabled"),
+				KMSKeyID: defsecTypes.StringUnresolvable(sseProp.Metadata()),
+			}
+		}
+
+		tables = append(tables, table)
+	}
+
+	return tables
+}
@@ -9,5 +9,6 @@ import (
 func Adapt(cfFile parser.FileContext) dynamodb.DynamoDB {
 	return dynamodb.DynamoDB{
 		DAXClusters: getClusters(cfFile),
+		Tables:      getTables(cfFile),
 	}
 }
@@ -7,6 +7,7 @@ import (
 type DynamoDB struct {
 	DAXClusters []DAXCluster
 	Tables      []Table
+	Backups     []Backup
 }
 
 type DAXCluster struct {
@@ -15,10 +16,15 @@ type DAXCluster struct {
 	PointInTimeRecovery  defsecTypes.BoolValue
 }
 
+type Backup struct {
+	Metadata defsecTypes.Metadata
+}
+
 type Table struct {
-	Metadata             defsecTypes.Metadata
-	ServerSideEncryption ServerSideEncryption
-	PointInTimeRecovery  defsecTypes.BoolValue
+	Metadata               defsecTypes.Metadata
+	ServerSideEncryption   ServerSideEncryption
+	PointInTimeRecovery    defsecTypes.BoolValue
+	ContinuousBackupStatus defsecTypes.StringValue
 }
 
 type ServerSideEncryption struct {

@@ -859,6 +859,9 @@
         }
       }
     },
+    "github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.Backup": {
+      "type": "object"
+    },
     "github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.DAXCluster": {
       "type": "object",
       "properties": {
@@ -875,6 +878,13 @@
     "github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.DynamoDB": {
       "type": "object",
       "properties": {
+        "backups": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.Backup"
+          }
+        },
         "daxclusters": {
           "type": "array",
           "items": {
@@ -907,6 +917,10 @@
     "github.com.aquasecurity.defsec.pkg.providers.aws.dynamodb.Table": {
       "type": "object",
       "properties": {
+        "continuousbackupstatus": {
+          "type": "object",
+          "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.StringValue"
+        },
         "pointintimerecovery": {
           "type": "object",
           "$ref": "#/definitions/github.com.aquasecurity.defsec.pkg.types.BoolValue"