rspec/rules/S6308/python/rule.adoc

include::description.adoc[]

include::../ask-yourself.adoc[]

include::recommended.adoc[]

== Sensitive Code Example

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/Domain.html[aws_cdk.aws_opensearchservice.Domain]:

[source,python]
----
from aws_cdk.aws_opensearchservice import Domain, EngineVersion

class DomainStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        Domain(self, "Sensitive",
            version=EngineVersion.OPENSEARCH_1_3
        ) # Sensitive, encryption is disabled by default
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:

[source,python]
----
from aws_cdk.aws_opensearchservice import CfnDomain

class CfnDomainStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        CfnDomain(self, "Sensitive") # Sensitive, encryption is disabled by default
----

== Compliant Solution

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/Domain.html[aws_cdk.aws_opensearchservice.Domain]:

[source,python]
----
from aws_cdk.aws_opensearchservice import Domain, EncryptionAtRestOptions, EngineVersion

class DomainStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        Domain(self, "Compliant",
            version=EngineVersion.OPENSEARCH_1_3,
            encryption_at_rest=EncryptionAtRestOptions(
                enabled=True
            )
        )
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:

[source,python]
----
from aws_cdk.aws_opensearchservice import CfnDomain

class CfnDomainStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        CfnDomain(self, "Compliant",
            encryption_at_rest_options=CfnDomain.EncryptionAtRestOptionsProperty(
                enabled=True
            )
        )
----


include::see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

endif::env-github,rspecator-view[]
Create rule S6308: Using unencrypted Elasticsearch domains is security-sensitive (APPSEC-107) (#1236) 2022-09-14 14:49:32 +02:00			`include::description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::recommended.adoc[]`

			`== Sensitive Code Example`

			`For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/Domain.html[aws_cdk.aws_opensearchservice.Domain]:`

			`[source,python]`
			`----`
			`from aws_cdk.aws_opensearchservice import Domain, EngineVersion`

			`class DomainStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`

			`Domain(self, "Sensitive",`
			`version=EngineVersion.OPENSEARCH_1_3`
			`) # Sensitive, encryption is disabled by default`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:`

			`[source,python]`
			`----`
			`from aws_cdk.aws_opensearchservice import CfnDomain`

			`class CfnDomainStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`

			`CfnDomain(self, "Sensitive") # Sensitive, encryption is disabled by default`
			`----`

			`== Compliant Solution`

			`For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/Domain.html[aws_cdk.aws_opensearchservice.Domain]:`

			`[source,python]`
			`----`
			`from aws_cdk.aws_opensearchservice import Domain, EncryptionAtRestOptions, EngineVersion`

			`class DomainStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`

			`Domain(self, "Compliant",`
			`version=EngineVersion.OPENSEARCH_1_3,`
			`encryption_at_rest=EncryptionAtRestOptions(`
			`enabled=True`
			`)`
			`)`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:`

			`[source,python]`
			`----`
			`from aws_cdk.aws_opensearchservice import CfnDomain`

			`class CfnDomainStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`

			`CfnDomain(self, "Compliant",`
			`encryption_at_rest_options=CfnDomain.EncryptionAtRestOptionsProperty(`
			`enabled=True`
			`)`
			`)`
			`----`


			`include::see.adoc[]`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`endif::env-github,rspecator-view[]`