add rule and files for aws db snapshots should not be public

Author: bahar-shah

assets/queries/terraform/aws/db_snapshot_public/metadata.json

@@ -0,0 +1,12 @@
+{
+  "id": "f0d8781f-1991-4958-9917-d39283b168a0",
+  "queryName": "DB Snapshot Is Public",
+  "severity": "HIGH",
+  "category": "Access Control",
+  "descriptionText": "The DB snapshot is public. This means that anyone can access the snapshot and restore the database. This can lead to unauthorized access to sensitive data.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_snapshot#shared_accounts-1",
+  "platform": "Terraform",
+  "descriptionID": "f0d8781f",
+  "cloudProvider": "aws",
+  "cwe": "200"
+}

assets/queries/terraform/aws/db_snapshot_public/query.rego

@@ -0,0 +1,27 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+    resource := input.document[i].resource.aws_db_snapshot[name]
+    common_lib.valid_key(resource, "shared_accounts")
+    resource.shared_accounts[_] == "all"
+
+    result := {
+        "documentId": input.document[i].id,
+        "resourceType": "aws_db_snapshot",
+        "resourceName": tf_lib.get_resource_name(resource, name),
+        "searchKey": sprintf("aws_db_snapshot[{{%s}}].shared_accounts", [name]),
+        "searchLine": common_lib.build_search_line(["resource", "aws_db_snapshot", name, "shared_accounts"], []),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": "aws_db_snapshot.shared_accounts should not include 'all'",
+        "keyActualValue": "aws_db_snapshot.shared_accounts includes 'all'",
+        "remediation": json.marshal({
+            "before": "shared_accounts = [\"all\"]",
+            "after": "shared_accounts = []"
+        }),
+        "remediationType": "replacement",
+    }
+}
+

assets/queries/terraform/aws/db_snapshot_public/test/negative1.tf

@@ -0,0 +1,5 @@
+resource "aws_db_snapshot" "private_snapshot" {
+  db_snapshot_identifier = "private-db-snapshot"
+  db_instance_identifier = "my-db-instance"
+  shared_accounts        = []
+}

assets/queries/terraform/aws/db_snapshot_public/test/negative2.tf

@@ -0,0 +1,4 @@
+resource "aws_db_snapshot" "private_snapshot" {
+  db_snapshot_identifier = "private-db-snapshot"
+  db_instance_identifier = "my-db-instance"
+}

assets/queries/terraform/aws/db_snapshot_public/test/positive.tf

@@ -0,0 +1,5 @@
+resource "aws_db_snapshot" "public_snapshot" {
+  db_snapshot_identifier = "public-db-snapshot"
+  db_instance_identifier = "my-db-instance"
+  shared_accounts        = ["all"]
+}

assets/queries/terraform/aws/db_snapshot_public/test/positive_expected_result.json

@@ -0,0 +1,7 @@
+[
+  {
+    "queryName": "DB Snapshot Is Public",
+    "severity": "HIGH",
+    "line": 4
+  }
+]