From a6cf62b213a428db78065185a9238ded81307d72 Mon Sep 17 00:00:00 2001
From: bahar-shah
Date: Fri, 7 Mar 2025 16:15:32 -0500
Subject: [PATCH] add rule and files for aws db snapshots should not be public

---
 .../aws/db_snapshot_public/metadata.json | 12 +++++++++
 .../aws/db_snapshot_public/query.rego | 27 +++++++++++++++++++
 .../aws/db_snapshot_public/test/negative1.tf | 5 ++++
 .../aws/db_snapshot_public/test/negative2.tf | 4 +++
 .../aws/db_snapshot_public/test/positive.tf | 5 ++++
 .../test/positive_expected_result.json | 7 +++++
 6 files changed, 60 insertions(+)
 create mode 100644 assets/queries/terraform/aws/db_snapshot_public/metadata.json
 create mode 100644 assets/queries/terraform/aws/db_snapshot_public/query.rego
 create mode 100644 assets/queries/terraform/aws/db_snapshot_public/test/negative1.tf
 create mode 100644 assets/queries/terraform/aws/db_snapshot_public/test/negative2.tf
 create mode 100644 assets/queries/terraform/aws/db_snapshot_public/test/positive.tf
 create mode 100644 assets/queries/terraform/aws/db_snapshot_public/test/positive_expected_result.json

diff --git a/assets/queries/terraform/aws/db_snapshot_public/metadata.json b/assets/queries/terraform/aws/db_snapshot_public/metadata.json
new file mode 100644
index 00000000000..fe72cf6f541
--- /dev/null
+++ b/assets/queries/terraform/aws/db_snapshot_public/metadata.json
@@ -0,0 +1,12 @@
+{
+ "id": "f0d8781f-1991-4958-9917-d39283b168a0",
+ "queryName": "DB Snapshot Is Public",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "The DB snapshot is public. This means that anyone can access the snapshot and restore the database. This can lead to unauthorized access to sensitive data.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_snapshot#shared_accounts-1",
+ "platform": "Terraform",
+ "descriptionID": "f0d8781f",
+ "cloudProvider": "aws",
+ "cwe": "200"
+}
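Review bot: The descriptionText in the metadata hunk never names the configuration that triggers the finding, so someone reading a scan report cannot tell what to change without opening the query. Proposed wording: `"descriptionText": "The DB snapshot's shared_accounts list contains \"all\", which makes it public: anyone can access the snapshot and restore the database, leading to unauthorized access to sensitive data."`. The descriptionUrl fragment `#shared_accounts-1` is worth checking against the live registry page, since argument anchors there are not guaranteed to stay stable across provider documentation versions.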
diff --git a/assets/queries/terraform/aws/db_snapshot_public/query.rego b/assets/queries/terraform/aws/db_snapshot_public/query.rego
new file mode 100644
index 00000000000..40a189d6a9c
--- /dev/null
+++ b/assets/queries/terraform/aws/db_snapshot_public/query.rego
@@ -0,0 +1,27 @@
+package Cx
+
+import data.generic.terraform as tf_lib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.aws_db_snapshot[name]
+ common_lib.valid_key(resource, "shared_accounts")
+ resource.shared_accounts[_] == "all"
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_db_snapshot",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("aws_db_snapshot[{{%s}}].shared_accounts", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_db_snapshot", name, "shared_accounts"], []),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "aws_db_snapshot.shared_accounts should not include 'all'",
+ "keyActualValue": "aws_db_snapshot.shared_accounts includes 'all'",
+ "remediation": json.marshal({
+ "before": "shared_accounts = [\"all\"]",
+ "after": "shared_accounts = []"
+ }),
+ "remediationType": "replacement",
+ }
+}
+
diff --git a/assets/queries/terraform/aws/db_snapshot_public/test/negative1.tf b/assets/queries/terraform/aws/db_snapshot_public/test/negative1.tf
new file mode 100644
index 00000000000..2bb1df444ce
--- /dev/null
+++ b/assets/queries/terraform/aws/db_snapshot_public/test/negative1.tf
@@ -0,0 +1,5 @@
+resource "aws_db_snapshot" "private_snapshot" {
+ db_snapshot_identifier = "private-db-snapshot"
+ db_instance_identifier = "my-db-instance"
+ shared_accounts = []
+}
diff --git a/assets/queries/terraform/aws/db_snapshot_public/test/negative2.tf b/assets/queries/terraform/aws/db_snapshot_public/test/negative2.tf
new file mode 100644
index 00000000000..4c663903a4e
--- /dev/null
+++ b/assets/queries/terraform/aws/db_snapshot_public/test/negative2.tf
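Review bot: The rule matches only the literal string on the `resource.shared_accounts[_] == "all"` line, yet neither negative fixture (negative1.tf with `shared_accounts = []`, negative2.tf omitting the attribute) checks that a list of specific account IDs is not flagged, so a later loosening of that comparison would pass the tests unnoticed. I would add a negative3.tf with `shared_accounts = ["123456789012"]` (sample account id) and a one-line header comment above the rule, `# Flags aws_db_snapshot resources whose shared_accounts list contains "all", i.e. a publicly restorable snapshot`. The last added line of query.rego is an empty line after the closing `}`; dropping it keeps the file ending at the brace. If the provider's aws_db_cluster_snapshot resource accepts the same shared_accounts argument (to be confirmed against the provider docs), the same condition applies there and is not covered by this query.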
@@ -0,0 +1,4 @@
+resource "aws_db_snapshot" "private_snapshot" {
+ db_snapshot_identifier = "private-db-snapshot"
+ db_instance_identifier = "my-db-instance"
+}
diff --git a/assets/queries/terraform/aws/db_snapshot_public/test/positive.tf b/assets/queries/terraform/aws/db_snapshot_public/test/positive.tf
new file mode 100644
index 00000000000..b7eea3330ab
--- /dev/null
+++ b/assets/queries/terraform/aws/db_snapshot_public/test/positive.tf
@@ -0,0 +1,5 @@
+resource "aws_db_snapshot" "public_snapshot" {
+ db_snapshot_identifier = "public-db-snapshot"
+ db_instance_identifier = "my-db-instance"
+ shared_accounts = ["all"]
+}
diff --git a/assets/queries/terraform/aws/db_snapshot_public/test/positive_expected_result.json b/assets/queries/terraform/aws/db_snapshot_public/test/positive_expected_result.json
new file mode 100644
index 00000000000..619067b3324
--- /dev/null
+++ b/assets/queries/terraform/aws/db_snapshot_public/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "DB Snapshot Is Public",
+ "severity": "HIGH",
+ "line": 4
+ }
+]