3 more policies

cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/fail__1__.py

@@ -0,0 +1,25 @@
+from aws_cdk import core
+from aws_cdk import aws_elasticache as elasticache
+
+class ElastiCacheReplicationGroupStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create an AWS ElastiCache Replication Group
+        replication_group = elasticache.CfnReplicationGroup(
+            self,
+            "MyElastiCacheReplicationGroup",
+            replication_group_id="my-replication-group",
+            replication_group_description="My ElastiCache Replication Group",
+            cache_node_type="cache.m4.large",
+            engine="redis",
+            engine_version="5.0.6",
+            port=6379,
+            num_cache_clusters=2,
+            automatic_failover_enabled=True,
+        )
+
+app = core.App()
+ElastiCacheReplicationGroupStack(app, "ElastiCacheReplicationGroupStack")
+app.synth()

cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/pass.py

@@ -0,0 +1,26 @@
+from aws_cdk import core
+from aws_cdk import aws_elasticache as elasticache
+
+class ElastiCacheReplicationGroupStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create an AWS ElastiCache Replication Group
+        replication_group = elasticache.CfnReplicationGroup(
+            self,
+            "MyElastiCacheReplicationGroup",
+            replication_group_id="my-replication-group",
+            replication_group_description="My ElastiCache Replication Group",
+            cache_node_type="cache.m4.large",
+            engine="redis",
+            engine_version="5.0.6",
+            port=6379,
+            num_cache_clusters=2,
+            automatic_failover_enabled=True,
+            transit_encryption_enabled=True  # Enable transit encryption
+        )
+
+app = core.App()
+ElastiCacheReplicationGroupStack(app, "ElastiCacheReplicationGroupStack")
+app.synth()

cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py

@@ -0,0 +1,22 @@
+from aws_cdk import core
+from aws_cdk import aws_redshift as redshift
+
+class RedshiftClusterStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create an Amazon Redshift cluster
+        redshift_cluster = redshift.CfnCluster(
+            self,
+            "MyRedshiftCluster",
+            cluster_identifier="my-redshift-cluster",
+            master_username="admin",
+            master_user_password="MySecurePassword123",  # Replace with your secure password
+            node_type="dc2.large",
+            cluster_type="single-node",
+        )
+
+app = core.App()
+RedshiftClusterStack(app, "RedshiftClusterStack")
+app.synth()

cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py

@@ -0,0 +1,23 @@
+from aws_cdk import core
+from aws_cdk import aws_redshift as redshift
+
+class RedshiftClusterStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create an Amazon Redshift cluster
+        redshift_cluster = redshift.CfnCluster(
+            self,
+            "MyRedshiftCluster",
+            cluster_identifier="my-redshift-cluster",
+            master_username="admin",
+            master_user_password="MySecurePassword123",  # Replace with your secure password
+            node_type="dc2.large",
+            cluster_type="single-node",
+            encrypted=True  # Enable encryption
+        )
+
+app = core.App()
+RedshiftClusterStack(app, "RedshiftClusterStack")
+app.synth()

cdk_integration_tests/src/python/WAFEnabled/fail__1__.py

@@ -0,0 +1,23 @@
+from aws_cdk import core
+from aws_cdk import aws_cloudfront as cloudfront
+
+class CloudFrontDistributionStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create a CloudFront distribution
+        distribution = cloudfront.CfnDistribution(
+            self,
+            "MyCloudFrontDistribution",
+            distribution_config={
+                "defaultCacheBehavior": {
+                    # Configure your cache behavior as needed
+                },
+                "enabled": True,
+            }
+        )
+
+app = core.App()
+CloudFrontDistributionStack(app, "CloudFrontDistributionStack")
+app.synth()

cdk_integration_tests/src/python/WAFEnabled/pass.py

@@ -0,0 +1,35 @@
+from aws_cdk import core
+from aws_cdk import aws_cloudfront as cloudfront
+from aws_cdk import aws_wafv2 as wafv2
+
+class CloudFrontDistributionStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create a WebACL
+        web_acl = wafv2.CfnWebACL(
+            self,
+            "MyWebACL",
+            default_action={
+                "allow": {}
+            },
+            # Configure your WebACL as needed
+        )
+
+        # Create a CloudFront distribution
+        distribution = cloudfront.CfnDistribution(
+            self,
+            "MyCloudFrontDistribution",
+            distribution_config={
+                "defaultCacheBehavior": {
+                    # Configure your cache behavior as needed
+                },
+                "enabled": True,
+                "webAclId": web_acl.attr_arn  # Set the WebACL association
+            }
+        )
+
+app = core.App()
+CloudFrontDistributionStack(app, "CloudFrontDistributionStack")
+app.synth()

cdk_integration_tests/test_checks_python.py

@@ -94,4 +94,10 @@ def test_CKV_AWS_27_SQSQueueEncryption():
     run_check(lang='python', check_name="SQSQueueEncryption")
 
 def test_CKV_AWS_195_GlueSecurityConfigurationEnabled():
-    run_check(lang='python', check_name="GlueSecurityConfigurationEnabled")
+    run_check(lang='python', check_name="GlueSecurityConfigurationEnabled")
+
+def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit():
+    run_check(lang='python', check_name="ElasticacheReplicationGroupEncryptionAtTransit")
+
+def test_CKV_AWS_68_WAFEnabled():
+    run_check(lang='python', check_name="WAFEnabled")

checkov/cdk/checks/python/ElasticacheReplicationGroupEncryptionAtTransit.yaml

@@ -0,0 +1,13 @@
+metadata:
+  version: 0.2
+  approach: define failing
+  id: CKV_AWS_30
+  name: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit
+  category: ENCRYPTION
+scope:
+  languages:
+    - python
+definition:
+  pattern: aws_cdk.aws_elasticache.CfnReplicationGroup(<ANY>)
+  conditions:
+    - not_pattern: aws_cdk.aws_elasticache.CfnReplicationGroup(<ANY>, transit_encryption_enabled=True, <ANY>)

checkov/cdk/checks/python/RedshiftClusterEncryption.yaml

@@ -0,0 +1,13 @@
+metadata:
+  version: 0.2
+  approach: define failing
+  id: CKV_AWS_64
+  name: Ensure all data stored in the Redshift cluster is securely encrypted at rest
+  category: ENCRYPTION
+scope:
+  languages:
+    - python
+definition:
+  pattern: aws_cdk.aws_redshift.CfnCluster(<ANY>)
+  conditions:
+    - not_pattern: aws_cdk.aws_redshift.CfnCluster(<ANY>, encrypted=True , <ANY>)

checkov/cdk/checks/python/WAFEnabled.yaml

@@ -0,0 +1,13 @@
+metadata:
+  version: 0.2
+  approach: define failing
+  id: CKV_AWS_68
+  name: CloudFront Distribution should have WAF enabled
+  category: ENCRYPTION
+scope:
+  languages:
+    - python
+definition:
+  pattern: aws_cdk.aws_cloudfront.CfnDistribution(<ANY>)
+  conditions:
+    - not_pattern: 'aws_cdk.aws_cloudfront.CfnDistribution(<ANY>, distribution_config={<ANY>, "webAclId": <ANY> , <ANY>} , <ANY>)'