added policy to check encryption enable for efs

avd_docs/aws/efs/AVD-AWS-0194/docs.md

@@ -0,0 +1,13 @@
+
+Ensures that EFS volumes are encrypted at rest
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/efs/latest/ug/encryption.html
+
+

avd_docs/kubernetes/general/AVD-KSV-01010/docs.md

@@ -2,7 +2,7 @@
 Storing sensitive content such as usernames and email addresses in configMaps is unsafe
 
 ### Impact
-Unsafe storage of sensitive content in configMaps could lead to the information being compromised.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/kubernetes/general/AVD-KSV-0107/docs.md

@@ -1,10 +1,13 @@
 
-apiVersion and kind has been deprecated
+apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:''
 
 ### Impact
 <!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
+### Links
+- 
+
 

avd_docs/kubernetes/general/AVD-KSV-0108/docs.md

@@ -2,8 +2,8 @@
 Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554
 
 ### Impact
-Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
-https://www.cvedetails.com/cve/CVE-2020-8554/
+<!-- Add Impact here -->
+
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 

avd_docs/kubernetes/general/AVD-KSV-0109/docs.md

@@ -2,7 +2,7 @@
 Storing secrets in configMaps is unsafe
 
 ### Impact
-Unsafe storage of secret content in configMaps could lead to the information being compromised.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption.rego

@@ -0,0 +1,25 @@
+# METADATA
+# title: "EFS Encryption Enabled"
+# description: "Ensures that EFS volumes are encrypted at rest"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://docs.aws.amazon.com/efs/latest/ug/encryption.html
+# custom:
+#   avd_id: AVD-AWS-0194
+#   provider: aws
+#   service: efs
+#   severity: HIGH
+#   short_code: enable-at-rest-encryption
+#   recommended_action: "Encryption of data at rest can only be enabled during file system creation. Encryption of data in transit is configured when mounting your file system. 1. Backup your data in not encrypted efs 2. Recreate the EFS and select \'Enable encryption of data at rest\'"
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.efs.aws0194
+
+deny[res] {
+	fs := input.aws.efs.filesystems[_]
+	not fs.encrypted.value
+	res := result.new("File system is not encrypted.", fs.encrypted)
+}

internal/rules/policies/cloud/policies/aws/efs/enable_at_rest_encryption_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.efs.aws0194
+
+test_detects_when_decrypted {
+	r := deny with input as {"aws": {"efs": {"filesystems": [{"encrypted": {"value": false}}]}}}
+	count(r) == 1
+}
+
+test_when_encrypted {
+	r := deny with input as {"aws": {"efs": {"filesystems": [{"encrypted": {"value": true}}]}}}
+	count(r) == 0
+}