fix(checks): check only clusters in AVD-AWS-0343

Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Nov 16, 2024 · 8bc9f38 · 8bc9f38
1 parent 1c461a7
commit 8bc9f38
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/checks/cloud/aws/rds/enable_cluster_deletion_protection.rego b/checks/cloud/aws/rds/enable_cluster_deletion_protection.rego
@@ -24,6 +24,7 @@ package builtin.aws.rds.aws0343
 
 deny[res] {
 	cluster := input.aws.rds.clusters[_]
+	isManaged(cluster.deletionprotection)
 	not cluster.deletionprotection.value
 	res := result.new("Cluster does not have Deletion Protection enabled", cluster.deletionprotection)
 }
diff --git a/checks/cloud/aws/rds/enable_cluster_deletion_protection_test.rego b/checks/cloud/aws/rds/enable_cluster_deletion_protection_test.rego
@@ -1,11 +1,17 @@
 package builtin.aws.rds.aws0343
 
-test_detects_when_disabled {
+test_deny_deletion_protection_disabled {
 	r := deny with input as {"aws": {"rds": {"clusters": [{"deletionprotection": {"value": false}}]}}}
 	count(r) == 1
 }
 
-test_when_enabled {
+test_allow_deletion_protection_enabled {
 	r := deny with input as {"aws": {"rds": {"clusters": [{"deletionprotection": {"value": true}}]}}}
 	count(r) == 0
 }
+
+# If there is no cluster for database instances, they are added to an empty cluster.
+test_allow_deletion_protection_disabled_but_instances_orphaned {
+	r := deny with input as {"aws": {"rds": {"clusters": [{"deletionprotection": {"__defsec_metadata": {"managed": false}, "value": false}}]}}}
+	count(r) == 0
+}