#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    CLOUDWATCH_LOG_GROUP_ENCRYPTED
#
# Description:
#   Checks if a log group in Amazon CloudWatch Logs is encrypted with a
#   AWS Key Management Service (KMS) managed Customer Master Keys (CMK).
#
# Reports on:
#    AWS::Logs::LogGroup
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no cloudwatch logs log group resources present
# b) PASS: when all cloudwatch logs log group resources property KmsKeyId is set
# c) FAIL: when all cloudwatch logs log group resources property KmsKeyId is not set with valid value
# d) SKIP: when metada has rule suppression for CLOUDWATCH_LOG_GROUP_ENCRYPTED

#
# Select all cloudwatch logs log group resources from incoming template (payload)
#
let cloudwatch_logs = Resources.*[ Type == 'AWS::Logs::LogGroup'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "CLOUDWATCH_LOG_GROUP_ENCRYPTED"
]

rule CLOUDWATCH_LOG_GROUP_ENCRYPTED when %cloudwatch_logs !empty {
  %cloudwatch_logs.Properties.KmsKeyId exists
  <<
    Violation: CloudWatch Log LogsGroup does not have KmsKeyId set.
    Fix: Set the KmsKeyId parameter to a ARN.
  >>
}