#
#####################################
##           Gherkin               ##
#####################################
#
# Rule Identifier:
#    DYNAMODB_TABLE_ENCRYPTED_KMS
#
# Description:
#   Checks if Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS).
#
# Reports on:
#    AWS::DynamoDB::Table
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no DynamoDB Tables present
# b) SKIP: when metadata has rule suppression for DYNAMODB_TABLE_ENCRYPTED_KMS
# c) FAIL: when all DynamoDB Tables are not are encrypted with KMS
# d) PASS: when all DynamoDB Tables are encrypted with KMS

let dynamodb_table_encrypted_kms = Resources.*[ Type == "AWS::DynamoDB::Table"
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "DYNAMODB_TABLE_ENCRYPTED_KMS"
]

let DYNAMODB_TABLE_ENCRYPTED_KMS_ALLOWED_ALGORITHMS = [ "KMS" ]

rule DYNAMODB_TABLE_ENCRYPTED_KMS when %dynamodb_table_encrypted_kms !empty {
  %dynamodb_table_encrypted_kms.Properties.SSESpecification exists
  %dynamodb_table_encrypted_kms.Properties.SSESpecification.SSEEnabled == true
  %dynamodb_table_encrypted_kms.Properties.SSESpecification.KMSMasterKeyId exists
  %dynamodb_table_encrypted_kms.Properties.SSESpecification.SSEType in %DYNAMODB_TABLE_ENCRYPTED_KMS_ALLOWED_ALGORITHMS
      <<
        Violation: Amazon DynamoDB tables are configured with SSE and a KMS key
        Fix: In SSESpecification, set SSEEnabled to true and set KMSMasterKeyId to the ID of a KMS key
      >>
}