ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6383/terraform/rule.adoc

119 lines
3.3 KiB
Plaintext
Raw Normal View History

Create rule S6383[terraform]: Disabling Role-Based Access Control on Azure resources is security-sensitive (#595) * Create rule S6383 * Add first draft * Update rules/S6383/terraform/rule.adoc * rename title * finished S6383 rule * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/metadata.json * Update rules/S6383/terraform/metadata.json * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * c'est mon dernier mot jean pierre * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-10 14:01:54 +00:00
Disabling Role-Based Access Control (RBAC) on Azure resources can reduce an
organization's ability to protect itself against access controls being compromised.
To be considered safe, access controls must follow the principle of
least privilege and correctly segregate duties amongst users.
RBAC helps enforce these practices by adapting the organization's access control
needs into explicit role-based policies: It helps keeping access controls maintainable
and sustainable.
Furthermore, RBAC allows operations teams to work faster during a security
incident. It helps to mitigate account theft or intrusions by quickly shutting down
accesses.
== Ask Yourself Whether
* This Azure resource is essential for the information system infrastructure.
* This Azure resource is essential for mission-critical functions.
* Compliance policies require access to this resource to be enforced through the use of Role-Based Access Control.
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
* Enable Azure RBAC when the Azure resource supports it.
* For Kubernetes clusters, enable Azure RBAC if Azure AD integration is supported. Otherwise, use the built-in Kubernetes RBAC.
== Sensitive Code Example
For https://azure.microsoft.com/fr-fr/services/kubernetes-service/[Azure Kubernetes Services]:
----
resource "azurerm_kubernetes_cluster" "example" {
role_based_access_control {
enabled = false # Sensitive
}
}
resource "azurerm_kubernetes_cluster" "example2" {
role_based_access_control {
enabled = true
azure_active_directory {
managed = true
azure_rbac_enabled = false # Sensitive
}
}
}
----
For https://azure.microsoft.com/fr-fr/services/key-vault/[Key Vaults]:
----
resource "azurerm_key_vault" "example" {
enable_rbac_authorization = false # Sensitive
}
----
== Compliant Solution
For https://azure.microsoft.com/fr-fr/services/kubernetes-service/[Azure Kubernetes Services]:
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,terraform]
Create rule S6383[terraform]: Disabling Role-Based Access Control on Azure resources is security-sensitive (#595) * Create rule S6383 * Add first draft * Update rules/S6383/terraform/rule.adoc * rename title * finished S6383 rule * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/metadata.json * Update rules/S6383/terraform/metadata.json * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * c'est mon dernier mot jean pierre * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-10 14:01:54 +00:00
----
resource "azurerm_kubernetes_cluster" "example" {
role_based_access_control {
enabled = true
}
}
resource "azurerm_kubernetes_cluster" "example" {
role_based_access_control {
enabled = true
azure_active_directory {
managed = true
azure_rbac_enabled = true
}
}
}
----
For https://azure.microsoft.com/fr-fr/services/key-vault/[Key Vaults]:
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,terraform]
Create rule S6383[terraform]: Disabling Role-Based Access Control on Azure resources is security-sensitive (#595) * Create rule S6383 * Add first draft * Update rules/S6383/terraform/rule.adoc * rename title * finished S6383 rule * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/metadata.json * Update rules/S6383/terraform/metadata.json * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * c'est mon dernier mot jean pierre * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-10 14:01:54 +00:00
----
resource "azurerm_key_vault" "example" {
enable_rbac_authorization = true
}
----
== See
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control
Fix typo in OWASP links from the See section (#807) * Fix typos in OWASP Top 10 2017 links * Fixing wrong URI in OWASP Top 10 2021 A4 links
2022-02-10 09:11:45 +01:00
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
2022-04-07 08:53:59 -05:00
* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere
Create rule S6383[terraform]: Disabling Role-Based Access Control on Azure resources is security-sensitive (#595) * Create rule S6383 * Add first draft * Update rules/S6383/terraform/rule.adoc * rename title * finished S6383 rule * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/rule.adoc * Update rules/S6383/terraform/metadata.json * Update rules/S6383/terraform/metadata.json * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * c'est mon dernier mot jean pierre * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6383/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-10 14:01:54 +00:00
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Omitting {parameter} disables role-based access control for this resource. Make sure it is safe here.
* Make sure that disabling role-based access control is safe here.
=== Highlighting
* If role_based_acccess_control is missing, highlight the resource
* If an assignment is non-compliant, highlight the entire assignment
* If an assignment is missing, highlight the block where it should be.
endif::env-github,rspecator-view[]
Reference in New Issue Copy Permalink