diff --git a/rules/S6275/ask-yourself.adoc b/rules/S6275/ask-yourself.adoc
new file mode 100644
index 0000000000..216c543632
--- /dev/null
+++ b/rules/S6275/ask-yourself.adoc
@@ -0,0 +1,6 @@
+== Ask Yourself Whether
+
+* The disk contains sensitive data that could cause harm when leaked.
+* There are compliance requirements for the service to store data encrypted.
+
+There is a risk if you answered yes to any of those questions.
diff --git a/rules/S6275/cloudformation/rule.adoc b/rules/S6275/cloudformation/rule.adoc
index 290c9ed990..7af9ed033d 100644
--- a/rules/S6275/cloudformation/rule.adoc
+++ b/rules/S6275/cloudformation/rule.adoc
@@ -1,74 +1,40 @@ +include::../description.adoc[] + +include::../ask-yourself.adoc[] + +include::../recommended.adoc[] == Sensitive Code Example +For https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html[AWS::EC2::Volume]: + ---- -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Sample EBS Volume with EC2 instance template", - "Resources": { - "Ec2Volume": { - "Type": "AWS::EC2::Volume", - "Properties": { - "AvailabilityZone": "eu-central-1", - "Size": "5", - "Encrypted" : "false" # Sensitive - }, - "DeletionPolicy" : "Snapshot" - } - } -} +AWSTemplateFormatVersion: '2010-09-09' +Resources: + Ec2Volume: + Type: AWS::EC2::Volume + Properties: + Encrypted: false # Sensitive ---- ---- -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Sample EBS Volume with EC2 instance template", - "Resources": { - "Ec2Volume": { # Sensitive: no 'Encrypted' property set which defaults to "false" - "Type": "AWS::EC2::Volume", - "Properties": { - "AvailabilityZone": "eu-central-1", - "Size": "5" - }, - "DeletionPolicy" : "Snapshot" - } - } -} +AWSTemplateFormatVersion: '2010-09-09' +Resources: + Ec2Volume: + Type: AWS::EC2::Volume # Sensitive if "encrypted by default" is disabled ---- == Compliant Solution -YAML +For https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html[AWS::EC2::Volume]: ---- AWSTemplateFormatVersion: '2010-09-09' -Description: Sample EBS Volume with EC2 instance template Resources: Ec2Volume: Type: AWS::EC2::Volume - Properties: - Size: '5' - Encrypted: true # OK - AvailabilityZone: eu-central-1 - DeletionPolicy: Snapshot + Properties: + Encrypted: true ---- -JSON - ----- -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Sample EBS Volume with EC2 instance template", - "Resources": { - "Ec2Volume": { - "Type": "AWS::EC2::Volume", - "Properties": { - "AvailabilityZone": "eu-central-1", - "Size": "5", - "Encrypted" : "true" // OK - }, - 
"DeletionPolicy" : "Snapshot"
- }
- }
-}
-----
+include::../see.adoc[]
diff --git a/rules/S6275/description.adoc b/rules/S6275/description.adoc
new file mode 100644
index 0000000000..f5370bac6f
--- /dev/null
+++ b/rules/S6275/description.adoc
@@ -0,0 +1 @@
+Amazon Elastic Block Store (EBS) is a block-storage service for Amazon Elastic Compute Cloud (EC2). EBS volumes can be encrypted, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. In the case that adversaries gain physical access to the storage medium they are not able to access the data. Encryption can be enabled for specific volumes or for https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default[all new volumes and snapshots].
diff --git a/rules/S6275/metadata.json b/rules/S6275/metadata.json
index 6ce07f5435..921e4246de 100644
--- a/rules/S6275/metadata.json
+++ b/rules/S6275/metadata.json
@@ -1,9 +1,11 @@
 {
- "title": "Using not encrypted EBS Volume is security-sensitive",
+ "title": "Using unencrypted EBS volumes is security-sensitive",
 "type": "SECURITY_HOTSPOT",
 "status": "ready",
 "tags": [
-
+ "cwe",
+ "owasp-a3",
+ "owasp-a6"
 ],
 "extra": {
 "coveredLanguages": [
@@ -17,6 +19,15 @@
 "ruleSpecification": "RSPEC-6275",
 "sqKey": "S6275",
 "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 311
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ]
+ },
 "defaultQualityProfiles": [
 "Sonar way"
 ]
diff --git a/rules/S6275/recommended.adoc b/rules/S6275/recommended.adoc
new file mode 100644
index 0000000000..3660628de8
--- /dev/null
+++ b/rules/S6275/recommended.adoc
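Review bot: The compliant AWS::EC2::Volume example stops at `Encrypted: true`, which leaves the reader thinking encryption is fully configured; with no `KmsKeyId` the volume is encrypted under the AWS-managed `aws/ebs` key, which cannot be governed by a customer key policy or shared across accounts. I would add one line after `Encrypted: true`, e.g. `      KmsKeyId: <kms-key-id>   # optional; the AWS-managed aws/ebs key is used when omitted` (placeholder value). Note also that the rewritten snippets drop `AvailabilityZone`, which the resource requires, so they are now illustrative fragments rather than deployable templates; a short sentence saying so before the first `----` block would avoid copy-paste confusion. The hunk covers the whole file, so no surrounding content is cut off.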
@@ -0,0 +1,3 @@
+== Recommended Secure Coding Practices
+
+It's recommended to encrypt EBS volumes that contain sensitive information. Encryption and decryption are handled transparently by EC2, so no further modifications to the application are necessary. Instead of enabling encryption for every volume it is also possible to enable encryption globally for a specific region.
diff --git a/rules/S6275/see.adoc b/rules/S6275/see.adoc
new file mode 100644
index 0000000000..abfe395d5b
--- /dev/null
+++ b/rules/S6275/see.adoc
@@ -0,0 +1,6 @@
+== See
+
+* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html[Amazon EBS encryption]
+* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* https://cwe.mitre.org/data/definitions/311.html[MITRE, CWE-311] - Missing Encryption of Sensitive Data
diff --git a/rules/S6275/terraform/rule.adoc b/rules/S6275/terraform/rule.adoc
index af1b808efe..f49a8c4b60 100644
--- a/rules/S6275/terraform/rule.adoc
+++ b/rules/S6275/terraform/rule.adoc
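Review bot: The last sentence of the new recommended.adoc, "enable encryption globally for a specific region", is self-contradictory and omits the caveat that matters most in practice: encryption by default is an account-level, per-region setting that only affects volumes and snapshots created after it is turned on, so existing unencrypted volumes stay unencrypted. I would rewrite it as `Instead of enabling encryption for every volume, "encryption by default" can be turned on per region at the account level; this only applies to volumes and snapshots created afterwards, existing unencrypted volumes must be migrated (snapshot and copy with encryption) separately.` That caveat also explains why the "Sensitive if encrypted by default is disabled" examples in the rule files are still worth flagging even where the account setting is on.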
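Review bot: The two OWASP links in the new see.adoc are inconsistent: the A3 entry points at `.../A3_2017-Sensitive_Data_Exposure` while the A6 entry points at `.../A6_2017-Security_Misconfiguration.html`. The rest of the rule corpus links the `.html` form, so I would change the A3 line to `* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure` so both resolve to the same page style and link checkers treat them alike.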
@@ -1,70 +1,83 @@ +include::../description.adoc[] + +include::../ask-yourself.adoc[] + +include::../recommended.adoc[] == Sensitive Code Example -Terraform documentation: \https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume - +For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume[aws_ebs_volume]: ---- -resource "aws_ebs_volume" "foo_disabled" { # Sensitive: no "encrypted" entry provided - availability_zone = "us-west-2a" - size = 40 +resource "aws_ebs_volume" "ebs_volume" { # Sensitive if "encrypted by default" is disabled +} +---- - tags = { - Name = "HelloWorld" +---- +resource "aws_ebs_volume" "ebs_volume" { + encrypted = false # Sensitive +} +---- + +For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default[aws_ebs_encryption_by_default]: + +---- +resource "aws_ebs_encryption_by_default" "default_encryption" { + enabled = false # Sensitive +} +---- + +For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration[aws_launch_configuration]: + +---- +resource "aws_launch_configuration" "launch_configuration" { + root_block_device { # Sensitive if "encrypted by default" is disabled + } + ebs_block_device { # Sensitive if "encrypted by default" is disabled } } ---- ---- -resource "aws_ebs_encryption_by_default" "foo_disabled" { - enabled = false # Sensitive -} ----- - ----- -resource "aws_launch_configuration" "foo-launch-config" { # Sensitive: no "encrypted" entry provided -} - -resource "aws_launch_configuration" "foo-launch-config" { - root_block_device { - encrypted = true # OK - } - ebs_block_device { - encrypted = false # Sensitive - } -} - -resource "aws_launch_configuration" "foo-launch-config" { - root_block_device { - encrypted = false # Sensitive: default is "false": https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#encrypted - } - ebs_block_device { - 
encrypted = false # Sensitive: default is "false": https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#encrypted - } +resource "aws_launch_configuration" "launch_configuration" { + root_block_device { + encrypted = false # Sensitive + } + ebs_block_device { + encrypted = false # Sensitive + } } ---- == Compliant Solution ----- -resource "aws_ebs_volume" "foo_enabled" { - availability_zone = "us-west-2a" - size = 40 +For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume[aws_ebs_volume]: - tags = { - Name = "HelloWorld" +---- +resource "aws_ebs_volume" "ebs_volume" { + encrypted = true +} +---- + +For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default[aws_ebs_encryption_by_default]: + +---- +resource "aws_ebs_encryption_by_default" "default_encryption" { + enabled = true # Optional, default is "true" +} +---- + +For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration[aws_launch_configuration]: + +---- +resource "aws_launch_configuration" "launch_configuration" { + root_block_device { + encrypted = true + } + ebs_block_device { + encrypted = true } - - encrypted = true # OK } ---- ----- -resource "aws_ebs_encryption_by_default" "foo_enabled" { - enabled = true # OK -} - -# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default#enabled -resource "aws_ebs_encryption_by_default" "foo_enabled" { # OK, default is "true" -} ----- +include::../see.adoc[]
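Review bot: The new sensitive aws_launch_configuration example uses an empty `ebs_block_device { }` block, which I believe is not accepted by the AWS provider because `device_name` is a required argument of that block; the same snippet in the compliant section has the same gap, and the new `aws_ebs_volume "ebs_volume" {}` likewise omits the required `availability_zone`. Either keep the minimal required arguments (e.g. `ebs_block_device { device_name = "/dev/sdb" }`, a constructed sample value) or state above the first `----` block that the snippets are abridged. The hunk also drops the old comment linking to `launch_configuration#encrypted`, which was the only place documenting that `encrypted` defaults to false in these blocks; I would keep that as a one-line comment on the empty `root_block_device` block, since it is what makes the "Sensitive if encrypted by default is disabled" claim verifiable. The hunk spans the whole file, so nothing is cut off at either edge.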