include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption: ---- resource "aws_kinesis_stream" "sensitive_stream" { encryption_type = "NONE" # Sensitive } ---- For https://aws.amazon.com/elasticache/[Amazon ElastiCache]: ---- resource "aws_elasticache_replication_group" "example" { replication_group_id = "example" replication_group_description = "example" transit_encryption_enabled = false # Sensitive } ---- For https://aws.amazon.com/ecs/[Amazon ECS]: ---- resource "aws_ecs_task_definition" "ecs_task" { family = "service" container_definitions = file("task-definition.json") volume { name = "storage" efs_volume_configuration { file_system_id = aws_efs_file_system.fs.id transit_encryption = "DISABLED" # Sensitive } } } ---- For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]: ---- resource "aws_elasticsearch_domain" "example" { domain_name = "example" domain_endpoint_options { enforce_https = false # Sensitive } node_to_node_encryption { enabled = false # Sensitive } } ---- For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers: ---- resource "aws_msk_cluster" "sensitive_data_cluster" { encryption_info { encryption_in_transit { client_broker = "TLS_PLAINTEXT" # Sensitive in_cluster = false # Sensitive } } } ---- For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]: ---- resource "aws_lb_listener" "front_load_balancer" { protocol = "HTTP" # Sensitive default_action { type = "redirect" redirect { protocol = "HTTP" } } } ---- == Compliant Solution For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption: ---- resource "aws_kinesis_stream" "compliant_stream" { encryption_type = "KMS" } ---- For https://aws.amazon.com/elasticache/[Amazon ElastiCache]: ---- resource "aws_elasticache_replication_group" "example" { replication_group_id = "example" replication_group_description = "example" transit_encryption_enabled = true } ---- For https://aws.amazon.com/ecs/[Amazon ECS]: ---- resource "aws_ecs_task_definition" "ecs_task" { family = "service" container_definitions = file("task-definition.json") volume { name = "storage" efs_volume_configuration { file_system_id = aws_efs_file_system.fs.id transit_encryption = "ENABLED" } } } ---- For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]: ---- resource "aws_elasticsearch_domain" "example" { domain_name = "example" domain_endpoint_options { enforce_https = true } node_to_node_encryption { enabled = true } } ---- For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, allowing you to omit writing the `encryption_in_transit` configuration. However, if you need to configure it explicitly, this configuration is compliant: ---- resource "aws_msk_cluster" "sensitive_data_cluster" { encryption_info { encryption_in_transit { client_broker = "TLS" in_cluster = true } } } ---- For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]: ---- resource "aws_lb_listener" "front_load_balancer" { protocol = "HTTP" default_action { type = "redirect" redirect { protocol = "HTTPS" } } } ---- include::../exceptions.adoc[] include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::highlighting.adoc[] endif::env-github,rspecator-view[]