include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams, server-side encryption is disabled by default: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: KinesisStream: # Sensitive Type: AWS::Kinesis::Stream Properties: ShardCount: 1 # No StreamEncryption ---- For https://aws.amazon.com/elasticache/[Amazon ElastiCache]: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: Example: Type: AWS::ElastiCache::ReplicationGroup Properties: ReplicationGroupId: "example" TransitEncryptionEnabled: false # Sensitive ---- For https://aws.amazon.com/ecs/[Amazon ECS]: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: EcsTask: Type: AWS::ECS::TaskDefinition Properties: Family: "service" Volumes: - Name: "storage" EFSVolumeConfiguration: FilesystemId: !Ref FS TransitEncryption: "DISABLED" # Sensitive ---- For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: HTTPlistener: Type: "AWS::ElasticLoadBalancingV2::Listener" Properties: DefaultActions: - Type: "redirect" RedirectConfig: Protocol: "HTTP" Protocol: "HTTP" # Sensitive ---- For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: Example: Type: AWS::OpenSearchService::Domain Properties: DomainName: example DomainEndpointOptions: EnforceHTTPS: false # Sensitive NodeToNodeEncryptionOptions: Enabled: false # Sensitive ---- For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: MSKCluster: Type: 'AWS::MSK::Cluster' Properties: ClusterName: MSKCluster EncryptionInfo: EncryptionInTransit: ClientBroker: TLS_PLAINTEXT # Sensitive InCluster: false # Sensitive ---- == Compliant Solution For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: KinesisStream: Type: AWS::Kinesis::Stream Properties: ShardCount: 1 StreamEncryption: EncryptionType: KMS ---- For https://aws.amazon.com/elasticache/[Amazon ElastiCache]: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: Example: Type: AWS::ElastiCache::ReplicationGroup Properties: ReplicationGroupId: "example" TransitEncryptionEnabled: true ---- For https://aws.amazon.com/ecs/[Amazon ECS]: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: EcsTask: Type: AWS::ECS::TaskDefinition Properties: Family: "service" Volumes: - Name: "storage" EFSVolumeConfiguration: FilesystemId: !Ref FS TransitEncryption: "ENABLED" ---- For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: HTTPlistener: Type: "AWS::ElasticLoadBalancingV2::Listener" Properties: DefaultActions: - Type: "redirect" RedirectConfig: Protocol: "HTTPS" Protocol: "HTTP" ---- For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: Example: Type: AWS::OpenSearchService::Domain Properties: DomainName: example DomainEndpointOptions: EnforceHTTPS: true NodeToNodeEncryptionOptions: Enabled: true ---- For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, allowing you to omit writing the `EncryptionInTransit` configuration. However, if you need to configure it explicitly, this configuration is compliant: [source,yaml] ---- AWSTemplateFormatVersion: 2010-09-09 Resources: MSKCluster: Type: 'AWS::MSK::Cluster' Properties: ClusterName: MSKCluster EncryptionInfo: EncryptionInTransit: ClientBroker: TLS InCluster: true ---- == See include::../common/resources/documentation.adoc[] include::../common/resources/articles.adoc[] include::../common/resources/standards-iac.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Highlighting For `AWS::Kinesis::Stream`, in `StreamEncryption` : * Highlight the resource bloc if ``StreamEncryption`` is missing For `AWS::ElastiCache::ReplicationGroup`: * Highlight `TransitEncryptionEnabled` if it is specified but has the wrong value * Highlight resource if `TransitEncryptionEnabled` not set For `AWS::ECS::TaskDefinition`: * Highlight `TransitEncryption` if it is specified but has the wrong value * Highlight `EFSVolumeConfiguration` if it exists but does not contain `TransitEncryption` For `AWS::ElasticLoadBalancingV2::Listener`: * For a `fixed-response` or `forward` action: Highlight `Protocol` if it is set to `HTTP` * For a `redirect` action: Highlight `Protocol` if `RedirectConfig.Protocol` is set as `HTTP` For `AWS::Elasticsearch::Domain` and `AWS::OpenSearchService::Domain`: * Highlight `Enabled` if it is specified but has the wrong value * Highlight `NodeToNodeEncryptionOptions` if it is specified but does not contain `Enabled` * Highlight `EnforceHTTPS` if it is specified but has the wrong value * Highlight `DomainEndpointOption` if it is specified but does not contain `EnforceHTTPS` * Highlight resource if `NodeToNodeEncryptionOptions` or `DomainEndpointOption` are not specified at all For `AWS::MSK::Cluster`: * Highlight `ClientBroker` if it is specified but does not contain `TLS` * Highlight `InCluster` if it is specified but is set to `false` === Message * Make sure allowing clear-text traffic is safe here. * Omitting "{argument_name}" enables clear-text protocols. Make sure it is safe here. endif::env-github,rspecator-view[]