Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintainability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00


By default, GCP SQL instances offer encryption in transit, with support for TLS, but insecure connections are still accepted. On an unsecured network, such as a public network, the risk of traffic being intercepted is high. When the data isn't encrypted, an attacker can intercept it and read confidential information.

When creating a GCP SQL instance, a public IP address is automatically assigned to it and connections to the SQL instance from public networks can be authorized.

TLS is automatically used when connecting to SQL instances through:

* The https://cloud.google.com/sql/docs/mysql/connect-admin-proxy[Cloud SQL Auth proxy].
* The https://cloud.google.com/sql/docs/mysql/connect-overview#languages[Java Socket Library].
* The built-in mechanisms in the https://cloud.google.com/appengine/docs[App Engine] environments.

== Ask Yourself Whether

Connections are not already automatically encrypted by GCP (e.g. SQL Auth proxy) and:

* Connections to the SQL instance are performed on untrusted networks.
* The data stored in the SQL instance is confidential.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

It's recommended to encrypt all connections to the SQL instance, whether using public or private IP addresses. However, since private networks can be considered trusted, requiring TLS in this situation is usually a lower-priority task.

== Sensitive Code Example

[source,terraform]
----
resource "google_sql_database_instance" "example" { # Sensitive: tls is not required
  name             = "noncompliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
  }
}
----

== Compliant Solution

[source,terraform]
----
resource "google_sql_database_instance" "example" {
  name             = "compliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
  }
}
----
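
The check below is an added example, not part of the rule or of any SonarSource analyzer: it reads the JSON form of a Terraform plan (`terraform show -json`) and lists every `google_sql_database_instance` whose `ip_configuration` does not set `require_ssl = true`, including instances declared in child modules. The plan document, resource addresses and function names are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the fields the check reads. In plan JSON,
# nested blocks such as settings appear as lists of objects.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "google_sql_database_instance.noncompliant",
     "type": "google_sql_database_instance",
     "values": {"settings": [{"tier": "db-f1-micro"}]}},
    {"address": "google_sql_database_instance.explicit_false",
     "type": "google_sql_database_instance",
     "values": {"settings": [{"tier": "db-f1-micro", "ip_configuration":
       [{"require_ssl": false, "ipv4_enabled": true}]}]}}],
  "child_modules": [{"resources": [
    {"address": "module.db.google_sql_database_instance.compliant",
     "type": "google_sql_database_instance",
     "values": {"settings": [{"tier": "db-f1-micro", "ip_configuration":
       [{"require_ssl": true, "ipv4_enabled": true}]}]}}]}]}}}
""")

def iter_resources(module):
    """Yield the resources of a module and of all its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def tls_required(values):
    """True only if every settings block sets ip_configuration.require_ssl to true."""
    settings = values.get("settings") or []
    if not settings:
        return False
    for block in settings:
        ip_cfgs = block.get("ip_configuration") or []
        if not ip_cfgs or not all(c.get("require_ssl") is True for c in ip_cfgs):
            return False  # missing, null (unknown at plan time) or false
    return True

def find_sensitive_instances(plan):
    """Return addresses of SQL instances that still accept unencrypted connections."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [r["address"] for r in iter_resources(root)
            if r.get("type") == "google_sql_database_instance"
            and not tls_required(r.get("values", {}))]

if __name__ == "__main__":
    for address in find_sensitive_instances(SAMPLE_PLAN):
        print(f"{address}: TLS is not required (require_ssl is not true)")
```
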

== See

* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
* https://cloud.google.com/sql/docs/mysql/authorize-ssl[GCP Documentation] - Cloud SQL: Authorizing with SSL/TLS certificates

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure creating a GCP SQL instance without requiring TLS is safe here.

Omitting {parameter} allows unencrypted connections to the database. Make sure it is safe here.

endif::env-github,rspecator-view[]