Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintainability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00

Enabling Legacy Authorization, also known as Attribute-Based Access Control (ABAC), on Google Kubernetes Engine resources weakens an
organization's ability to protect itself against compromised access controls.
For Kubernetes, Attribute-Based Access Control has been superseded by Role-Based Access Control (RBAC).
ABAC is no longer under active development and should therefore be avoided.

== Ask Yourself Whether

* This resource is essential for the information system infrastructure.
* This resource is essential for mission-critical functions.
* Compliance policies require access to this resource to be enforced through the use of Role-Based Access Control.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

Unless you are relying on ABAC, leave it disabled.

== Sensitive Code Example

For https://cloud.google.com/kubernetes-engine[Google Kubernetes Engine]:

[source,terraform]
----
resource "google_container_cluster" "example" {
  enable_legacy_abac = true # Sensitive
}
----

== Compliant Solution

For https://cloud.google.com/kubernetes-engine[Google Kubernetes Engine]:

[source,terraform]
----
resource "google_container_cluster" "example" {
  enable_legacy_abac = false
}
----
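
As an added example, not part of this rule specification or of SonarSource's analyzer, the following Python scanner applies the rule's message and highlighting to Terraform text and reports each `google_container_cluster` that sets `enable_legacy_abac = true`. It assumes an omitted attribute keeps the provider default of false, and its brace tracking does not handle braces inside strings or comments.

```python
import re
from dataclasses import dataclass

# Message and highlighting rule taken from the Implementation Specification of this rule.
MESSAGE = "Make sure that enabling attribute-based access control is safe here."
RESOURCE_RE = re.compile(r'^\s*resource\s+"google_container_cluster"\s+"([^"]+)"\s*\{')
# Group 1 is the whole assignment, so a trailing "# Sensitive" comment is not highlighted.
ABAC_RE = re.compile(r'^\s*(enable_legacy_abac\s*=\s*(true|false))\b')


@dataclass
class Finding:
    line: int              # 1-based line of the sensitive assignment
    resource: str          # Terraform resource name
    span: tuple[int, int]  # 0-based [start, end) columns of the highlighted assignment
    message: str = MESSAGE


def scan(hcl: str) -> list[Finding]:
    """Flag `enable_legacy_abac = true` inside google_container_cluster blocks."""
    # Assumption: an omitted attribute keeps the provider default (false) and is
    # compliant. Brace tracking is line-based and ignores braces in strings/comments.
    findings, current, depth = [], None, 0
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        if current is None:
            m = RESOURCE_RE.match(line)
            if not m:
                continue
            current = m.group(1)
        else:
            m = ABAC_RE.match(line)
            if m and depth == 1 and m.group(2) == "true":  # top-level attribute only
                findings.append(Finding(lineno, current, (m.start(1), m.end(1))))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current, depth = None, 0
    return findings


# Constructed sample: a sensitive cluster, a compliant cluster, and an unrelated
# resource that must not be matched even though it uses the same attribute name.
SAMPLE_TF = '''\
resource "google_container_cluster" "legacy" {
  name               = "legacy-cluster"
  enable_legacy_abac = true # Sensitive
}
resource "google_container_cluster" "hardened" {
  enable_legacy_abac = false
}
resource "google_compute_instance" "vm" {
  enable_legacy_abac = true # not a GKE cluster, ignored
}
'''
```

Running `scan(SAMPLE_TF)` yields a single finding on the `legacy` cluster, with the span covering exactly `enable_legacy_abac = true` and excluding the trailing comment.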

== See

* CWE - https://cwe.mitre.org/data/definitions/668[CWE-668 - Exposure of Resource to Wrong Sphere]
* https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled[Google Cloud Documentation] - Hardening your cluster's security

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Make sure that enabling attribute-based access control is safe here.

=== Highlighting

* If an assignment is non-compliant, highlight the entire assignment

endif::env-github,rspecator-view[]