9ee16daa47
* Update JSON schema to include STIG ASD 2023-06-08 mapping * Update rules to add STIG metadata mappings --------- Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
272 lines
6.9 KiB
Plaintext
272 lines
6.9 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_kinesis_stream" "sensitive_stream" {
|
|
encryption_type = "NONE" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticache_replication_group" "example" {
|
|
replication_group_id = "example"
|
|
replication_group_description = "example"
|
|
transit_encryption_enabled = false # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/ecs/[Amazon ECS]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_ecs_task_definition" "ecs_task" {
|
|
family = "service"
|
|
container_definitions = file("task-definition.json")
|
|
|
|
volume {
|
|
name = "storage"
|
|
efs_volume_configuration {
|
|
file_system_id = aws_efs_file_system.fs.id
|
|
transit_encryption = "DISABLED" # Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticsearch_domain" "example" {
|
|
domain_name = "example"
|
|
domain_endpoint_options {
|
|
enforce_https = false # Sensitive
|
|
}
|
|
node_to_node_encryption {
|
|
enabled = false # Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_msk_cluster" "sensitive_data_cluster" {
|
|
encryption_info {
|
|
encryption_in_transit {
|
|
client_broker = "TLS_PLAINTEXT" # Sensitive
|
|
in_cluster = false # Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_lb_listener" "front_load_balancer" {
|
|
protocol = "HTTP" # Sensitive
|
|
|
|
default_action {
|
|
type = "redirect"
|
|
|
|
redirect {
|
|
protocol = "HTTP"
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
HTTP protocol is used for https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service[GCP Region Backend Services]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_region_backend_service" "example" {
|
|
name = "example-service"
|
|
region = "us-central1"
|
|
health_checks = [google_compute_region_health_check.region.id]
|
|
connection_draining_timeout_sec = 10
|
|
session_affinity = "CLIENT_IP"
|
|
load_balancing_scheme = "EXTERNAL"
|
|
protocol = "HTTP" # Sensitive
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_kinesis_stream" "compliant_stream" {
|
|
encryption_type = "KMS"
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticache_replication_group" "example" {
|
|
replication_group_id = "example"
|
|
replication_group_description = "example"
|
|
transit_encryption_enabled = true
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/ecs/[Amazon ECS]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_ecs_task_definition" "ecs_task" {
|
|
family = "service"
|
|
container_definitions = file("task-definition.json")
|
|
|
|
volume {
|
|
name = "storage"
|
|
efs_volume_configuration {
|
|
file_system_id = aws_efs_file_system.fs.id
|
|
transit_encryption = "ENABLED"
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticsearch_domain" "example" {
|
|
domain_name = "example"
|
|
domain_endpoint_options {
|
|
enforce_https = true
|
|
}
|
|
node_to_node_encryption {
|
|
enabled = true
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, allowing you to omit writing the `encryption_in_transit` configuration. However, if you need to configure it explicitly, this configuration is compliant:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_msk_cluster" "sensitive_data_cluster" {
|
|
encryption_info {
|
|
encryption_in_transit {
|
|
client_broker = "TLS"
|
|
in_cluster = true
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_lb_listener" "front_load_balancer" {
|
|
protocol = "HTTP"
|
|
|
|
default_action {
|
|
type = "redirect"
|
|
|
|
redirect {
|
|
protocol = "HTTPS"
|
|
}
|
|
}
|
|
}
|
|
|
|
----
|
|
|
|
HTTPS protocol is used for https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service[GCP Region Backend Services]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_region_backend_service" "example" {
|
|
name = "example-service"
|
|
region = "us-central1"
|
|
health_checks = [google_compute_region_health_check.region.id]
|
|
connection_draining_timeout_sec = 10
|
|
session_affinity = "CLIENT_IP"
|
|
load_balancing_scheme = "EXTERNAL"
|
|
protocol = "HTTPS"
|
|
}
|
|
----
|
|
|
|
include::../exceptions.adoc[]
|
|
|
|
|
|
== See
|
|
|
|
include::../common/resources/documentation.adoc[]
|
|
|
|
include::../common/resources/articles.adoc[]
|
|
|
|
include::../common/resources/standards-iac.adoc[]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Make sure allowing clear-text traffic is safe here.
|
|
* Omitting "{argument_name}" enables clear-text protocols. Make sure it is safe here.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
For ``aws_kinesis_stream``:
|
|
|
|
* Highlight the resource if `encryption_type` is missing or set to ``NONE``
|
|
|
|
For `aws_elasticache_replication_group`:
|
|
|
|
* Highlight `transit_encryption_enabled` if it is specified but has the wrong value
|
|
* Highlight resource if `transit_encryption_enabled` is not set
|
|
|
|
For `aws_ecs_task_definition`:
|
|
|
|
* Highlight `transit_encryption` if it is specified but has the wrong value
|
|
* Highlight `efs_volume_configuration` if it exists but does not contain `transit_encryption`
|
|
|
|
* For `aws_lb_listener`:
|
|
** For a `fixed-response` or `forward` action: Highlight the root `protocol` if it is set to `HTTP`
|
|
** For a `redirect` action: Highlight the root `protocol` if `default_action.redirect.protocol` is set as `HTTP`
|
|
|
|
For `aws_elasticsearch_domain`:
|
|
|
|
* Highlight `enabled` field from `node_to_node_encryption` if it is specified but has the wrong value
|
|
* Highlight `enforce_https` field from `domain_endpoint_options` if it is specified but has the wrong value
|
|
* Highlight resource if `node_to_node_encryption` is not specified at all
|
|
|
|
For `aws_msk_cluster`:
|
|
|
|
* Highlight `client_broker` if it is specified but does not contain `TLS`
|
|
* Highlight `in_cluster` if it is specified but is set to `false`
|
|
|
|
For `google_compute_region_backend_service`:
|
|
|
|
* Highlight `protocol` argument value when equals to `HTTP`
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|