include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams, server-side encryption is disabled by default:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  KinesisStream: # Sensitive
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      # No StreamEncryption
----

For https://aws.amazon.com/elasticache/[Amazon ElastiCache] replication groups, in-transit encryption is off unless `TransitEncryptionEnabled` is set:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: "example"
      # false is also the value applied when the property is omitted
      TransitEncryptionEnabled: false # Sensitive
----

For https://aws.amazon.com/ecs/[Amazon ECS] task definitions that mount an EFS volume:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcsTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "service"
      Volumes:
        - Name: "storage"
          EFSVolumeConfiguration:
            FilesystemId: !Ref FS
            # DISABLED is also what ECS applies when the property is omitted
            TransitEncryption: "DISABLED" # Sensitive
----

For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners], an HTTP listener whose default action redirects clients to another clear-text HTTP endpoint:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  HTTPlistener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTP"
            StatusCode: "HTTP_301"
      Protocol: "HTTP" # Sensitive
----

For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains], both the client-facing endpoint and the traffic between nodes can be left in clear text (both settings are `false` when omitted):

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: false # Sensitive
      NodeToNodeEncryptionOptions:
        Enabled: false # Sensitive
----

For https://aws.amazon.com/msk/[Amazon MSK], communications between clients and brokers (`ClientBroker`) and between brokers (`InCluster`):

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MSKCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: MSKCluster
      EncryptionInfo:
        EncryptionInTransit:
          # TLS_PLAINTEXT still accepts clear-text clients; PLAINTEXT is equally sensitive
          ClientBroker: TLS_PLAINTEXT # Sensitive
          InCluster: false # Sensitive
----

== Compliant Solution

For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams, enable server-side encryption with a KMS key (`StreamEncryption` requires both `EncryptionType` and `KeyId`):

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  KinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      StreamEncryption:
        EncryptionType: KMS
        # AWS-managed key for Kinesis; a customer-managed KMS key ID or ARN also works
        KeyId: alias/aws/kinesis
----

For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: "example"
      TransitEncryptionEnabled: true
----

For https://aws.amazon.com/ecs/[Amazon ECS]:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcsTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "service"
      Volumes:
        - Name: "storage"
          EFSVolumeConfiguration:
            FilesystemId: !Ref FS
            TransitEncryption: "ENABLED"
----

For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners], either serve traffic on an HTTPS listener, or keep an HTTP listener only to redirect clients to HTTPS:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  HTTPlistener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTPS"
            StatusCode: "HTTP_301"
      Protocol: "HTTP" # Accepted: the listener's only action is a redirect to HTTPS
----

For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: true
      NodeToNodeEncryptionOptions:
        Enabled: true
----

For https://aws.amazon.com/msk/[Amazon MSK], data in transit between clients and brokers and between brokers is encrypted by default (`ClientBroker` defaults to `TLS` and `InCluster` to `true`), so the `EncryptionInTransit` block can simply be omitted. If you do configure it explicitly, this configuration is compliant:

----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MSKCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: MSKCluster
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: TLS
          InCluster: true
----

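As an added illustration (not part of this rule's specification, nor of any AWS or SonarSource tooling), the following Python script walks a CloudFormation template in its JSON form and reports each of the clear-text settings shown above, applying the documented defaults for omitted properties (EFS `TransitEncryption`, OpenSearch `EnforceHTTPS` and node-to-node encryption are off when omitted; MSK `ClientBroker` defaults to `TLS` and `InCluster` to `true`). The two embedded templates are constructed from the fragments on this page; the `Ref` to `FS` is an unresolved placeholder just as in those fragments.

```python
"""Added example: offline scan of a CloudFormation template (JSON form) for the
clear-text settings listed in the rule. Sample templates below are constructed."""
import json


def as_bool(value, default):
    """CloudFormation accepts booleans as JSON booleans or the strings 'true'/'false'."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    return str(value).lower() == "true"


def redirects_to_https(actions):
    """True when every default action is a redirect to an HTTPS URL."""
    return bool(actions) and all(
        a.get("Type") == "redirect"
        and str((a.get("RedirectConfig") or {}).get("Protocol", "")).upper() == "HTTPS"
        for a in actions
    )


def check_template(template):
    """Return (logical_id, message) pairs for every clear-text setting found.
    Omitted properties are interpreted with the defaults from the CloudFormation
    resource documentation for each type."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::Kinesis::Stream" and "StreamEncryption" not in props:
            findings.append((name, "Kinesis stream has no StreamEncryption"))
        elif rtype == "AWS::ElastiCache::ReplicationGroup":
            if not as_bool(props.get("TransitEncryptionEnabled"), False):
                findings.append((name, "ElastiCache replication group without TransitEncryptionEnabled"))
        elif rtype == "AWS::ECS::TaskDefinition":
            for vol in props.get("Volumes") or []:
                efs = vol.get("EFSVolumeConfiguration")
                # ECS applies DISABLED when TransitEncryption is omitted
                if efs is not None and str(efs.get("TransitEncryption", "DISABLED")).upper() != "ENABLED":
                    findings.append((name, f"EFS volume {vol.get('Name')!r} mounted without TransitEncryption"))
        elif rtype == "AWS::ElasticLoadBalancingV2::Listener":
            if str(props.get("Protocol", "")).upper() == "HTTP" and not redirects_to_https(props.get("DefaultActions") or []):
                findings.append((name, "HTTP listener that does not only redirect to HTTPS"))
        elif rtype == "AWS::OpenSearchService::Domain":
            if not as_bool((props.get("DomainEndpointOptions") or {}).get("EnforceHTTPS"), False):
                findings.append((name, "OpenSearch domain does not enforce HTTPS"))
            if not as_bool((props.get("NodeToNodeEncryptionOptions") or {}).get("Enabled"), False):
                findings.append((name, "OpenSearch domain without node-to-node encryption"))
        elif rtype == "AWS::MSK::Cluster":
            eit = (props.get("EncryptionInfo") or {}).get("EncryptionInTransit") or {}
            if str(eit.get("ClientBroker", "TLS")).upper() != "TLS":  # MSK default is TLS
                findings.append((name, "MSK cluster accepts clear-text client connections"))
            if not as_bool(eit.get("InCluster"), True):  # MSK default is true
                findings.append((name, "MSK cluster without broker-to-broker encryption"))
    return findings


def check_json(text):
    """Wrapper for a JSON-format template (YAML short forms such as !Ref need a YAML parser)."""
    return check_template(json.loads(text))


# Constructed sample: the sensitive settings from the examples above, in JSON form.
SENSITIVE_TEMPLATE = {"Resources": {
    "KinesisStream": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1}},
    "Cache": {"Type": "AWS::ElastiCache::ReplicationGroup",
              "Properties": {"ReplicationGroupId": "example", "TransitEncryptionEnabled": False}},
    "EcsTask": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"Family": "service", "Volumes": [
        {"Name": "storage", "EFSVolumeConfiguration": {"FilesystemId": {"Ref": "FS"}, "TransitEncryption": "DISABLED"}}]}},
    "HTTPlistener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {"Protocol": "HTTP",
        "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTP", "StatusCode": "HTTP_301"}}]}},
    "Search": {"Type": "AWS::OpenSearchService::Domain", "Properties": {"DomainName": "example",
        "DomainEndpointOptions": {"EnforceHTTPS": False}, "NodeToNodeEncryptionOptions": {"Enabled": False}}},
    "MSKCluster": {"Type": "AWS::MSK::Cluster", "Properties": {"ClusterName": "MSKCluster",
        "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": False}}}},
}}

# Constructed sample: the compliant settings; MSK relies on its secure defaults.
COMPLIANT_TEMPLATE = {"Resources": {
    "KinesisStream": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1,
        "StreamEncryption": {"EncryptionType": "KMS", "KeyId": "alias/aws/kinesis"}}},
    "Cache": {"Type": "AWS::ElastiCache::ReplicationGroup",
              "Properties": {"ReplicationGroupId": "example", "TransitEncryptionEnabled": "true"}},
    "EcsTask": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"Family": "service", "Volumes": [
        {"Name": "storage", "EFSVolumeConfiguration": {"FilesystemId": {"Ref": "FS"}, "TransitEncryption": "ENABLED"}}]}},
    "HTTPlistener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {"Protocol": "HTTP",
        "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "StatusCode": "HTTP_301"}}]}},
    "Search": {"Type": "AWS::OpenSearchService::Domain", "Properties": {"DomainName": "example",
        "DomainEndpointOptions": {"EnforceHTTPS": True}, "NodeToNodeEncryptionOptions": {"Enabled": True}}},
    "MSKCluster": {"Type": "AWS::MSK::Cluster", "Properties": {"ClusterName": "MSKCluster"}},
}}

if __name__ == "__main__":
    for logical_id, message in check_template(SENSITIVE_TEMPLATE):
        print(f"{logical_id}: {message}")
    print("compliant findings:", check_template(COMPLIANT_TEMPLATE))
```

Running the script lists eight findings for the sensitive template (two each for the OpenSearch domain and the MSK cluster) and none for the compliant one. The check is deliberately default-aware: a resource that simply omits `TransitEncryption`, `EnforceHTTPS` or `NodeToNodeEncryptionOptions` is reported, while an MSK cluster that omits `EncryptionInTransit` is not, which mirrors the defaults described in the examples above.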
include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::highlighting.adoc[]

include::../message.adoc[]

endif::env-github,rspecator-view[]