218 lines
5.4 KiB
Plaintext
218 lines
5.4 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:
|
|
[source,terraform]
|
|
----
|
|
resource "aws_kinesis_stream" "sensitive_stream" {
|
|
encryption_type = "NONE" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticache_replication_group" "example" {
|
|
replication_group_id = "example"
|
|
replication_group_description = "example"
|
|
transit_encryption_enabled = false # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/ecs/[Amazon ECS]:
|
|
[source,terraform]
|
|
----
|
|
resource "aws_ecs_task_definition" "ecs_task" {
|
|
family = "service"
|
|
container_definitions = file("task-definition.json")
|
|
|
|
volume {
|
|
name = "storage"
|
|
efs_volume_configuration {
|
|
file_system_id = aws_efs_file_system.fs.id
|
|
transit_encryption = "DISABLED" # Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticsearch_domain" "example" {
|
|
domain_name = "example"
|
|
domain_endpoint_options {
|
|
enforce_https = false # Sensitive
|
|
}
|
|
node_to_node_encryption {
|
|
enabled = false # Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers:
|
|
[source,terraform]
|
|
----
|
|
resource "aws_msk_cluster" "sensitive_data_cluster" {
|
|
encryption_info {
|
|
encryption_in_transit {
|
|
client_broker = "TLS_PLAINTEXT" # Sensitive
|
|
in_cluster = false # Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:
|
|
[source,terraform]
|
|
----
|
|
resource "aws_lb_listener" "front_load_balancer" {
|
|
protocol = "HTTP" # Sensitive
|
|
|
|
default_action {
|
|
type = "redirect"
|
|
|
|
redirect {
|
|
protocol = "HTTP"
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
HTTP protocol is used for https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service[GCP Region Backend Services]:
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_region_backend_service" "example" {
|
|
name = "example-service"
|
|
region = "us-central1"
|
|
health_checks = [google_compute_region_health_check.region.id]
|
|
connection_draining_timeout_sec = 10
|
|
session_affinity = "CLIENT_IP"
|
|
load_balancing_scheme = "EXTERNAL"
|
|
protocol = "HTTP" # Sensitive
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_kinesis_stream" "compliant_stream" {
|
|
encryption_type = "KMS"
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticache_replication_group" "example" {
|
|
replication_group_id = "example"
|
|
replication_group_description = "example"
|
|
transit_encryption_enabled = true
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/ecs/[Amazon ECS]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_ecs_task_definition" "ecs_task" {
|
|
family = "service"
|
|
container_definitions = file("task-definition.json")
|
|
|
|
volume {
|
|
name = "storage"
|
|
efs_volume_configuration {
|
|
file_system_id = aws_efs_file_system.fs.id
|
|
transit_encryption = "ENABLED"
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticsearch_domain" "example" {
|
|
domain_name = "example"
|
|
domain_endpoint_options {
|
|
enforce_https = true
|
|
}
|
|
node_to_node_encryption {
|
|
enabled = true
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, allowing you to omit writing the `encryption_in_transit` configuration. However, if you need to configure it explicitly, this configuration is compliant:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_msk_cluster" "sensitive_data_cluster" {
|
|
encryption_info {
|
|
encryption_in_transit {
|
|
client_broker = "TLS"
|
|
in_cluster = true
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_lb_listener" "front_load_balancer" {
|
|
protocol = "HTTP"
|
|
|
|
default_action {
|
|
type = "redirect"
|
|
|
|
redirect {
|
|
protocol = "HTTPS"
|
|
}
|
|
}
|
|
}
|
|
|
|
----
|
|
|
|
HTTPS protocol is used for https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service[GCP Region Backend Services]:
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_region_backend_service" "example" {
|
|
name = "example-service"
|
|
region = "us-central1"
|
|
health_checks = [google_compute_region_health_check.region.id]
|
|
connection_draining_timeout_sec = 10
|
|
session_affinity = "CLIENT_IP"
|
|
load_balancing_scheme = "EXTERNAL"
|
|
protocol = "HTTPS"
|
|
}
|
|
----
|
|
|
|
include::../exceptions.adoc[]
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|