16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
264 lines
6.8 KiB
Plaintext
264 lines
6.8 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_kinesis_stream" "sensitive_stream" {
|
|
encryption_type = "NONE" # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticache_replication_group" "example" {
|
|
replication_group_id = "example"
|
|
replication_group_description = "example"
|
|
transit_encryption_enabled = false # Sensitive
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/ecs/[Amazon ECS]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_ecs_task_definition" "ecs_task" {
|
|
family = "service"
|
|
container_definitions = file("task-definition.json")
|
|
|
|
volume {
|
|
name = "storage"
|
|
efs_volume_configuration {
|
|
file_system_id = aws_efs_file_system.fs.id
|
|
transit_encryption = "DISABLED" # Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticsearch_domain" "example" {
|
|
domain_name = "example"
|
|
domain_endpoint_options {
|
|
enforce_https = false # Sensitive
|
|
}
|
|
node_to_node_encryption {
|
|
enabled = false # Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_msk_cluster" "sensitive_data_cluster" {
|
|
encryption_info {
|
|
encryption_in_transit {
|
|
client_broker = "TLS_PLAINTEXT" # Sensitive
|
|
in_cluster = false # Sensitive
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_lb_listener" "front_load_balancer" {
|
|
protocol = "HTTP" # Sensitive
|
|
|
|
default_action {
|
|
type = "redirect"
|
|
|
|
redirect {
|
|
protocol = "HTTP"
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
HTTP protocol is used for https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service[GCP Region Backend Services]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_region_backend_service" "example" {
|
|
name = "example-service"
|
|
region = "us-central1"
|
|
health_checks = [google_compute_region_health_check.region.id]
|
|
connection_draining_timeout_sec = 10
|
|
session_affinity = "CLIENT_IP"
|
|
load_balancing_scheme = "EXTERNAL"
|
|
protocol = "HTTP" # Sensitive
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_kinesis_stream" "compliant_stream" {
|
|
encryption_type = "KMS"
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticache_replication_group" "example" {
|
|
replication_group_id = "example"
|
|
replication_group_description = "example"
|
|
transit_encryption_enabled = true
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/ecs/[Amazon ECS]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_ecs_task_definition" "ecs_task" {
|
|
family = "service"
|
|
container_definitions = file("task-definition.json")
|
|
|
|
volume {
|
|
name = "storage"
|
|
efs_volume_configuration {
|
|
file_system_id = aws_efs_file_system.fs.id
|
|
transit_encryption = "ENABLED"
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_elasticsearch_domain" "example" {
|
|
domain_name = "example"
|
|
domain_endpoint_options {
|
|
enforce_https = true
|
|
}
|
|
node_to_node_encryption {
|
|
enabled = true
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, allowing you to omit writing the `encryption_in_transit` configuration. However, if you need to configure it explicitly, this configuration is compliant:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_msk_cluster" "sensitive_data_cluster" {
|
|
encryption_info {
|
|
encryption_in_transit {
|
|
client_broker = "TLS"
|
|
in_cluster = true
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_lb_listener" "front_load_balancer" {
|
|
protocol = "HTTP"
|
|
|
|
default_action {
|
|
type = "redirect"
|
|
|
|
redirect {
|
|
protocol = "HTTPS"
|
|
}
|
|
}
|
|
}
|
|
|
|
----
|
|
|
|
HTTPS protocol is used for https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service[GCP Region Backend Services]:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_compute_region_backend_service" "example" {
|
|
name = "example-service"
|
|
region = "us-central1"
|
|
health_checks = [google_compute_region_health_check.region.id]
|
|
connection_draining_timeout_sec = 10
|
|
session_affinity = "CLIENT_IP"
|
|
load_balancing_scheme = "EXTERNAL"
|
|
protocol = "HTTPS"
|
|
}
|
|
----
|
|
|
|
include::../exceptions.adoc[]
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Make sure allowing clear-text traffic is safe here.
|
|
* Omitting "{argument_name}" enables clear-text protocols. Make sure it is safe here.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
For ``aws_kinesis_stream``:
|
|
|
|
* Highlight the resource if `encryption_type` is missing or set to ``NONE``
|
|
|
|
For `aws_elasticache_replication_group`:
|
|
|
|
* Highlight `transit_encryption_enabled` if it is specified but has the wrong value
|
|
* Highlight resource if `transit_encryption_enabled` is not set
|
|
|
|
For `aws_ecs_task_definition`:
|
|
|
|
* Highlight `transit_encryption` if it is specified but has the wrong value
|
|
* Highlight `efs_volume_configuration` if it exists but does not contain `transit_encryption`
|
|
|
|
* For `aws_lb_listener`:
|
|
** For a `fixed-response` or `forward` action: Highlight the root `protocol` if it is set to `HTTP`
|
|
** For a `redirect` action: Highlight the root `protocol` if `default_action.redirect.protocol` is set as `HTTP`
|
|
|
|
For `aws_elasticsearch_domain`:
|
|
|
|
* Highlight `enabled` field from `node_to_node_encryption` if it is specified but has the wrong value
|
|
* Highlight `enforce_https` field from `domain_endpoint_options` if it is specified but has the wrong value
|
|
* Highlight resource if `node_to_node_encryption` is not specified at all
|
|
|
|
For `aws_msk_cluster`:
|
|
|
|
* Highlight `client_broker` if it is specified but does not contain `TLS`
|
|
* Highlight `in_cluster` if it is specified but is set to `false`
|
|
|
|
For `google_compute_region_backend_service`:
|
|
|
|
* Highlight `protocol` argument value when equals to `HTTP`
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|