Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintainability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00


include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams, server-side encryption is disabled by default:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  KinesisStream: # Sensitive
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      # No StreamEncryption
----
For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: "example"
      TransitEncryptionEnabled: false # Sensitive
----
For https://aws.amazon.com/ecs/[Amazon ECS]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcsTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "service"
      Volumes:
        -
          Name: "storage"
          EFSVolumeConfiguration:
            FilesystemId: !Ref FS
            TransitEncryption: "DISABLED" # Sensitive
----
For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  HTTPlistener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTP"
      Protocol: "HTTP" # Sensitive
----
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: false # Sensitive
      NodeToNodeEncryptionOptions:
        Enabled: false # Sensitive
----
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MSKCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: MSKCluster
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: TLS_PLAINTEXT # Sensitive
          InCluster: false # Sensitive
----
== Compliant Solution
For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  KinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      StreamEncryption:
        EncryptionType: KMS
----
For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: "example"
      TransitEncryptionEnabled: true
----
For https://aws.amazon.com/ecs/[Amazon ECS]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcsTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "service"
      Volumes:
        -
          Name: "storage"
          EFSVolumeConfiguration:
            FilesystemId: !Ref FS
            TransitEncryption: "ENABLED"
----
For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  HTTPlistener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTPS"
      Protocol: "HTTP"
----
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: true
      NodeToNodeEncryptionOptions:
        Enabled: true
----
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, so the `EncryptionInTransit` configuration can be omitted. If you need to configure it explicitly, this configuration is compliant:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MSKCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: MSKCluster
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: TLS
          InCluster: true
----
== See
* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
* https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web]
* https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http]
* https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Documentation] - Listeners for your Application Load Balancers
* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesis-stream-streamencryption.html[AWS Documentation] - Stream Encryption
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Highlighting
For `AWS::Kinesis::Stream`, in `StreamEncryption`:
* Highlight the resource block if `StreamEncryption` is missing
For `AWS::ElastiCache::ReplicationGroup`:
* Highlight `TransitEncryptionEnabled` if it is specified but has the wrong value
* Highlight the resource if `TransitEncryptionEnabled` is not set
For `AWS::ECS::TaskDefinition`:
* Highlight `TransitEncryption` if it is specified but has the wrong value
* Highlight `EFSVolumeConfiguration` if it exists but does not contain `TransitEncryption`
For `AWS::ElasticLoadBalancingV2::Listener`:
* For a `fixed-response` or `forward` action: Highlight `Protocol` if it is set to `HTTP`
* For a `redirect` action: Highlight `Protocol` if `RedirectConfig.Protocol` is set to `HTTP`
For `AWS::Elasticsearch::Domain` and `AWS::OpenSearchService::Domain`:
* Highlight `Enabled` if it is specified but has the wrong value
* Highlight `NodeToNodeEncryptionOptions` if it is specified but does not contain `Enabled`
* Highlight `EnforceHTTPS` if it is specified but has the wrong value
* Highlight `DomainEndpointOptions` if it is specified but does not contain `EnforceHTTPS`
* Highlight the resource if `NodeToNodeEncryptionOptions` or `DomainEndpointOptions` is not specified at all
For `AWS::MSK::Cluster`:
* Highlight `ClientBroker` if it is specified but is not set to `TLS` (`TLS_PLAINTEXT` still allows clear-text clients)
* Highlight `InCluster` if it is specified but is set to `false`
=== Message
* Make sure allowing clear-text traffic is safe here.
* Omitting "{argument_name}" enables clear-text protocols. Make sure it is safe here.
endif::env-github,rspecator-view[]
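As an added example (not part of this rule or of SonarSource's analyzer), a minimal Python checker that applies the highlighting specification above to a CloudFormation template already loaded as Python data (for instance with `json.load`). The sample template, its resource names, and the `check_template`/`require` helpers are constructed here for illustration; boolean properties are assumed to be typed `true`/`false`, not the string `"true"`.

```python
MSG = "Make sure allowing clear-text traffic is safe here."
OMIT = 'Omitting "{}" enables clear-text protocols. Make sure it is safe here.'
SAMPLE = {"Resources": {  # constructed sample, as json.load would return it; the HTTP listener is compliant
    "Stream": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1}},
    "Task": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"Volumes": [
        {"Name": "storage", "EFSVolumeConfiguration": {"TransitEncryption": "DISABLED"}}]}},
    "Listener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {"Protocol": "HTTP",
        "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS"}}]}},
    "Search": {"Type": "AWS::OpenSearchService::Domain", "Properties": {
        "DomainEndpointOptions": {"EnforceHTTPS": True}, "NodeToNodeEncryptionOptions": {}}},
    "Kafka": {"Type": "AWS::MSK::Cluster", "Properties": {"EncryptionInfo": {
        "EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT", "InCluster": True}}}}}}

def check_template(template):
    """Return (resource, highlighted node, message) tuples following the highlighting spec."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        kind, p = res.get("Type"), res.get("Properties", {})
        flag = lambda node, msg=MSG: findings.append((name, node, msg))
        def require(container, key, ok, whole):  # omitted key: highlight `whole`; wrong value: highlight `key`
            if key not in container:
                flag(whole, OMIT.format(key))
            elif container[key] != ok:  # booleans are assumed typed (True/False), not the string "true"
                flag(key)
        if kind == "AWS::Kinesis::Stream" and "StreamEncryption" not in p:
            flag(name, OMIT.format("StreamEncryption"))  # the whole resource is highlighted
        elif kind == "AWS::ElastiCache::ReplicationGroup":
            require(p, "TransitEncryptionEnabled", True, name)
        elif kind == "AWS::ECS::TaskDefinition":
            for vol in p.get("Volumes", []):
                if "EFSVolumeConfiguration" in vol:
                    require(vol["EFSVolumeConfiguration"], "TransitEncryption", "ENABLED", "EFSVolumeConfiguration")
        elif kind == "AWS::ElasticLoadBalancingV2::Listener" and p.get("Protocol") == "HTTP":
            for act in p.get("DefaultActions", []):  # an HTTP listener is acceptable only when it redirects to HTTPS
                if act.get("Type") in ("forward", "fixed-response") or (act.get("Type") == "redirect"
                        and act.get("RedirectConfig", {}).get("Protocol") == "HTTP"):
                    flag("Protocol")
        elif kind in ("AWS::Elasticsearch::Domain", "AWS::OpenSearchService::Domain"):
            for block, key in (("NodeToNodeEncryptionOptions", "Enabled"), ("DomainEndpointOptions", "EnforceHTTPS")):
                if block not in p:
                    flag(name, OMIT.format(block))
                else:
                    require(p[block], key, True, block)
        elif kind == "AWS::MSK::Cluster":
            eit = p.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
            if eit.get("ClientBroker", "TLS") != "TLS":  # TLS_PLAINTEXT still permits clear-text clients
                flag("ClientBroker")
            if eit.get("InCluster") is False:
                flag("InCluster")
    return findings
```

Running `check_template(SAMPLE)` reports the Kinesis stream, the ECS EFS volume, the OpenSearch node-to-node block and the MSK `ClientBroker`, and leaves the HTTP-to-HTTPS redirect listener alone.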