
include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams, server-side encryption is disabled by default:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  KinesisStream: # Sensitive
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      # No StreamEncryption
----

For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: "example"
      TransitEncryptionEnabled: false # Sensitive
----

For https://aws.amazon.com/ecs/[Amazon ECS]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcsTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "service"
      Volumes:
        -
          Name: "storage"
          EFSVolumeConfiguration:
            FilesystemId: !Ref FS
            TransitEncryption: "DISABLED" # Sensitive
----

For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  HTTPlistener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTP"
      Protocol: "HTTP" # Sensitive
----

For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: false # Sensitive
      NodeToNodeEncryptionOptions:
        Enabled: false # Sensitive
----

For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MSKCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: MSKCluster
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: TLS_PLAINTEXT # Sensitive
          InCluster: false # Sensitive
----

== Compliant Solution

For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  KinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      StreamEncryption:
        EncryptionType: KMS
----

For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: "example"
      TransitEncryptionEnabled: true
----

For https://aws.amazon.com/ecs/[Amazon ECS]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcsTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "service"
      Volumes:
        -
          Name: "storage"
          EFSVolumeConfiguration:
            FilesystemId: !Ref FS
            TransitEncryption: "ENABLED"
----

For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  HTTPlistener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTPS"
      Protocol: "HTTP"
----

For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: true
      NodeToNodeEncryptionOptions:
        Enabled: true
----

For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, so the `EncryptionInTransit` configuration can be omitted. If it needs to be set explicitly, this configuration is compliant:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MSKCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: MSKCluster
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: TLS
          InCluster: true
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Highlighting

For `AWS::Kinesis::Stream`, in `StreamEncryption`:

* Highlight the resource block if `StreamEncryption` is missing

For `AWS::ElastiCache::ReplicationGroup`:

* Highlight `TransitEncryptionEnabled` if it is specified but has the wrong value
* Highlight the resource if `TransitEncryptionEnabled` is not set

For `AWS::ECS::TaskDefinition`:

* Highlight `TransitEncryption` if it is specified but has the wrong value
* Highlight `EFSVolumeConfiguration` if it exists but does not contain `TransitEncryption`

For `AWS::ElasticLoadBalancingV2::Listener`:

* For a `fixed-response` or `forward` action: highlight `Protocol` if it is set to `HTTP`
* For a `redirect` action: highlight `Protocol` if `RedirectConfig.Protocol` is set to `HTTP`

For `AWS::Elasticsearch::Domain` and `AWS::OpenSearchService::Domain`:

* Highlight `Enabled` if it is specified but has the wrong value
* Highlight `NodeToNodeEncryptionOptions` if it is specified but does not contain `Enabled`
* Highlight `EnforceHTTPS` if it is specified but has the wrong value
* Highlight `DomainEndpointOptions` if it is specified but does not contain `EnforceHTTPS`
* Highlight the resource if `NodeToNodeEncryptionOptions` or `DomainEndpointOptions` is not specified at all

For `AWS::MSK::Cluster`:

* Highlight `ClientBroker` if it is specified but set to a value other than `TLS` (for example `TLS_PLAINTEXT`)
* Highlight `InCluster` if it is specified but is set to `false`
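The highlighting rules above, written out as a small checker so the per-resource logic can be exercised against a template. This is an added example and not the analyzer's own implementation of the rule. It assumes the template has already been loaded into Python dicts (the shape `yaml.safe_load` produces; handling of intrinsic tags such as `!Ref` is not shown), and the sample template, its resource names and the `fs-PLACEHOLDER` filesystem id are constructed for this example. Each check returns the highlighted property path and one of the two messages defined below.

```python
from typing import Any
Finding = tuple[str, str, str]  # (logical id, highlighted property path, message)
MSG_CLEAR = "Make sure allowing clear-text traffic is safe here."

def msg_omitted(name: str) -> str:
    return f'Omitting "{name}" enables clear-text protocols. Make sure it is safe here.'

def is_false(value: Any) -> bool:
    # Templates use both YAML booleans and the quoted strings "true"/"false".
    return value is False or str(value).strip().lower() == "false"

def check_kinesis(lid: str, props: dict) -> list[Finding]:
    # Server-side encryption stays off unless StreamEncryption is present, so the resource is highlighted.
    return [] if "StreamEncryption" in props else [(lid, f"Resources.{lid}", msg_omitted("StreamEncryption"))]

def check_elasticache(lid: str, props: dict) -> list[Finding]:
    value = props.get("TransitEncryptionEnabled")
    if value is None:
        return [(lid, f"Resources.{lid}", msg_omitted("TransitEncryptionEnabled"))]
    return [(lid, f"Resources.{lid}.Properties.TransitEncryptionEnabled", MSG_CLEAR)] if is_false(value) else []

def check_ecs_task(lid: str, props: dict) -> list[Finding]:
    findings = []
    for i, volume in enumerate(props.get("Volumes") or []):
        efs = volume.get("EFSVolumeConfiguration")
        if efs is None:
            continue  # only EFS volumes carry a TransitEncryption setting
        path = f"Resources.{lid}.Properties.Volumes[{i}].EFSVolumeConfiguration"
        if "TransitEncryption" not in efs:
            findings.append((lid, path, msg_omitted("TransitEncryption")))
        elif str(efs["TransitEncryption"]).upper() != "ENABLED":
            findings.append((lid, f"{path}.TransitEncryption", MSG_CLEAR))
    return findings

def check_listener(lid: str, props: dict) -> list[Finding]:
    # An HTTP listener is acceptable only when it redirects to HTTPS; the listener's Protocol is highlighted.
    listener_http = str(props.get("Protocol", "")).upper() == "HTTP"
    for action in props.get("DefaultActions") or []:
        kind = str(action.get("Type", "")).lower()
        target = str((action.get("RedirectConfig") or {}).get("Protocol", "")).upper()
        if (kind in ("fixed-response", "forward") and listener_http) or (kind == "redirect" and target == "HTTP"):
            return [(lid, f"Resources.{lid}.Properties.Protocol", MSG_CLEAR)]
    return []

def check_search_domain(lid: str, props: dict) -> list[Finding]:
    # Shared by AWS::Elasticsearch::Domain and AWS::OpenSearchService::Domain.
    findings = []
    for block, flag in (("NodeToNodeEncryptionOptions", "Enabled"), ("DomainEndpointOptions", "EnforceHTTPS")):
        options = props.get(block)
        if options is None:
            findings.append((lid, f"Resources.{lid}", msg_omitted(block)))
        elif flag not in options:
            findings.append((lid, f"Resources.{lid}.Properties.{block}", msg_omitted(flag)))
        elif is_false(options[flag]):
            findings.append((lid, f"Resources.{lid}.Properties.{block}.{flag}", MSG_CLEAR))
    return findings

def check_msk(lid: str, props: dict) -> list[Finding]:
    # MSK encrypts in transit by default; only an explicit ClientBroker other than TLS or InCluster=false is flagged.
    findings = []
    transit = (props.get("EncryptionInfo") or {}).get("EncryptionInTransit") or {}
    base = f"Resources.{lid}.Properties.EncryptionInfo.EncryptionInTransit"
    if "ClientBroker" in transit and str(transit["ClientBroker"]).upper() != "TLS":
        findings.append((lid, f"{base}.ClientBroker", MSG_CLEAR))
    if "InCluster" in transit and is_false(transit["InCluster"]):
        findings.append((lid, f"{base}.InCluster", MSG_CLEAR))
    return findings

CHECKS = {
    "AWS::Kinesis::Stream": check_kinesis, "AWS::ElastiCache::ReplicationGroup": check_elasticache,
    "AWS::ECS::TaskDefinition": check_ecs_task, "AWS::ElasticLoadBalancingV2::Listener": check_listener,
    "AWS::Elasticsearch::Domain": check_search_domain, "AWS::OpenSearchService::Domain": check_search_domain,
    "AWS::MSK::Cluster": check_msk,
}

def scan_template(template: dict) -> list[Finding]:
    findings = []
    for lid, resource in (template.get("Resources") or {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(lid, resource.get("Properties") or {}))
    return findings

# Constructed sample (names and the filesystem id are placeholders) holding the rule's sensitive settings.
SAMPLE_TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "PlainStream": {"Type": "AWS::Kinesis::Stream", "Properties": {"ShardCount": 1}},
    "Cache": {"Type": "AWS::ElastiCache::ReplicationGroup", "Properties": {"TransitEncryptionEnabled": False}},
    "EcsTask": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"Volumes": [{"Name": "storage",
                "EFSVolumeConfiguration": {"FilesystemId": "fs-PLACEHOLDER", "TransitEncryption": "DISABLED"}}]}},
    "HttpListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {"Protocol": "HTTP",
                     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTP"}}]}},
    "Search": {"Type": "AWS::OpenSearchService::Domain", "Properties": {
               "DomainEndpointOptions": {"EnforceHTTPS": False}, "NodeToNodeEncryptionOptions": {"Enabled": False}}},
    "Kafka": {"Type": "AWS::MSK::Cluster", "Properties": {"EncryptionInfo": {"EncryptionInTransit": {
              "ClientBroker": "TLS_PLAINTEXT", "InCluster": False}}}},
}}

if __name__ == "__main__":
    print(*(f"{path}: {message}" for _, path, message in scan_template(SAMPLE_TEMPLATE)), sep="\n")
```

Run as a script it prints eight findings for the sample, one per `# Sensitive` marker in the examples above (two each for the OpenSearch domain and the MSK cluster). The compliant configurations from the rule, such as an HTTP listener whose `RedirectConfig.Protocol` is `HTTPS` or an MSK cluster that omits `EncryptionInTransit` entirely, produce no finding when passed to the same functions.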

=== Message

* Make sure allowing clear-text traffic is safe here.
* Omitting "{argument_name}" enables clear-text protocols. Make sure it is safe here.

endif::env-github,rspecator-view[]