1a84c758e1
Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
57 lines
1.3 KiB
Plaintext
57 lines
1.3 KiB
Plaintext
== How to fix it in AWS CDK
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,javascript,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
import { aws_apigateway as agw } from 'aws-cdk-lib';
|
|
new agw.DomainName(this, 'Example', {
|
|
certificate: certificate,
|
|
domainName: domainName,
|
|
securityPolicy: agw.SecurityPolicy.TLS_1_0, // Noncompliant
|
|
});
|
|
----
|
|
|
|
The resource `CfnDomain` uses a weak TLS security policy, by default.
|
|
|
|
[source,javascript,diff-id=2,diff-type=noncompliant]
|
|
----
|
|
import { aws_opensearchservice as os } from 'aws-cdk-lib';
|
|
|
|
new os.CfnDomain(this, 'Example', {
|
|
domainEndpointOptions: {
|
|
enforceHttps: true,
|
|
},
|
|
}); // Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,javascript,diff-id=1,diff-type=compliant]
|
|
----
|
|
import { aws_apigateway as agw } from 'aws-cdk-lib';
|
|
new agw.DomainName(this, 'Example', {
|
|
certificate: certificate,
|
|
domainName: domainName,
|
|
securityPolicy: agw.SecurityPolicy.TLS_1_2,
|
|
});
|
|
----
|
|
|
|
[source,javascript,diff-id=2,diff-type=compliant]
|
|
----
|
|
import { aws_opensearchservice as os } from 'aws-cdk-lib';
|
|
|
|
new os.CfnDomain(this, 'Example', {
|
|
domainEndpointOptions: {
|
|
enforceHttps: true,
|
|
tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07',
|
|
},
|
|
});
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/fix.adoc[]
|