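// AvoidLeaksViaHTTP flags Terraform `data "http"` blocks whose outbound
// request references an aws_ssm_parameter resource, because the request
// carries that parameter's value to an external endpoint.
var AvoidLeaksViaHTTP = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0134",
		Provider:    providers.AWSProvider,
		Service:     "ssm",
		ShortCode:   "avoid-leaks-via-http",
		Summary:     "Secrets should not be exfiltrated using Terraform HTTP data blocks",
		Impact:      "Secrets could be exposed outside of the organisation.",
		Resolution:  "Remove this potential exfiltration HTTP request.",
		Explanation: `The data.http block can be used to send secret data outside of the organisation.`,
		Links: []string{
			"https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/",
		},
		Terraform: &rules.EngineMetadata{
			GoodExamples:        terraformAvoidLeaksViaHTTPGoodExamples,
			BadExamples:         terraformAvoidLeaksViaHTTPBadExamples,
			Links:               terraformAvoidLeaksViaHTTPLinks,
			RemediationMarkdown: terraformAvoidLeaksViaHTTPRemediationMarkdown,
		},
		CustomChecks: rules.CustomChecks{
			Terraform: &rules.TerraformCustomCheck{
				RequiredTypes:  []string{"data"},
				RequiredLabels: []string{"http"},
				// Check walks every attribute the http data source puts on the
				// wire and reports each reference to an aws_ssm_parameter resource.
				// The module argument is not needed for this check.
				Check: func(block *terraform.Block, _ *terraform.Module) (results rules.Results) {
					// Inspecting only "url" misses the same reference placed in the
					// request headers or (on newer provider versions) the request body,
					// which reach the remote endpoint just as the URL does.
					for _, name := range []string{"url", "request_headers", "request_body"} {
						attr := block.GetAttribute(name)
						if attr.IsNil() {
							continue
						}
						for _, ref := range attr.AllReferences() {
							if ref.BlockType().Name() != "resource" || ref.TypeLabel() != "aws_ssm_parameter" {
								continue
							}
							results.Add("Potential exfiltration of secret value detected", block)
						}
					}
					return results
				},
			},
		},
		Severity: severity.Critical,
	},
	nil,
)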
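// CheckSecretUseCustomerKey reports Secrets Manager secrets that are not
// encrypted with a customer managed KMS key: either no key is set at all,
// or the AWS default key is named explicitly.
var CheckSecretUseCustomerKey = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0098",
		Provider:    providers.AWSProvider,
		Service:     "ssm",
		ShortCode:   "secret-use-customer-key",
		Summary:     "Secrets Manager should use customer managed keys",
		Impact:      "Using AWS managed keys reduces the flexibility and control over the encryption key",
		Resolution:  "Use customer managed keys",
		Explanation: `Secrets Manager encrypts secrets by default using a default key created by AWS. To ensure control and granularity of secret encryption, CMK's should be used explicitly.`,
		Links: []string{
			"https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html#asm-encrypt",
		},
		Terraform: &rules.EngineMetadata{
			GoodExamples:        terraformSecretUseCustomerKeyGoodExamples,
			BadExamples:         terraformSecretUseCustomerKeyBadExamples,
			Links:               terraformSecretUseCustomerKeyLinks,
			RemediationMarkdown: terraformSecretUseCustomerKeyRemediationMarkdown,
		},
		CloudFormation: &rules.EngineMetadata{
			GoodExamples:        cloudFormationSecretUseCustomerKeyGoodExamples,
			BadExamples:         cloudFormationSecretUseCustomerKeyBadExamples,
			Links:               cloudFormationSecretUseCustomerKeyLinks,
			RemediationMarkdown: cloudFormationSecretUseCustomerKeyRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// Evaluates every secret in the SSM state; one result (pass or fail) per secret.
	func(s *state.State) (results rules.Results) {
		secrets := s.AWS.SSM.Secrets
		// Index into the slice instead of taking &secret on a range variable:
		// the passed result keeps the pointer, and before Go 1.22 a range
		// variable has a single address, so every passed result would alias
		// the final secret.
		for i := range secrets {
			secret := &secrets[i]
			switch {
			case secret.KMSKeyID.IsEmpty():
				results.Add(
					"Secret is not encrypted with a customer managed key.",
					secret.KMSKeyID,
				)
			case secret.KMSKeyID.EqualTo(ssm.DefaultKMSKeyID):
				results.Add(
					"Secret explicitly uses the default key.",
					secret.KMSKeyID,
				)
			default:
				results.AddPassed(secret)
			}
		}
		return results
	},
)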