ssm

package
v0.72.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 22, 2022 License: MIT Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var AvoidLeaksViaHTTP = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0134",
		Provider:    providers.AWSProvider,
		Service:     "ssm",
		ShortCode:   "avoid-leaks-via-http",
		Summary:     "Secrets should not be exfiltrated using Terraform HTTP data blocks",
		Impact:      "Secrets could be exposed outside of the organisation.",
		Resolution:  "Remove this potential exfiltration HTTP request.",
		Explanation: `The data.http block can be used to send secret data outside of the organisation.`,
		Links: []string{
			"https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAvoidLeaksViaHTTPGoodExamples,
			BadExamples:         terraformAvoidLeaksViaHTTPBadExamples,
			Links:               terraformAvoidLeaksViaHTTPLinks,
			RemediationMarkdown: terraformAvoidLeaksViaHTTPRemediationMarkdown,
		},
		CustomChecks: scan.CustomChecks{
			Terraform: &scan.TerraformCustomCheck{
				RequiredTypes:  []string{"data"},
				RequiredLabels: []string{"http"},
				Check: func(block *terraform.Block, module *terraform.Module) (results scan.Results) {
					attr := block.GetAttribute("url")
					if attr.IsNil() {
						return
					}
					for _, ref := range attr.AllReferences() {
						if ref.BlockType().Name() == "resource" && ref.TypeLabel() == "aws_ssm_parameter" {
							results.Add("Potential exfiltration of secret value detected", block)
						}
					}
					return
				},
			},
		},
		Severity: severity.Critical,
	},
	nil,
)
View Source
var CheckSecretUseCustomerKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0098",
		Provider:    providers.AWSProvider,
		Service:     "ssm",
		ShortCode:   "secret-use-customer-key",
		Summary:     "Secrets Manager should use customer managed keys",
		Impact:      "Using AWS managed keys reduces the flexibility and control over the encryption key",
		Resolution:  "Use customer managed keys",
		Explanation: `Secrets Manager encrypts secrets by default using a default key created by AWS. To ensure control and granularity of secret encryption, CMK's should be used explicitly.`,
		Links: []string{
			"https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html#asm-encrypt",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSecretUseCustomerKeyGoodExamples,
			BadExamples:         terraformSecretUseCustomerKeyBadExamples,
			Links:               terraformSecretUseCustomerKeyLinks,
			RemediationMarkdown: terraformSecretUseCustomerKeyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationSecretUseCustomerKeyGoodExamples,
			BadExamples:         cloudFormationSecretUseCustomerKeyBadExamples,
			Links:               cloudFormationSecretUseCustomerKeyLinks,
			RemediationMarkdown: cloudFormationSecretUseCustomerKeyRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, secret := range s.AWS.SSM.Secrets {
			if secret.KMSKeyID.IsEmpty() {
				results.Add(
					"Secret is not encrypted with a customer managed key.",
					secret.KMSKeyID,
				)
			} else if secret.KMSKeyID.EqualTo(ssm.DefaultKMSKeyID) {
				results.Add(
					"Secret explicitly uses the default key.",
					secret.KMSKeyID,
				)
			} else {
				results.AddPassed(&secret)
			}
		}
		return
	},
)

Functions

This section is empty.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL