Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckAlbNotPublic = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0053", Provider: providers.AWSProvider, Service: "elb", ShortCode: "alb-not-public", Summary: "Load balancer is exposed to the internet.", Impact: "The load balancer is exposed on the internet", Resolution: "Switch to an internal load balancer or add a terrasec ignore", Explanation: `There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformAlbNotPublicGoodExamples, BadExamples: terraformAlbNotPublicBadExamples, Links: terraformAlbNotPublicLinks, RemediationMarkdown: terraformAlbNotPublicRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, lb := range s.AWS.ELB.LoadBalancers { if lb.Metadata.IsUnmanaged() || lb.Type.EqualTo(elb.TypeGateway) { continue } if lb.Internal.IsFalse() { results.Add( "Load balancer is exposed publicly.", lb.Internal, ) } else { results.AddPassed(&lb) } } return }, )
View Source
var CheckDropInvalidHeaders = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0052", Provider: providers.AWSProvider, Service: "elb", ShortCode: "drop-invalid-headers", Summary: "Load balancers should drop invalid headers", Impact: "Invalid headers being passed through to the target of the load balance may exploit vulnerabilities", Resolution: "Set drop_invalid_header_fields to true", Explanation: `Passing unknown or invalid headers through to the target poses a potential risk of compromise. By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.`, Links: []string{ "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformDropInvalidHeadersGoodExamples, BadExamples: terraformDropInvalidHeadersBadExamples, Links: terraformDropInvalidHeadersLinks, RemediationMarkdown: terraformDropInvalidHeadersRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, lb := range s.AWS.ELB.LoadBalancers { if lb.Metadata.IsUnmanaged() || !lb.Type.EqualTo(elb.TypeApplication) || lb.Metadata.IsUnmanaged() { continue } if lb.DropInvalidHeaderFields.IsFalse() { results.Add( "Application load balancer is not set to drop invalid headers.", lb.DropInvalidHeaderFields, ) } else { results.AddPassed(&lb) } } return }, )
View Source
var CheckHttpNotUsed = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0054", Provider: providers.AWSProvider, Service: "elb", ShortCode: "http-not-used", Summary: "Use of plain HTTP.", Impact: "Your traffic is not protected", Resolution: "Switch to HTTPS to benefit from TLS security features", Explanation: `Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth. You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.`, Links: []string{ "https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformHttpNotUsedGoodExamples, BadExamples: terraformHttpNotUsedBadExamples, Links: terraformHttpNotUsedLinks, RemediationMarkdown: terraformHttpNotUsedRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, lb := range s.AWS.ELB.LoadBalancers { if !lb.Type.EqualTo(elb.TypeApplication) { continue } for _, listener := range lb.Listeners { if !listener.Protocol.EqualTo("HTTP") { results.AddPassed(&listener) continue } var hasRedirect bool for _, action := range listener.DefaultActions { if action.Type.EqualTo("redirect") { hasRedirect = true break } } if hasRedirect { results.AddPassed(&listener) break } results.Add( "Listener for application load balancer does not use HTTPS.", listener.Protocol, ) } } return }, )
View Source
var CheckUseSecureTlsPolicy = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0047", Provider: providers.AWSProvider, Service: "elb", ShortCode: "use-secure-tls-policy", Summary: "An outdated SSL policy is in use by a load balancer.", Impact: "The SSL policy is outdated and has known vulnerabilities", Resolution: "Use a more recent TLS/SSL policy for the load balancer", Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`, Links: []string{}, Terraform: &scan.EngineMetadata{ GoodExamples: terraformUseSecureTlsPolicyGoodExamples, BadExamples: terraformUseSecureTlsPolicyBadExamples, Links: terraformUseSecureTlsPolicyLinks, RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, lb := range s.AWS.ELB.LoadBalancers { for _, listener := range lb.Listeners { for _, outdated := range outdatedSSLPolicies { if listener.TLSPolicy.EqualTo(outdated) { results.Add( "Listener uses an outdated TLS policy.", listener.TLSPolicy, ) } else { results.AddPassed(&listener) } } } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
Click to show internal directories.
Click to hide internal directories.