terraform.aws.best-practice.aws-qldb-inadequate-ledger-permissions-mode.aws-qldb-inadequate-ledger-permissions-mode

Author: semgrep
The AWS QLDB ledger's permissions mode is too permissive. With permissions_mode = "ALLOW_ALL", any principal that holds qldb:SendCommand on the ledger can run any PartiQL statement against any table in it. Use "STANDARD" where possible: that mode additionally requires the matching qldb:PartiQL* action (for example qldb:PartiQLSelect) on each table the principal touches, so access can be scoped per table with IAM. Note that the rule only matches the literal string "ALLOW_ALL"; a value passed in through a variable or local is not flagged.


Definition

rules:
  - id: aws-qldb-inadequate-ledger-permissions-mode
    patterns:
      - pattern: |
          resource "aws_qldb_ledger" $ANYTHING {
            ...
            permissions_mode = "ALLOW_ALL"
            ...
          }
    message: The AWS QLDB ledger permissions mode is too permissive. Consider using
      the "STANDARD" permissions mode if possible.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: best-practice
      technology:
        - terraform
        - aws
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

aws-qldb-inadequate-ledger-permissions-mode.tf

# pass

resource "aws_qldb_ledger" "standard" {
  name             = "ledger"
  permissions_mode = "STANDARD"
}

# failure
# ruleid: aws-qldb-inadequate-ledger-permissions-mode
resource "aws_qldb_ledger" "allow_all" {
  name             = "ledger"
  permissions_mode = "ALLOW_ALL"
}
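As an added example (not part of the rule's test file above), the following shows what the passing configuration looks like once it is actually usable: a ledger in STANDARD mode together with the least-privilege IAM policy a read-only consumer needs under that mode. The ledger name "orders" and the policy name are placeholders; the statements reflect how STANDARD mode authorizes PartiQL, namely qldb:SendCommand on the ledger plus the specific qldb:PartiQL* action on table-level resources.

```hcl
# Added example, not part of the Semgrep rule or its test file.
# Names are placeholders; adjust to your environment.

resource "aws_qldb_ledger" "orders" {
  name                = "orders"
  permissions_mode    = "STANDARD" # passes the rule above
  deletion_protection = true
}

# In STANDARD mode every PartiQL statement needs two grants:
#   1. qldb:SendCommand on the ledger (opens the session), and
#   2. the matching qldb:PartiQL* action on the table(s) it touches.
# Under ALLOW_ALL grant 1 alone would have been enough to run anything.
data "aws_iam_policy_document" "orders_reader" {
  statement {
    sid       = "OpenSessionOnLedger"
    actions   = ["qldb:SendCommand"]
    resources = [aws_qldb_ledger.orders.arn]
  }

  statement {
    sid     = "SelectOnAllTables"
    actions = ["qldb:PartiQLSelect"]
    # Table-level ARNs are keyed by table ID, not table name; the wildcard
    # covers every table in this ledger. Narrow it to
    # "${ledger_arn}/table/<table-id>" to restrict to specific tables.
    resources = ["${aws_qldb_ledger.orders.arn}/table/*"]
  }

  statement {
    sid     = "ListTables"
    actions = ["qldb:PartiQLSelect"]
    # Needed for "SELECT * FROM information_schema.user_tables", which is
    # how clients discover table IDs.
    resources = ["${aws_qldb_ledger.orders.arn}/information_schema/user_tables"]
  }
}

resource "aws_iam_policy" "orders_reader" {
  name   = "qldb-orders-reader"
  policy = data.aws_iam_policy_document.orders_reader.json
}
```

A writer role would add qldb:PartiQLInsert, qldb:PartiQLUpdate and qldb:PartiQLDelete on the same table resources; schema changes (qldb:PartiQLCreateTable, qldb:PartiQLCreateIndex, qldb:PartiQLDropTable) can then be kept on a separate, more tightly held role, which is the separation that ALLOW_ALL makes impossible.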