terraform.aws.security.aws-athena-client-can-disable-workgroup-encryption.aws-athena-client-can-disable-workgroup-encryption

The Athena workgroup configuration can be overridden by client-side settings when `enforce_workgroup_configuration` is `false`: a client submitting a query can then replace or drop the result-set encryption settings defined in the workgroup. Set `enforce_workgroup_configuration = true` so the workgroup's configuration, including its encryption configuration, takes precedence over client overrides.

Definition

rules:
  - id: aws-athena-client-can-disable-workgroup-encryption
    patterns:
      - pattern: |
          resource "aws_athena_workgroup" $ANYTHING {
            ...
            configuration {
              ...
              enforce_workgroup_configuration = false
              ...
              result_configuration {
                ...
                encryption_configuration {
                  ...
                }
                ...
              }
              ...
            }
            ...
          }
    message: The Athena workgroup configuration can be overridden by client-side
      settings. The client can make changes to disable encryption settings.
      Enforce the configuration to prevent client overrides.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

aws-athena-client-can-disable-workgroup-encryption.tf

# ruleid: aws-athena-client-can-disable-workgroup-encryption
resource "aws_athena_workgroup" "fail" {
  name = "example"

  configuration {
    enforce_workgroup_configuration    = false
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}

# ok: aws-athena-client-can-disable-workgroup-encryption
resource "aws_athena_workgroup" "pass_with_no_encryption" {
  name = "example"
}

# ok: aws-athena-client-can-disable-workgroup-encryption
resource "aws_athena_workgroup" "pass_with_encryption_1" {
  name = "example"

  configuration {
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}

# ok: aws-athena-client-can-disable-workgroup-encryption
resource "aws_athena_workgroup" "pass_with_encryption_2" {
  name = "example"

  configuration {
    enforce_workgroup_configuration    = true
    publish_cloudwatch_metrics_enabled = true

    result_configuration {
      output_location = "s3://${aws_s3_bucket.example.bucket}/output/"

      encryption_configuration {
        encryption_option = "SSE_KMS"
        kms_key_arn       = aws_kms_key.example.arn
      }
    }
  }
}
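The Semgrep rule above catches the misconfiguration in Terraform source; the same condition can be checked against deployed workgroups to catch drift or resources created outside Terraform. The following is an added example, not part of the Semgrep rule or the Terraform provider. It applies the rule's logic (encryption configured but enforcement disabled) to objects shaped like the `WorkGroup` member of the Athena `GetWorkGroup` API response; the sample workgroups and KMS key ARN are constructed to mirror the rule's test cases, and a missing `EnforceWorkGroupConfiguration` is treated as enforced, matching the `pass_with_encryption_1` case.

```python
"""Flag Athena workgroups whose encryption settings clients can override.

Runtime counterpart of the Semgrep rule: a workgroup is reported when its
result configuration defines an EncryptionConfiguration but
EnforceWorkGroupConfiguration is False, so a client-side setting can
replace or drop the encryption. Input follows the shape of the Athena
GetWorkGroup response; the sample below is constructed, not captured.
"""
from typing import Any, Dict, List, Optional

Finding = Dict[str, Any]


def audit_workgroup(wg: Dict[str, Any]) -> Optional[Finding]:
    """Return a finding for one workgroup, or None when it is compliant."""
    cfg = wg.get("Configuration") or {}
    result_cfg = cfg.get("ResultConfiguration") or {}
    enc = result_cfg.get("EncryptionConfiguration")
    # Absent attribute is treated as enforced (the provider default), which
    # mirrors the "pass_with_encryption_1" test case of the rule.
    enforced = cfg.get("EnforceWorkGroupConfiguration", True)
    if enc is None or enforced:
        return None  # nothing to override, or overrides are blocked
    return {
        "workgroup": wg.get("Name", "<unnamed>"),
        "encryption_option": enc.get("EncryptionOption"),
        "kms_key": enc.get("KmsKey"),
        "remediation": "set EnforceWorkGroupConfiguration=true "
                       "(enforce_workgroup_configuration = true in Terraform)",
    }


def audit_workgroups(workgroups: List[Dict[str, Any]]) -> List[Finding]:
    """Audit a list of GetWorkGroup 'WorkGroup' objects; return all findings."""
    return [f for f in (audit_workgroup(wg) for wg in workgroups) if f]


# Constructed sample mirroring the rule's three test cases (not real data).
SAMPLE_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
SAMPLE_WORKGROUPS = [
    {"Name": "fail", "Configuration": {
        "EnforceWorkGroupConfiguration": False,
        "ResultConfiguration": {
            "OutputLocation": "s3://example-bucket/output/",
            "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS",
                                        "KmsKey": SAMPLE_KMS_KEY}}}},
    {"Name": "pass_with_no_encryption", "Configuration": {}},
    {"Name": "pass_with_encryption_2", "Configuration": {
        "EnforceWorkGroupConfiguration": True,
        "ResultConfiguration": {
            "EncryptionConfiguration": {"EncryptionOption": "SSE_KMS",
                                        "KmsKey": SAMPLE_KMS_KEY}}}},
]

if __name__ == "__main__":
    for finding in audit_workgroups(SAMPLE_WORKGROUPS):
        print(finding)
```

In a live audit, feed the function the `WorkGroup` object returned by `boto3.client("athena").get_work_group(WorkGroup=name)` for each name listed by `list_work_groups`.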