terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted

semgrep

Author

unknown

Download Count*

License

The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: aws-backup-vault-unencrypted
    patterns:
      - pattern-not-inside: |
          resource "aws_backup_vault" $BACKUP {
            ...
            kms_key_arn = ...
            ...
          }
      - pattern: resource "aws_backup_vault" $BACKUP {...}
    message: The AWS Backup vault is unencrypted. The AWS KMS encryption key
      protects backups in the Backup vault. To create your own, create a
      aws_kms_key resource or use the ARN string of a key in your account.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

aws-backup-vault-unencrypted.tf

# ruleid: aws-backup-vault-unencrypted
resource "aws_backup_vault" "backup" {
    name = "example_backup_vault"
}

# ok: aws-backup-vault-unencrypted
resource "aws_backup_vault" "backup_with_kms_key" {
    name = "example_backup_vault"
    kms_key_arn = aws_kms_key.example.arn
}

Short Link: https://sg.run/18yw