terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted
semgrep
Author
unknown
Download Count*
License
The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
Run Locally
Run in CI
Defintion
rules:
- id: aws-backup-vault-unencrypted
patterns:
- pattern-not-inside: |
resource "aws_backup_vault" $BACKUP {
...
kms_key_arn = ...
...
}
- pattern: resource "aws_backup_vault" $BACKUP {...}
message: The AWS Backup vault is unencrypted. The AWS KMS encryption key
protects backups in the Backup vault. To create your own, create a
aws_kms_key resource or use the ARN string of a key in your account.
languages:
- hcl
severity: WARNING
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
cwe:
- "CWE-320: CWE CATEGORY: Key Management Errors"
technology:
- aws
- terraform
category: security
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
Examples
aws-backup-vault-unencrypted.tf
# ruleid: aws-backup-vault-unencrypted
resource "aws_backup_vault" "backup" {
name = "example_backup_vault"
}
# ok: aws-backup-vault-unencrypted
resource "aws_backup_vault" "backup_with_kms_key" {
name = "example_backup_vault"
kms_key_arn = aws_kms_key.example.arn
}
Short Link: https://sg.run/18yw