terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions

Author
unknown

The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.

Definition

rules:
  - id: aws-config-aggregator-not-all-regions
    pattern-either:
      - pattern: |
          resource "aws_config_configuration_aggregator" $ANYTHING {
            ...
            account_aggregation_source {
              ...
              regions = ...
              ...
            }
            ...
          }
      - pattern: |
          resource "aws_config_configuration_aggregator" $ANYTHING {
            ...
            organization_aggregation_source {
              ...
              regions = ...
              ...
            }
            ...
          }
    message: The AWS configuration aggregator does not aggregate all AWS Config
      regions. This may result in unmonitored configuration in regions that are
      thought to be unused. Configure the aggregator with all_regions for the
      source.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      cwe:
        - "CWE-778: Insufficient Logging"
      references:
        - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insufficient Logging

Examples

aws-config-aggregator-not-all-regions.tf

# ok: aws-config-aggregator-not-all-regions
resource "aws_config_configuration_aggregator" "pass_1" {
   name = "example"

   account_aggregation_source {
     account_ids = ["123456789012"]
     all_regions = true
   }
}

# ok: aws-config-aggregator-not-all-regions
resource "aws_config_configuration_aggregator" "pass_2" {
   name = "example"

   # An organization source takes a role_arn (example value) rather than account_ids.
   organization_aggregation_source {
     role_arn    = "arn:aws:iam::123456789012:role/example"
     all_regions = true
   }
}

# ruleid: aws-config-aggregator-not-all-regions
resource "aws_config_configuration_aggregator" "fail_1" {
   name = "example"

   account_aggregation_source {
     account_ids = ["123456789012"]
     regions     = ["us-west-2", "eu-west-1"]
   }
}

# ruleid: aws-config-aggregator-not-all-regions
resource "aws_config_configuration_aggregator" "fail_2" {
   name = "example"

   # An organization source takes a role_arn (example value) rather than account_ids.
   organization_aggregation_source {
     role_arn = "arn:aws:iam::123456789012:role/example"
     regions  = ["us-west-2", "eu-west-1"]
   }
}
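The rule above catches a partial-region aggregator in Terraform source before it is applied. Aggregators created by hand or by other tooling never pass through Semgrep, so the same check is worth running against the live ConfigService API. The following is an added example, not part of the Semgrep rule or its test file; it assumes the response shape of boto3's `describe_configuration_aggregators` and uses a constructed sample response so it runs offline.

```python
"""Flag AWS Config aggregators whose sources do not cover all regions.

Added example (not Semgrep's code). Mirrors the rule's two patterns,
account_aggregation_source and organization_aggregation_source, against
the live API response instead of HCL.
"""


def find_partial_aggregators(aggregators):
    """Return (aggregator_name, source_kind, regions) for each source that
    is not set to all regions. A missing AllAwsRegions key is treated as
    False, since the API only guarantees the key when it was set."""
    findings = []
    for agg in aggregators:
        name = agg["ConfigurationAggregatorName"]
        for src in agg.get("AccountAggregationSources", []):
            if not src.get("AllAwsRegions", False):
                findings.append((name, "account_aggregation_source",
                                 tuple(src.get("AwsRegions", []))))
        org = agg.get("OrganizationAggregationSource")
        if org and not org.get("AllAwsRegions", False):
            findings.append((name, "organization_aggregation_source",
                             tuple(org.get("AwsRegions", []))))
    return findings


def audit_live_account(region_name="us-east-1"):
    """Fetch every aggregator (following NextToken) and audit it.
    Needs boto3 and AWS credentials; not exercised offline."""
    import boto3  # imported here so the pure check above runs without it
    client = boto3.client("config", region_name=region_name)
    aggregators, kwargs = [], {}
    while True:
        resp = client.describe_configuration_aggregators(**kwargs)
        aggregators.extend(resp["ConfigurationAggregators"])
        if not resp.get("NextToken"):
            break
        kwargs["NextToken"] = resp["NextToken"]
    return find_partial_aggregators(aggregators)


# Constructed sample response shaped like the real API output; it reuses the
# account id and regions from the rule's Terraform examples.
SAMPLE_AGGREGATORS = [
    {"ConfigurationAggregatorName": "pass_1",
     "AccountAggregationSources": [{"AccountIds": ["123456789012"], "AllAwsRegions": True}]},
    {"ConfigurationAggregatorName": "fail_1",
     "AccountAggregationSources": [{"AccountIds": ["123456789012"],
                                    "AwsRegions": ["us-west-2", "eu-west-1"]}]},
    {"ConfigurationAggregatorName": "fail_2",
     "OrganizationAggregationSource": {"RoleArn": "arn:aws:iam::123456789012:role/example",
                                       "AllAwsRegions": False,
                                       "AwsRegions": ["us-west-2", "eu-west-1"]}},
]

if __name__ == "__main__":
    for name, kind, regions in find_partial_aggregators(SAMPLE_AGGREGATORS):
        print(f"{name}: {kind} limited to {', '.join(regions) or '(none)'}")
```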