terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions
semgrep
Author: unknown
The AWS Config configuration aggregator does not aggregate all AWS Config regions. Configuration changes in regions that are assumed to be unused may then go unmonitored. Configure the aggregation source with all_regions set to true instead of an explicit region list.
Definition
rules:
  - id: aws-config-aggregator-not-all-regions
    pattern-either:
      - pattern: |
          resource "aws_config_configuration_aggregator" $ANYTHING {
            ...
            account_aggregation_source {
              ...
              regions = ...
              ...
            }
            ...
          }
      - pattern: |
          resource "aws_config_configuration_aggregator" $ANYTHING {
            ...
            organization_aggregation_source {
              ...
              regions = ...
              ...
            }
            ...
          }
    message: The AWS configuration aggregator does not aggregate all AWS Config
      region. This may result in unmonitored configuration in regions that are
      thought to be unused. Configure the aggregator with all_regions for the
      source.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      cwe:
        - "CWE-778: Insufficient Logging"
      references:
        - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insufficient Logging
Examples
aws-config-aggregator-not-all-regions.tf
# ok: aws-config-aggregator-not-all-regions
resource "aws_config_configuration_aggregator" "pass_1" {
  name = "example"
  account_aggregation_source {
    account_ids = ["123456789012"]
    # Covers every region, including ones enabled later.
    all_regions = true
  }
}

# ok: aws-config-aggregator-not-all-regions
resource "aws_config_configuration_aggregator" "pass_2" {
  name = "example"
  organization_aggregation_source {
    # organization_aggregation_source takes role_arn (required), not account_ids;
    # the ARN below is a placeholder built from the sample account id.
    role_arn    = "arn:aws:iam::123456789012:role/example"
    all_regions = true
  }
}

# ruleid: aws-config-aggregator-not-all-regions
resource "aws_config_configuration_aggregator" "fail_1" {
  name = "example"
  account_aggregation_source {
    account_ids = ["123456789012"]
    # Explicit region list: any other region is left unmonitored.
    regions = ["us-west-2", "eu-west-1"]
  }
}

# ruleid: aws-config-aggregator-not-all-regions
resource "aws_config_configuration_aggregator" "fail_2" {
  name = "example"
  organization_aggregation_source {
    role_arn = "arn:aws:iam::123456789012:role/example"
    # Explicit region list: any other region is left unmonitored.
    regions = ["us-west-2", "eu-west-1"]
  }
}
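The Semgrep rule only sees aggregators declared in Terraform. As an added example that is not part of the rule or the Semgrep registry, the following Python applies the same check to the aggregators an account actually has, working on the shape returned by AWS Config's DescribeConfigurationAggregators API (`AccountAggregationSources` with `AllAwsRegions`/`AwsRegions`, and an optional `OrganizationAggregationSource`). The embedded response and the role ARN are constructed; the boto3 call is an optional helper that is not needed to run the check offline.

```python
from typing import Any

# Constructed sample in the shape of AWS Config's DescribeConfigurationAggregators response.
SAMPLE_RESPONSE: dict[str, Any] = {"ConfigurationAggregators": [
    {"ConfigurationAggregatorName": "pass_1",  # all regions: the rule's "ok" case
     "AccountAggregationSources": [{"AccountIds": ["123456789012"], "AllAwsRegions": True}]},
    {"ConfigurationAggregatorName": "fail_1",  # explicit region list: the rule's "ruleid" case
     "AccountAggregationSources": [{"AccountIds": ["123456789012"], "AllAwsRegions": False,
                                    "AwsRegions": ["us-west-2", "eu-west-1"]}]},
    {"ConfigurationAggregatorName": "fail_2",  # organization source with a region list
     "OrganizationAggregationSource": {"RoleArn": "arn:aws:iam::123456789012:role/example",
                                       "AllAwsRegions": False, "AwsRegions": ["us-west-2"]}},
]}


def partial_region_sources(aggregator: dict[str, Any]) -> list[str]:
    """Describe each source of one aggregator that does not cover all regions."""
    findings = []
    # Account sources are a list; each one carries its own AllAwsRegions flag.
    for src in aggregator.get("AccountAggregationSources", []):
        if not src.get("AllAwsRegions", False):
            findings.append(f"accounts {src.get('AccountIds', [])} limited to {src.get('AwsRegions', [])}")
    # The organization source is a single optional block.
    org = aggregator.get("OrganizationAggregationSource")
    if org is not None and not org.get("AllAwsRegions", False):
        findings.append(f"organization source limited to {org.get('AwsRegions', [])}")
    return findings


def aggregators_not_all_regions(response: dict[str, Any]) -> dict[str, list[str]]:
    """Map aggregator name -> findings for aggregators that leave regions unmonitored."""
    result: dict[str, list[str]] = {}
    for agg in response.get("ConfigurationAggregators", []):
        findings = partial_region_sources(agg)
        if findings:
            result[agg["ConfigurationAggregatorName"]] = findings
    return result


def fetch_live(region_name: str = "us-east-1") -> dict[str, Any]:
    """Optional: read the real aggregators with boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported lazily so the offline check has no dependency on it
    return boto3.client("config", region_name=region_name).describe_configuration_aggregators()


if __name__ == "__main__":
    for name, findings in aggregators_not_all_regions(SAMPLE_RESPONSE).items():
        print(f"{name}: " + "; ".join(findings))
```

Aggregators are regional resources, so a complete review calls fetch_live once per region where aggregators may have been created.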
Short Link: https://sg.run/O6A7