terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted
semgrep
Author: unknown
By default, an AWS DynamoDB table is encrypted at rest using AWS-managed keys. For added security, it is recommended to configure your own AWS KMS encryption key to protect the data in the table. You can either create a new aws_kms_key resource or reference the ARN of an existing key in your AWS account.
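As an added example (not part of the Semgrep rule or its test fixture), the following Terraform creates a customer-managed KMS key and a DynamoDB table that references it, which satisfies the rule's pattern-not-inside clause. The key alias, table name, attribute names and the key policy are assumptions; the `...` in the rule's `kms_key_arn = ...` clause matches any expression, so a resource reference such as `aws_kms_key.dynamodb.arn` satisfies it just as a literal ARN does. A commented alternative shows how to reference an existing key through a data source instead.

```hcl
# Added example, not the Semgrep rule's own fixture. Names and the key
# policy are assumptions; adjust them to your account.

data "aws_caller_identity" "current" {}

# Customer-managed key with automatic rotation. The policy below keeps the
# account root as key administrator; in a real deployment, grant
# kms:Encrypt/kms:Decrypt only to the principals that access the table.
resource "aws_kms_key" "dynamodb" {
  description             = "CMK for the GameScores DynamoDB table"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableRootAccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      }
    ]
  })
}

# Alias name is an assumption; it only makes the key easier to find.
resource "aws_kms_alias" "dynamodb" {
  name          = "alias/gamescores-dynamodb"
  target_key_id = aws_kms_key.dynamodb.key_id
}

# Alternative when the key already exists in the account: look it up by
# alias or key ID and use data.aws_kms_key.existing.arn below instead.
# data "aws_kms_key" "existing" {
#   key_id = "alias/gamescores-dynamodb"
# }

resource "aws_dynamodb_table" "game_scores" {
  name         = "GameScores"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "UserId"
  range_key    = "GameTitle"

  attribute {
    name = "UserId"
    type = "S"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }

  # Both enabled = true and kms_key_arn must be present; enabled = true on
  # its own still uses the AWS-managed key and is flagged by the rule.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn
  }

  point_in_time_recovery {
    enabled = true
  }
}
```

Running `semgrep --config r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted` against this file produces no finding, while removing the `kms_key_arn` line brings the WARNING back.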
Definition
rules:
  - id: aws-dynamodb-table-unencrypted
    patterns:
      - pattern: |
          resource "aws_dynamodb_table" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_dynamodb_table" $ANYTHING {
            ...
            server_side_encryption {
              enabled = true
              kms_key_arn = ...
            }
            ...
          }
    message: By default, AWS DynamoDB Table is encrypted using AWS-managed keys.
      However, for added security, it's recommended to configure your own AWS
      KMS encryption key to protect your data in the DynamoDB table. You can
      either create a new aws_kms_key resource or use the ARN of an existing key
      in your AWS account to do so.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-dynamodb-table-unencrypted.tf
# pass
resource "aws_dynamodb_table" "cmk" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }

  server_side_encryption {
    enabled     = true
    kms_key_arn = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }
}

# failure
# ruleid: aws-dynamodb-table-unencrypted
resource "aws_dynamodb_table" "default" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }
}

# ruleid: aws-dynamodb-table-unencrypted
resource "aws_dynamodb_table" "encrypted_false" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }

  server_side_encryption {
    enabled = false
  }
}

# ruleid: aws-dynamodb-table-unencrypted
resource "aws_dynamodb_table" "encrypted_no_cmk" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }

  # enabled = true without kms_key_arn still uses the AWS-managed key
  server_side_encryption {
    enabled = true
  }
}
Short Link: https://sg.run/Ay4p