terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted

Author: semgrep

By default, an AWS DynamoDB table is encrypted using AWS-managed keys. For added security, it is recommended to configure your own AWS KMS encryption key to protect the data in the table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.


Definition

rules:
  - id: aws-dynamodb-table-unencrypted
    patterns:
      - pattern: |
          resource "aws_dynamodb_table" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_dynamodb_table" $ANYTHING {
            ...
            server_side_encryption {
              enabled = true
              kms_key_arn = ...
            }
            ...
          }
    message: By default, AWS DynamoDB Table is encrypted using AWS-managed keys.
      However, for added security, it's recommended to configure your own AWS
      KMS encryption key to protect your data in the DynamoDB table. You can
      either create a new aws_kms_key resource or use the ARN of an existing key
      in your AWS account to do so.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

aws-dynamodb-table-unencrypted.tf

# pass

resource "aws_dynamodb_table" "cmk" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }

  server_side_encryption {
    enabled     = true
    kms_key_arn = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }
}

# failure
# ruleid: aws-dynamodb-table-unencrypted
resource "aws_dynamodb_table" "default" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }
}
# ruleid: aws-dynamodb-table-unencrypted
resource "aws_dynamodb_table" "encrypted_false" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }

  server_side_encryption {
    enabled = false
  }
}

# ruleid: aws-dynamodb-table-unencrypted
resource "aws_dynamodb_table" "encrypted_no_cmk" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"
  range_key      = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }

  server_side_encryption {
    enabled = true
  }
}
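The following is an added remediation example, not part of the rule's own test file: it creates the customer-managed KMS key the description mentions and references its ARN from the table, which is the shape the rule's pattern-not-inside clause accepts. The resource names, the alias name and the key settings are assumptions chosen for this example.

```hcl
# Added example (not from the Semgrep rule's test file): customer-managed key
# plus a DynamoDB table that uses it. Names and settings are assumptions.

resource "aws_kms_key" "dynamodb" {
  description             = "CMK for the GameScores DynamoDB table"
  deletion_window_in_days = 30
  enable_key_rotation     = true # automatic yearly rotation of the key material
}

resource "aws_kms_alias" "dynamodb" {
  name          = "alias/gamescores-dynamodb"
  target_key_id = aws_kms_key.dynamodb.key_id
}

resource "aws_dynamodb_table" "game_scores" {
  name           = "GameScores"
  billing_mode   = "PROVISIONED"
  read_capacity  = 20
  write_capacity = 20
  hash_key       = "UserId"

  attribute {
    name = "UserId"
    type = "S"
  }

  # Both attributes are needed for the rule to treat the table as compliant.
  # With enabled = false DynamoDB uses an AWS-owned key; with enabled = true
  # and no kms_key_arn it uses the AWS-managed key aws/dynamodb, and the rule
  # flags both cases (see the "encrypted_false" and "encrypted_no_cmk" tests).
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn
  }
}
```

Running `semgrep --config r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted` against this file reports no finding; deleting the kms_key_arn line makes the table match the rule again.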