terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk

Author
unknown

Ensure the EBS snapshot is encrypted at rest using a KMS customer managed key (CMK). CMKs give you control over the encryption key in terms of access and rotation.

Definition

rules:
  - id: aws-ebs-snapshot-encrypted-with-cmk
    patterns:
      - pattern: |
          resource "aws_ebs_snapshot_copy" $ANYTHING {
            ...
            encrypted = true
            ...
          }
      - pattern-not-inside: |
          resource "aws_ebs_snapshot_copy" $ANYTHING {
            ...
            encrypted = true
            kms_key_id = ...
            ...
          }
    message: Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you
      control over the encryption key in terms of access and rotation.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

aws-ebs-snapshot-encrypted-with-cmk.tf

resource "aws_ebs_snapshot_copy" "pass" {
  source_snapshot_id = aws_ebs_snapshot.test.id
  source_region      = data.aws_region.current.name
  encrypted          = true
  kms_key_id         = aws_kms_key.test.arn

  tags = {
    Name = "testAccEBSSnapshotCopyWithKMSConfig"
  }
}
# ruleid: aws-ebs-snapshot-encrypted-with-cmk
resource "aws_ebs_snapshot_copy" "fail" {
  source_snapshot_id = aws_ebs_snapshot.test.id
  source_region      = data.aws_region.current.name
  encrypted          = true

  tags = {
    Name = "testAccEBSSnapshotCopyWithKMSConfig"
  }
}
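The rule message talks about controlling access and rotation, which is only possible when the snapshot copy references a key you manage; with `encrypted = true` alone, AWS falls back to the account's AWS managed EBS key. The following is an added example, not part of the rule's test file, showing a customer managed key with rotation enabled and an explicit key policy wired into a snapshot copy that the rule accepts; the `aws_ebs_snapshot.source` reference and all resource names are assumptions.

```hcl
# Added example (hypothetical names). Assumes an existing aws_ebs_snapshot.source.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Customer managed key: rotation and access are under the account's control,
# unlike the default aws/ebs managed key that is used when kms_key_id is omitted.
resource "aws_kms_key" "ebs_snapshots" {
  description             = "CMK for EBS snapshot copies"
  deletion_window_in_days = 30
  enable_key_rotation     = true # automatic rotation of the key material

  # Explicit key policy: only the account root administers the key here; add
  # statements for the roles that need kms:Encrypt/kms:Decrypt rather than "*".
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "EnableRootKeyAdministration"
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      Action    = "kms:*"
      Resource  = "*"
    }]
  })
}

resource "aws_kms_alias" "ebs_snapshots" {
  name          = "alias/ebs-snapshots"
  target_key_id = aws_kms_key.ebs_snapshots.key_id
}

# Not flagged: encrypted = true and kms_key_id both present, so the
# pattern-not-inside clause of the rule matches and suppresses the finding.
resource "aws_ebs_snapshot_copy" "with_cmk" {
  source_snapshot_id = aws_ebs_snapshot.source.id
  source_region      = data.aws_region.current.name
  encrypted          = true
  kms_key_id         = aws_kms_key.ebs_snapshots.arn
}
```

Note that the rule as written only inspects `aws_ebs_snapshot_copy` blocks, so key usage on the original volumes and snapshots must be checked separately.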