terraform.aws.security.aws-ec2-security-group-rule-missing-description.aws-ec2-security-group-rule-missing-description
The AWS security group rule is missing a description, or its description is empty or the default value. Security group rules should include a meaningful description in order to simplify auditing, debugging, and managing security groups. The rule also treats the literal "Managed by Terraform" as a missing description: that is the value the AWS provider fills in when `description` is omitted on an `aws_security_group`, so it carries no information about why the rule exists.
Definition
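rules:
  - id: aws-ec2-security-group-rule-missing-description
    # A description counts as missing in two independent situations, each
    # handled by its own branch of the top-level pattern-either:
    #   (1) the attribute exists but is empty, whitespace-only, or still the
    #       provider default "Managed by Terraform" -- the finding is focused
    #       on the offending literal ($DESCR);
    #   (2) the attribute is absent -- the finding covers the whole resource.
    patterns:
      - pattern-either:
          # ---- (1) description present but meaningless -------------------
          - patterns:
              - pattern-either:
                  # description inside an inline ingress/egress block
                  - patterns:
                      - pattern-inside: |
                          resource "aws_security_group" $ANYTHING {
                            ...
                            $INGRESS {
                              ...
                              description = $DESCR
                              ...
                            }
                            ...
                          }
                      - metavariable-regex:
                          metavariable: $INGRESS
                          regex: ^(ingress|egress)$
                  # top-level description of a group or of a standalone rule
                  - patterns:
                      - pattern-inside: |
                          resource "$SECGROUP" $ANYTHING {
                            ...
                            description = $DESCR
                            ...
                          }
                      - metavariable-regex:
                          metavariable: $SECGROUP
                          regex: ^(aws_security_group_rule|aws_security_group)$
              # $DESCR is bound to the quoted literal, hence the ['\"]
              # delimiters. \s* between the quotes also rejects whitespace-only
              # strings such as "  ", which are no more useful for auditing
              # than "".
              - metavariable-regex:
                  metavariable: $DESCR
                  regex: ^(['\"]\s*['\"]|['\"]Managed by Terraform['\"])$
              - focus-metavariable: $DESCR
          # ---- (2a) inline ingress/egress block with no description -------
          - patterns:
              - metavariable-regex:
                  metavariable: $INGRESS
                  regex: ^(ingress|egress)$
              - pattern: |
                  resource "aws_security_group" $ANYTHING {
                    ...
                    $INGRESS {
                      ...
                    }
                    ...
                  }
              # NOTE(review): this pattern-not is satisfied as soon as one
              # block of the same kind carries a description, so a group with
              # two ingress blocks of which only one is described appears not
              # to be reported by this branch -- confirm with a fixture before
              # relying on it.
              - pattern-not: |
                  resource "aws_security_group" $ANYTHING {
                    ...
                    $INGRESS {
                      ...
                      description = ...
                      ...
                    }
                    ...
                  }
          # ---- (2b) group or standalone rule with no top-level description
          - patterns:
              - metavariable-regex:
                  metavariable: $SECGROUP
                  regex: ^(aws_security_group_rule|aws_security_group)$
              - pattern: |
                  resource "$SECGROUP" $ANYTHING {
                    ...
                  }
              - pattern-not: |
                  resource "$SECGROUP" $ANYTHING {
                    ...
                    description = ...
                    ...
                  }
    message: The AWS security group rule is missing a description, or its
      description is empty or the default value. Security groups rules should
      include a meaningful description in order to simplify auditing, debugging,
      and managing security groups.
    languages:
      - hcl
    severity: INFO
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      cwe:
        - "CWE-223: Omission of Security-relevant Information"
      references:
        - https://shisho.dev/dojo/providers/aws/Amazon_EC2/aws-security-group/#:~:text=Ensure%20to%20keep%20the%20description%20of%20your%20security%20group%20up%2Dto%2Ddate
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description
        - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other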
Examples
aws-ec2-security-group-rule-missing-description.tf
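# Fixtures for aws-ec2-security-group-rule-missing-description.
#
# Naming: every fail_* resource is expected to produce a finding, every pass_*
# resource must stay clean; names are unique and match the annotated outcome.
# The "# ruleid:" / "# ok:" comments are read by `semgrep --test` and must sit
# on the line directly above the reported line: the resource header when the
# whole resource is reported (attribute absent), the description line when the
# rule focuses on an empty or default literal.

# Inline ingress block with no description attribute at all.
# ruleid: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "fail_1" {
  name        = "http"
  description = "Allow inbound HTTP traffic"
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Inline egress block with no description attribute at all.
# ruleid: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "fail_2" {
  name        = "http"
  description = "Allow outbound HTTP traffic"
  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Standalone rule resource with no description attribute.
# ruleid: aws-ec2-security-group-rule-missing-description
resource "aws_security_group_rule" "fail_3" {
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  security_group_id = "sg-123456"
}

# Inline ingress block whose description is the empty string.
resource "aws_security_group" "fail_4" {
  name        = "http"
  description = "Allow inbound HTTP traffic"
  ingress {
    # ruleid: aws-ec2-security-group-rule-missing-description
    description = ""
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Inline egress block whose description is the empty string.
resource "aws_security_group" "fail_5" {
  name        = "http"
  description = "Allow outbound HTTP traffic"
  egress {
    # ruleid: aws-ec2-security-group-rule-missing-description
    description = ""
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Standalone rule resource whose description is the empty string.
resource "aws_security_group_rule" "fail_6" {
  # ruleid: aws-ec2-security-group-rule-missing-description
  description       = ""
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  security_group_id = "sg-123456"
}

# Group-level description left at the provider default; the ingress block
# itself is fine, so only the group description is reported.
resource "aws_security_group" "fail_7" {
  name = "http"
  # ruleid: aws-ec2-security-group-rule-missing-description
  description = "Managed by Terraform"
  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Inline ingress block whose description is the provider default.
resource "aws_security_group" "fail_8" {
  name        = "http"
  description = "Something"
  ingress {
    # ruleid: aws-ec2-security-group-rule-missing-description
    description = "Managed by Terraform"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Inline egress block whose description is the provider default.
resource "aws_security_group" "fail_9" {
  name        = "http"
  description = "HTTP to VPC"
  egress {
    # ruleid: aws-ec2-security-group-rule-missing-description
    description = "Managed by Terraform"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Standalone rule resource whose description is the provider default.
resource "aws_security_group_rule" "fail_10" {
  # ruleid: aws-ec2-security-group-rule-missing-description
  description       = "Managed by Terraform"
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  security_group_id = "sg-123456"
}

# Group and inline ingress block both carry meaningful descriptions.
# ok: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "pass_1" {
  name        = "http"
  description = "Allow inbound HTTP traffic"
  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Group and inline egress block both carry meaningful descriptions.
# ok: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "pass_2" {
  name        = "http"
  description = "Allow outbound HTTP traffic"
  egress {
    description = "HTTP to VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Standalone rule resource with a meaningful description.
# ok: aws-ec2-security-group-rule-missing-description
resource "aws_security_group_rule" "pass_3" {
  description       = "Allow outbound HTTP traffic"
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  security_group_id = "sg-123456"
}

# Group with no top-level description attribute (the ingress block is fine).
# ruleid: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "fail_11" {
  name = "http"
  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Group whose top-level description is the empty string.
resource "aws_security_group" "fail_12" {
  name = "http"
  # ruleid: aws-ec2-security-group-rule-missing-description
  description = ""
  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Fully described group; kept as a second clean control case.
# ok: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "pass_4" {
  name        = "http"
  description = "Allow inbound HTTP traffic"
  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}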