terraform.aws.security.aws-ec2-security-group-rule-missing-description.aws-ec2-security-group-rule-missing-description

The AWS security group rule is missing a description, or its description is empty or the default value. Security group rules should include a meaningful description in order to simplify auditing, debugging, and managing security groups.

Definition

rules:
  - id: aws-ec2-security-group-rule-missing-description
    # Three alternatives, any one of which produces a finding:
    #   1. a `description` attribute exists but its value is "" or the
    #      default text "Managed by Terraform" (either on an ingress/egress
    #      block inside aws_security_group, or on the resource itself);
    #   2. an ingress/egress block inside aws_security_group has no
    #      `description` attribute at all;
    #   3. an aws_security_group or aws_security_group_rule resource has no
    #      `description` attribute at all.
    # NOTE(review): the $SECGROUP regex only lists aws_security_group and
    # aws_security_group_rule; the newer per-rule resources
    # aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule
    # are not covered — confirm whether they should be.
    patterns:
      - pattern-either:
          # --- 1. description present but empty or default -----------------
          - patterns:
              - pattern-either:
                  # 1a. description inside an ingress or egress block
                  - patterns:
                      - pattern-inside: |
                          resource "aws_security_group" $ANYTHING {
                            ...
                            $INGRESS {
                              ...
                              description = $DESCR
                              ...
                            }
                            ...
                          }
                      - metavariable-regex:
                          metavariable: $INGRESS
                          regex: ^(ingress|egress)$
                  # 1b. resource-level description on either resource type
                  - patterns:
                      - pattern-inside: |
                          resource "$SECGROUP" $ANYTHING {
                            ...
                            description = $DESCR
                            ...
                          }
                      - metavariable-regex:
                          metavariable: $SECGROUP
                          regex: ^(aws_security_group_rule|aws_security_group)$
              # Plain (unquoted) YAML scalar, so the backslashes are literal:
              # the class ['\"] accepts ', \ or " as the quote character.
              # Only the exact empty string and the exact default text are
              # matched; a whitespace-only value such as "  " is not caught,
              # and a non-literal value (e.g. a variable reference) never
              # matches this regex and so is treated as a present description.
              - metavariable-regex:
                  metavariable: $DESCR
                  regex: ^(['\"]['\"]|['\"]Managed by Terraform['\"])$
              # Report on the description value itself rather than the whole
              # resource, so the finding points at the line to change.
              - focus-metavariable: $DESCR
          # --- 2. ingress/egress block with no description at all -----------
          - patterns:
              - metavariable-regex:
                  metavariable: $INGRESS
                  regex: ^(ingress|egress)$
              - pattern: |
                  resource "aws_security_group" $ANYTHING {
                    ...
                    $INGRESS {
                      ...
                    }
                    ...
                  }
              # Exclude blocks that carry any description; branch 1 decides
              # whether that description is acceptable.
              - pattern-not: |
                  resource "aws_security_group" $ANYTHING {
                    ...
                    $INGRESS {
                      ...
                      description = ...
                      ...
                    }
                    ...
                  }
          # --- 3. resource with no description at all -----------------------
          - patterns:
              - metavariable-regex:
                  metavariable: $SECGROUP
                  regex: ^(aws_security_group_rule|aws_security_group)$
              - pattern: |
                  resource "$SECGROUP" $ANYTHING {
                    ...
                  }
              - pattern-not: |
                  resource "$SECGROUP" $ANYTHING {
                    ...
                    description = ...
                    ...
                  }
    message: The AWS security group rule is missing a description, or its
      description is empty or the default value.  Security groups rules should
      include a meaningful description in order to simplify auditing, debugging,
      and managing security groups.
    languages:
      - hcl
    # INFO: a missing description weakens auditability of the rule set but
    # does not by itself widen network exposure.
    severity: INFO
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      cwe:
        - "CWE-223: Omission of Security-relevant Information"
      references:
        - https://shisho.dev/dojo/providers/aws/Amazon_EC2/aws-security-group/#:~:text=Ensure%20to%20keep%20the%20description%20of%20your%20security%20group%20up%2Dto%2Ddate
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description
        - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other

Examples

aws-ec2-security-group-rule-missing-description.tf

# Negative case: the ingress block carries no description attribute at all
# (rule branch "ingress/egress block without description"). The resource-level
# description is present and meaningful; only the nested block is at fault.
# ruleid: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "fail_1" {
  name        = "http"
  description = "Allow inbound HTTP traffic"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Negative case: same as fail_1 but for an egress block — no description
# attribute inside the block, while the resource itself is described.
# ruleid: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "fail_2" {
  name        = "http"
  description = "Allow outbound HTTP traffic"

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Negative case: a standalone aws_security_group_rule with no description
# attribute at all (rule branch "resource without description").
# security_group_id is a placeholder value for the fixture.
# ruleid: aws-ec2-security-group-rule-missing-description
resource "aws_security_group_rule" "fail_3" {
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  security_group_id = "sg-123456"
}

# Negative case: the ingress block has a description attribute, but it is the
# empty string. The rule focuses on the description value, so the finding is
# expected on that line rather than on the resource header.
resource "aws_security_group" "fail_4" {
  name        = "http"
  description = "Allow inbound HTTP traffic"

  ingress {
    # ruleid: aws-ec2-security-group-rule-missing-description
    description = ""
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Negative case: empty-string description on an egress block; the finding is
# expected on the description line itself.
resource "aws_security_group" "fail_5" {
  name        = "http"
  description = "Allow outbound HTTP traffic"

  egress {
    # ruleid: aws-ec2-security-group-rule-missing-description
    description = ""
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Negative case: empty-string description on a standalone rule resource
# (resource-level variant of the "empty or default value" branch).
resource "aws_security_group_rule" "fail_6" {
  # ruleid: aws-ec2-security-group-rule-missing-description
  description       = ""
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  security_group_id = "sg-123456"
}

# Negative case despite the label: the resource-level description is the
# default text "Managed by Terraform", which the rule treats as missing.
# The ingress block's description is fine and should not be reported.
# NOTE(review): this block is named pass_1 but is annotated as a finding,
# and the same label is reused by other blocks in this fixture — consider
# renaming to fail_* to keep the fixture self-explanatory.
resource "aws_security_group" "pass_1" {
  name        = "http"
  # ruleid: aws-ec2-security-group-rule-missing-description
  description = "Managed by Terraform"

  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Negative case despite the label: the ingress block's description is the
# default text "Managed by Terraform". The resource-level description is
# non-empty and non-default, so only the nested block should be reported.
resource "aws_security_group" "pass_1" {
  name        = "http"
  description = "Something"

  ingress {
    # ruleid: aws-ec2-security-group-rule-missing-description
    description = "Managed by Terraform"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Negative case despite the label: default-text description on an egress
# block; the finding is expected on the description line.
resource "aws_security_group" "pass_2" {
  name        = "http"
  description = "HTTP to VPC"

  egress {
    # ruleid: aws-ec2-security-group-rule-missing-description
    description = "Managed by Terraform"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Negative case despite the label: a standalone rule resource whose
# description is the default text "Managed by Terraform".
resource "aws_security_group_rule" "pass_3" {
  # ruleid: aws-ec2-security-group-rule-missing-description
  description       = "Managed by Terraform"
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  security_group_id = "sg-123456"
}

# Positive case: both the resource and its ingress block carry a non-empty,
# non-default description, so no branch of the rule matches.
# ok: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "pass_1" {
  name        = "http"
  description = "Allow inbound HTTP traffic"

  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Positive case: resource and egress block are both meaningfully described.
# ok: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "pass_2" {
  name        = "http"
  description = "Allow outbound HTTP traffic"

  egress {
    description = "HTTP to VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Positive case: standalone rule resource with a meaningful description.
# ok: aws-ec2-security-group-rule-missing-description
resource "aws_security_group_rule" "pass_3" {
  description       = "Allow outbound HTTP traffic"
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  security_group_id = "sg-123456"
}

# Negative case: the resource itself has no description attribute at all
# (rule branch "resource without description"), even though its ingress
# block is described. The finding is expected on the resource header.
# ruleid: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "fail_1" {
  name = "http"

  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Negative case: the resource-level description is the empty string; the
# ingress block is described correctly and should not be reported.
resource "aws_security_group" "fail_2" {
  name        = "http"
  # ruleid: aws-ec2-security-group-rule-missing-description
  description = ""

  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Positive case: meaningful descriptions at both the resource and block level.
# ok: aws-ec2-security-group-rule-missing-description
resource "aws_security_group" "pass" {
  name        = "http"
  description = "Allow inbound HTTP traffic"

  ingress {
    description = "HTTP from VPC"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}