terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version
semgrep
Author: unknown
Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set "tls_security_policy" equal to "Policy-Min-TLS-1-2-2019-07".
Definition
rules:
  - id: aws-elasticsearch-insecure-tls-version
    pattern: |
      resource "aws_elasticsearch_domain" $ANYTHING {
        ...
        domain_endpoint_options {
          ...
          enforce_https = true
          tls_security_policy = "Policy-Min-TLS-1-0-2019-07"
          ...
        }
        ...
      }
    message: >-
      Detected an AWS Elasticsearch domain using an insecure version of TLS.
      To fix this, set "tls_security_policy" equal to
      "Policy-Min-TLS-1-2-2019-07".
    languages:
      - terraform
    severity: WARNING
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      category: security
      technology:
        - aws
        - terraform
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-elasticsearch-insecure-tls-version.tf
# ruleid: aws-elasticsearch-insecure-tls-version
resource "aws_elasticsearch_domain" "badCode" {
  domain_name = "badCode"
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-0-2019-07"
  }
}

# ok
resource "aws_elasticsearch_domain" "okCode" {
  domain_name = "okCode"
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
}
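As an added example (not part of the Semgrep rule or of this registry page), the following Python scanner applies the same check to raw Terraform text with a simple brace-matching parser instead of Semgrep's HCL engine. It goes one step beyond the rule's pattern: a domain that omits `domain_endpoint_options` (or omits `tls_security_policy` inside it) is also reported, on the assumption that such a domain inherits the AWS default endpoint policy, which has been `Policy-Min-TLS-1-0-2019-07`. The resource named `noOptions` and the `SAMPLE_TF` text are constructed for the demonstration.

```python
import re

# Policies this check treats as acceptable (minimum TLS 1.2), per the rule message.
SECURE_POLICIES = {"Policy-Min-TLS-1-2-2019-07"}

RESOURCE_RE = re.compile(r'resource\s+"aws_elasticsearch_domain"\s+"([^"]+)"\s*\{')
OPTIONS_RE = re.compile(r'domain_endpoint_options\s*\{')
POLICY_RE = re.compile(r'tls_security_policy\s*=\s*"([^"]*)"')


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform text")


def find_insecure_domains(tf_text):
    """Return [(resource_name, policy)] for every aws_elasticsearch_domain that is
    not pinned to a TLS 1.2 policy. policy is None when no explicit value is set,
    which (assumption) means the AWS default Policy-Min-TLS-1-0-2019-07 applies."""
    findings = []
    for res in RESOURCE_RE.finditer(tf_text):
        name = res.group(1)
        body = _block_body(tf_text, res.end() - 1)   # res.end()-1 is the '{'
        opts = OPTIONS_RE.search(body)
        policy = None
        if opts is not None:
            pol = POLICY_RE.search(_block_body(body, opts.end() - 1))
            policy = pol.group(1) if pol else None
        if policy not in SECURE_POLICIES:
            findings.append((name, policy))
    return findings


# Constructed sample: the page's two resources plus one with no endpoint options.
SAMPLE_TF = '''
resource "aws_elasticsearch_domain" "badCode" {
  domain_name = "badCode"
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-0-2019-07"
  }
}
resource "aws_elasticsearch_domain" "okCode" {
  domain_name = "okCode"
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
}
resource "aws_elasticsearch_domain" "noOptions" {
  domain_name = "noOptions"
}
'''

if __name__ == "__main__":
    for name, policy in find_insecure_domains(SAMPLE_TF):
        print(f"{name}: tls_security_policy={policy or '<unset, AWS default>'}")
```

Note that the Semgrep pattern above only matches when `enforce_https = true` is present alongside the TLS 1.0 policy; this scanner deliberately ignores `enforce_https` so that an unset or TLS 1.0 policy is reported regardless.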
Short Link: https://sg.run/PYlq