terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled

Ensure all Elasticsearch has node-to-node encryption enabled.

Definition

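rules:
  - id: aws-elasticsearch-nodetonode-encryption-not-enabled
    # Flags an aws_elasticsearch_domain in either of two shapes:
    #   1. a node_to_node_encryption block that explicitly sets enabled = false;
    #   2. a cluster_config block whose instance_count is greater than 1 (see the
    #      metavariable-comparison below) with no node_to_node_encryption block
    #      setting enabled = true (see the pattern-not-inside below).
    # All three patterns are written for HCL block syntax (`cluster_config { ... }`);
    # the attribute form `cluster_config = { ... }` is not matched by them.
    patterns:
      - pattern-either:
          # Shape 1: encryption explicitly disabled, whatever the node count.
          - pattern: |
              resource "aws_elasticsearch_domain" $ANYTHING {
                ...
                node_to_node_encryption {
                  ...
                  enabled = false
                  ...
                }
                ...
              }
          # Shape 2: binds $COUNT for the comparison below. Only this branch
          # binds $COUNT. NOTE(review): confirm how the comparison behaves when
          # the first branch matches and $COUNT is unbound.
          - pattern: |
              resource "aws_elasticsearch_domain" $ANYTHING {
                ...
                cluster_config {
                  ...
                  instance_count = $COUNT
                  ...
                }
              }
      # Excludes a domain that pairs its cluster_config with an explicit
      # enabled = true. NOTE(review): the two blocks are listed in a fixed order
      # with no `...` between them; confirm that a domain declaring
      # node_to_node_encryption before cluster_config, or with other attributes
      # between the two blocks, is still excluded.
      - pattern-not-inside: |
          resource "aws_elasticsearch_domain" $ANYTHING {
            ...
            cluster_config {
              ...
              instance_count = $COUNT
              ...
            }
            node_to_node_encryption {
              ...
              enabled = true
              ...
            }
          }
      # Node-to-node encryption only matters for multi-node clusters.
      - metavariable-comparison:
          metavariable: $COUNT
          comparison: $COUNT > 1
    # The stray trailing `\t` in the original message is dropped; it was part of
    # the emitted finding text.
    message: "Ensure all Elasticsearch has node-to-node encryption enabled."
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING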

Examples

aws-elasticsearch-nodetonode-encryption.tf

# pass
resource "aws_elasticsearch_domain" "without_cluster_config" {
  # Neither rule pattern applies: there is no cluster_config block (so no
  # instance_count to bind $COUNT) and no node_to_node_encryption block.
  domain_name           = "without_cluster_config"
}

resource "aws_elasticsearch_domain" "without_instance_count" {
  domain_name           = "without_instance_count"

  # An empty cluster_config has no instance_count, so the rule's
  # `instance_count = $COUNT` pattern cannot bind $COUNT.
  cluster_config {}
}

resource "aws_elasticsearch_domain" "instance_count_not_bigger_than_1" {
  domain_name           = "instance_count_not_bigger_than_1"

  cluster_config {
    # $COUNT binds to 1, which fails the rule's `$COUNT > 1` comparison.
    instance_count = 1 // a value <= 1
  }
}

resource "aws_elasticsearch_domain" "node_to_node_encryption_enabled" {
  domain_name           = "node_to_node_encryption_enabled"

  # instance_count > 1 matches the rule's second pattern, but the
  # pattern-not-inside clause excludes a domain that also sets enabled = true.
  cluster_config {
    instance_count = 2 // a value > 1
  }

  # NOTE(review): the exclusion pattern lists cluster_config before
  # node_to_node_encryption; confirm that the reverse order is also excluded.
  node_to_node_encryption {
    enabled = true
  }
}

resource "aws_elasticsearch_domain" "old_hcl" {
  domain_name           = "old_hcl"

  # Attribute syntax (`cluster_config = { ... }`) rather than block syntax; the
  # rule's patterns are written as `cluster_config { ... }` and do not match it.
  cluster_config = {
    instance_count = 2
  }

  # NOTE(review): because the match is purely syntactic, an attribute-style
  # domain with enabled = false would presumably also go unflagged — confirm
  # whether that detection gap matters for the codebases being scanned.
  node_to_node_encryption = {
    enabled = true
  }
}

# fail
# ruleid: aws-elasticsearch-nodetonode-encryption-not-enabled
resource "aws_elasticsearch_domain" "node_to_node_encryption_disabled" {
  domain_name           = "node_to_node_encryption_disabled"

  cluster_config {
    instance_count = 2 // a value > 1
  }

  # Matches the rule's first pattern: node-to-node encryption explicitly off.
  # The pattern-not-inside exclusion requires enabled = true, so it does not apply.
  node_to_node_encryption {
    enabled = false
  }
}
# ruleid: aws-elasticsearch-nodetonode-encryption-not-enabled
resource "aws_elasticsearch_domain" "node_to_node_encryption_doesnt_exist" {
  domain_name           = "node_to_node_encryption_doesnt_exist"

  # Matches the rule's second pattern: a multi-node cluster (instance_count > 1)
  # with no node_to_node_encryption block at all, so nothing triggers the
  # pattern-not-inside exclusion.
  cluster_config {
    instance_count = 2 // a value > 1
  }
}

# unknown
resource "aws_elasticsearch_domain" "instance_count_not_number" {
  domain_name           = "instance_count_not_number"

  cluster_config {
    # $COUNT binds to a string here; the fixture does not pin whether the
    # rule's `$COUNT > 1` comparison matches, hence "unknown" rather than
    # pass/fail.
    instance_count = "not_int"
  }
}