terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled
Ensure all Elasticsearch domains have node-to-node encryption enabled.
Definition
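rules:
  - id: aws-elasticsearch-nodetonode-encryption-not-enabled
    # Scope: only the legacy aws_elasticsearch_domain resource is inspected.
    # The aws_opensearch_domain resource carries the same node_to_node_encryption
    # block but is NOT covered by this rule.
    patterns:
      - pattern-either:
          # Case 1: node-to-node encryption is explicitly switched off.
          # This alternative is reported on its own; it does not bind $COUNT,
          # so the instance-count comparison is deliberately kept out of it
          # (the previous layout applied the comparison to both alternatives,
          # which left Case 1 dependent on how an unbound $COUNT is evaluated).
          - pattern: |
              resource "aws_elasticsearch_domain" $ANYTHING {
                ...
                node_to_node_encryption {
                  ...
                  enabled = false
                  ...
                }
                ...
              }
          # Case 2: a multi-node cluster whose encryption setting is left to
          # the default, i.e. no node_to_node_encryption { enabled = true }
          # block anywhere in the resource (see pattern-not-inside below).
          - patterns:
              - pattern: |
                  resource "aws_elasticsearch_domain" $ANYTHING {
                    ...
                    cluster_config {
                      ...
                      instance_count = $COUNT
                      ...
                    }
                    ...
                  }
              # A single-node domain has no inter-node traffic to protect, so
              # the "block absent" case only fires for more than one instance.
              - metavariable-comparison:
                  metavariable: $COUNT
                  comparison: $COUNT > 1
      # Exclude any domain that explicitly enables node-to-node encryption,
      # wherever the block appears inside the resource. The previous form
      # required node_to_node_encryption to directly follow cluster_config,
      # which produced false positives when another block sat between them or
      # the two blocks were written in the opposite order.
      - pattern-not-inside: |
          resource "aws_elasticsearch_domain" $ANYTHING {
            ...
            node_to_node_encryption {
              ...
              enabled = true
              ...
            }
            ...
          }
    # Trailing "\t" dropped from the message: it was emitted verbatim into
    # every finding.
    message: "Ensure all Elasticsearch has node-to-node encryption enabled."
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING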
Examples
aws-elasticsearch-nodetonode-encryption.tf
# pass
# No cluster_config block at all: neither of the rule's positive patterns
# (an explicit `enabled = false`, or an `instance_count` inside cluster_config)
# can match, so nothing is reported.
resource "aws_elasticsearch_domain" "without_cluster_config" {
  domain_name = "without_cluster_config"
}

# cluster_config is present but empty: there is no instance_count attribute
# to bind $COUNT, so the `$COUNT > 1` branch never fires.
resource "aws_elasticsearch_domain" "without_instance_count" {
  domain_name = "without_instance_count"
  cluster_config {}
}

# Single-node domain: $COUNT binds to 1, the comparison `$COUNT > 1` fails,
# so the missing node_to_node_encryption block is accepted.
resource "aws_elasticsearch_domain" "instance_count_not_bigger_than_1" {
  domain_name = "instance_count_not_bigger_than_1"
  cluster_config {
    instance_count = 1 // a value <= 1, so no node-to-node traffic to protect
  }
}

# Multi-node domain that explicitly enables node-to-node encryption: the
# rule's pattern-not-inside clause excludes it.
resource "aws_elasticsearch_domain" "node_to_node_encryption_enabled" {
  domain_name = "node_to_node_encryption_enabled"
  cluster_config {
    instance_count = 2 // a value > 1
  }
  node_to_node_encryption {
    enabled = true
  }
}

# Legacy attribute-style syntax (`cluster_config = { ... }`) instead of nested
# blocks. The rule's patterns are written for block syntax, so this form is
# not matched and the fixture records it as a pass.
resource "aws_elasticsearch_domain" "old_hcl" {
  domain_name = "old_hcl"
  cluster_config = {
    instance_count = 2
  }
  node_to_node_encryption = {
    enabled = true
  }
}

# fail
# Multi-node domain that explicitly disables node-to-node encryption.
# ruleid: aws-elasticsearch-nodetonode-encryption-not-enabled
resource "aws_elasticsearch_domain" "node_to_node_encryption_disabled" {
  domain_name = "node_to_node_encryption_disabled"
  cluster_config {
    instance_count = 2 // a value > 1
  }
  node_to_node_encryption {
    enabled = false
  }
}

# Multi-node domain with no node_to_node_encryption block at all; the rule
# treats an absent block as "not enabled".
# ruleid: aws-elasticsearch-nodetonode-encryption-not-enabled
resource "aws_elasticsearch_domain" "node_to_node_encryption_doesnt_exist" {
  domain_name = "node_to_node_encryption_doesnt_exist"
  cluster_config {
    instance_count = 2 // a value > 1
  }
}

# unknown
# instance_count is a string, so `$COUNT > 1` is not a numeric comparison;
# the fixture deliberately leaves the expected outcome unannotated.
resource "aws_elasticsearch_domain" "instance_count_not_number" {
  domain_name = "instance_count_not_number"
  cluster_config {
    instance_count = "not_int"
  }
}