terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk
semgrep
Author
unknown
Ensure the FSx Lustre file system is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Definition
rules:
  - id: aws-fsx-lustre-filesystem-encrypted-with-cmk
    patterns:
      - pattern: |
          resource "aws_fsx_lustre_file_system" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_fsx_lustre_file_system" $ANYTHING {
            ...
            kms_key_id = ...
            ...
          }
    message: Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs
      gives you control over the encryption key in terms of access and rotation.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING
Examples
aws-fsx-lustre-filesystem-encrypted-with-cmk.tf
resource "aws_fsx_lustre_file_system" "pass" {
  storage_capacity            = 1200
  subnet_ids                  = [aws_subnet.test1.id]
  deployment_type             = "PERSISTENT_1"
  per_unit_storage_throughput = 50
  kms_key_id                  = aws_kms_key.test1.arn
}

# ruleid: aws-fsx-lustre-filesystem-encrypted-with-cmk
resource "aws_fsx_lustre_file_system" "fail" {
  storage_capacity            = 1200
  subnet_ids                  = [aws_subnet.test1.id]
  deployment_type             = "PERSISTENT_1"
  per_unit_storage_throughput = 50
}
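The rule only checks that `kms_key_id` is set; the "access and rotation" benefit the message refers to comes from how the referenced key itself is defined. The following is an added example, not part of the Semgrep registry entry, showing the passing resource together with a customer-managed key that has automatic rotation enabled and a key policy that limits usage to one role and only through the FSx service. The resource names, `aws_subnet.test1` and `aws_iam_role.fsx_operator` are assumptions.

```hcl
# Added example (not from the Semgrep page); aws_subnet.test1 and aws_iam_role.fsx_operator are assumed.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "fsx_key" {
  # The account root keeps administrative control so the key can never become unmanageable.
  statement {
    sid       = "EnableKeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  # Only the operator role may use the key, and only when the call is made by FSx on its
  # behalf in this region (kms:ViaService), so the key cannot be used for anything else.
  statement {
    sid = "AllowUseViaFsx"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.fsx_operator.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["fsx.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "fsx_lustre" {
  description             = "CMK for FSx for Lustre data at rest"
  enable_key_rotation     = true # KMS rotates the key material automatically
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.fsx_key.json
}

resource "aws_fsx_lustre_file_system" "encrypted" {
  storage_capacity            = 1200
  subnet_ids                  = [aws_subnet.test1.id]
  deployment_type             = "PERSISTENT_1" # kms_key_id applies to PERSISTENT_* deployment types only
  per_unit_storage_throughput = 50
  kms_key_id                  = aws_kms_key.fsx_lustre.arn # satisfies the rule above
}
```

Note that SCRATCH deployment types always use the AWS-managed FSx key, so a `kms_key_id` on such a resource would silence this rule without changing which key protects the data.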
Short Link: https://sg.run/zJ6G