terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version
semgrep
Author
unknown
Download Count*
License
Detected AWS API Gateway to be using an insecure version of TLS. To fix this issue make sure to set "security_policy" equal to "TLS_1_2".
Run Locally
Run in CI
Defintion
rules:
- id: aws-insecure-api-gateway-tls-version
patterns:
- pattern-either:
- pattern: |
resource "aws_api_gateway_domain_name" $ANYTHING {
...
security_policy = "..."
...
}
- pattern: |
resource "aws_apigatewayv2_domain_name" $ANYTHING {
...
domain_name_configuration {...}
...
}
- pattern-not: |
resource "aws_api_gateway_domain_name" $ANYTHING {
...
security_policy = "TLS_1_2"
...
}
- pattern-not: |
resource "aws_apigatewayv2_domain_name" $ANYTHING {
...
domain_name_configuration {
...
security_policy = "TLS_1_2"
...
}
}
message: Detected AWS API Gateway to be using an insecure version of TLS. To fix
this issue make sure to set "security_policy" equal to "TLS_1_2".
languages:
- terraform
severity: WARNING
metadata:
cwe:
- "CWE-326: Inadequate Encryption Strength"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
category: security
technology:
- aws
- terraform
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
Examples
aws-insecure-api-gateway-tls-version.tf
# ruleid: aws-insecure-api-gateway-tls-version
resource "aws_api_gateway_domain_name" "badCode" {
domain_name = "api.badCode.com"
security_policy = "TLS_1_0"
}
# ruleid: aws-insecure-api-gateway-tls-version
resource "aws_apigatewayv2_domain_name" "badCode" {
domain_name = "api.badCode.com"
domain_name_configuration {}
}
# ok: aws-insecure-api-gateway-tls-version
resource "aws_api_gateway_domain_name" "okCode" {
domain_name = "api.okCode.com"
security_policy = "TLS_1_2"
}
# ok: aws-insecure-api-gateway-tls-version
resource "aws_apigatewayv2_domain_name" "okCode" {
domain_name = "api.okCode.com"
domain_name_configuration {
security_policy = "TLS_1_2"
}
}
Short Link: https://sg.run/p98J