terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version

Author: unknown
Detected an AWS API Gateway custom domain name ("aws_api_gateway_domain_name" or "aws_apigatewayv2_domain_name") whose TLS security policy is not "TLS_1_2". To fix this issue, set "security_policy" equal to "TLS_1_2"; for "aws_apigatewayv2_domain_name" the attribute lives inside the "domain_name_configuration" block. Note that the rule only inspects "aws_api_gateway_domain_name" resources that carry a "security_policy" attribute: a REST API domain that omits the attribute entirely is not flagged, so pin the policy explicitly rather than relying on the provider default. For "aws_apigatewayv2_domain_name", any "domain_name_configuration" block without "security_policy = "TLS_1_2"" is flagged, including an empty one.

Definition

rules:
  - id: aws-insecure-api-gateway-tls-version
    patterns:
      - pattern-either:
          - pattern: |
              resource "aws_api_gateway_domain_name" $ANYTHING {
                  ...
                  security_policy = "..."
                  ...
              }
          - pattern: |
              resource "aws_apigatewayv2_domain_name" $ANYTHING {
                  ...
                  domain_name_configuration {...}
                  ...
              }
      - pattern-not: |
          resource "aws_api_gateway_domain_name" $ANYTHING {
                  ...
                  security_policy = "TLS_1_2"
                  ...
              }
      - pattern-not: |
          resource "aws_apigatewayv2_domain_name" $ANYTHING {
                  ...
                  domain_name_configuration {
                      ...
                      security_policy = "TLS_1_2"
                      ...
                  }
              }
    message: Detected AWS API Gateway to be using an insecure version of TLS. To fix
      this issue make sure to set "security_policy" equal to "TLS_1_2".
    languages:
      - terraform
    severity: WARNING
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      category: security
      technology:
        - aws
        - terraform
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

aws-insecure-api-gateway-tls-version.tf

# ruleid: aws-insecure-api-gateway-tls-version
resource "aws_api_gateway_domain_name" "badCode" {
  domain_name = "api.badCode.com"
  security_policy = "TLS_1_0"
}

# ruleid: aws-insecure-api-gateway-tls-version
resource "aws_apigatewayv2_domain_name" "badCode" {
  domain_name = "api.badCode.com"
  domain_name_configuration {}
}

# ok: aws-insecure-api-gateway-tls-version
resource "aws_api_gateway_domain_name" "okCode" {
  domain_name = "api.okCode.com"
  security_policy = "TLS_1_2"
}

# ok: aws-insecure-api-gateway-tls-version
resource "aws_apigatewayv2_domain_name" "okCode" {
  domain_name = "api.okCode.com"
  domain_name_configuration {
    security_policy = "TLS_1_2"
  }
}
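The check below is an added example, not Semgrep's code and not part of the rule above. It re-implements the rule's logic in plain Python over Terraform source so the matching behaviour can be inspected offline, and it goes one step further than the rule: it also reports an "aws_api_gateway_domain_name" resource that omits "security_policy" altogether (reason "missing"), which the Semgrep patterns above do not flag. The HCL handling is a deliberately small brace-matching approximation rather than a real parser; it assumes well-formed, brace-balanced blocks and no braces inside string values. The sample Terraform embedded in it is constructed for the example.

```python
"""Stand-alone checker mirroring the aws-insecure-api-gateway-tls-version rule.

Added example, not Semgrep's code.  Scans Terraform source for the two
API Gateway custom-domain resource types and reports every resource whose
TLS security policy is not TLS_1_2.  Beyond the Semgrep rule, a resource
with no security_policy attribute at all is reported with reason "missing".
Parsing is a regex plus brace matching, which is an assumption that the
input is well-formed HCL without braces inside string values.
"""
import re

RESOURCE_TYPES = ("aws_api_gateway_domain_name", "aws_apigatewayv2_domain_name")
RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[a-z0-9_]+)"\s+"(?P<name>[^"]+)"\s*\{')
POLICY_RE = re.compile(r'security_policy\s*=\s*"(?P<value>[^"]*)"')
REQUIRED_POLICY = "TLS_1_2"


def _block_body(src, open_brace):
    """Return the text between src[open_brace] ('{') and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_insecure_tls(src):
    """Return [(resource_type, resource_name, reason)] for offending resources.

    reason is the non-TLS_1_2 value that was found, or "missing" when no
    security_policy attribute appears anywhere in the resource body (top
    level for REST APIs, inside domain_name_configuration for HTTP APIs).
    Resources of other types are ignored.
    """
    findings = []
    for m in RESOURCE_RE.finditer(src):
        if m.group("type") not in RESOURCE_TYPES:
            continue
        body = _block_body(src, m.end() - 1)  # m.end() - 1 is the opening brace
        policy = POLICY_RE.search(body)
        if policy is None:
            findings.append((m.group("type"), m.group("name"), "missing"))
        elif policy.group("value") != REQUIRED_POLICY:
            findings.append((m.group("type"), m.group("name"), policy.group("value")))
    return findings


# Constructed sample input for the example; not from a real deployment.
SAMPLE_TF = '''
resource "aws_api_gateway_domain_name" "legacy" {
  domain_name     = "legacy.example.com"
  security_policy = "TLS_1_0"
}

resource "aws_api_gateway_domain_name" "unpinned" {
  domain_name = "unpinned.example.com"
}

resource "aws_apigatewayv2_domain_name" "http_api" {
  domain_name = "http.example.com"
  domain_name_configuration {
    certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/example"
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
  }
}

resource "aws_s3_bucket" "unrelated" {
  bucket = "not-a-domain-name"
}
'''

if __name__ == "__main__":
    for rtype, name, reason in find_insecure_tls(SAMPLE_TF):
        print(f'{rtype}.{name}: security_policy {reason!r} (expected "{REQUIRED_POLICY}")')
```

Against the sample, "legacy" is reported for TLS_1_0 and "unpinned" for the missing attribute, while the HTTP API domain and the unrelated bucket produce nothing. To run the real rule instead, use the registry reference: semgrep --config r/terraform.aws.security.aws-insecure-api-gateway-tls-version <path>.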