terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your require_ssl to "true".

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: aws-insecure-redshift-ssl-configuration
    patterns:
      - pattern: |
          resource "aws_redshift_parameter_group" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_redshift_parameter_group" $ANYTHING {
            ...
            parameter {
              name  = "require_ssl"
              value = "true"
            }
            ...
          }
      - pattern-not-inside: |
          resource "aws_redshift_parameter_group" $ANYTHING {
            ...
            parameter {
              name  = "require_ssl"
              value = true
            }
            ...
          }
    message: Detected an AWS Redshift configuration with a SSL disabled. To fix
      this, set your `require_ssl` to `"true"`.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

aws-insecure-redshift-ssl-configuration.tf

# ruleid: aws-insecure-redshift-ssl-configuration
resource "aws_redshift_parameter_group" "failasfalse" {
  name   = var.param_group_name
  family = "redshift-1.0"

  parameter {
    name  = "require_ssl"
    value = "false"
  }

  parameter {
    name  = "enable_user_activity_logging"
    value = "true"
  }
}

# ruleid: aws-insecure-redshift-ssl-configuration
resource "aws_redshift_parameter_group" "fail" {
  name   = var.param_group_name
  family = "redshift-1.0"

}


resource "aws_redshift_parameter_group" "pass" {
  name   = var.param_group_name
  family = "redshift-1.0"

  parameter {
    name  = "require_ssl"
    value = "true"
  }

  parameter {
    name  = "enable_user_activity_logging"
    value = "true"
  }
}

resource "aws_redshift_parameter_group" "passbutbool" {
  name   = var.param_group_name
  family = "redshift-1.0"

  parameter {
    name  = "require_ssl"
    value = true
  }

  parameter {
    name  = "enable_user_activity_logging"
    value = "true"
  }
}