terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk

Author: semgrep
Ensure the AWS Redshift cluster is encrypted at rest using a KMS customer-managed key (CMK). A CMK gives you control over the encryption key in terms of access (via the key policy) and rotation. A cluster with `encrypted = true` but no `kms_key_id` is still encrypted, but with the AWS-managed `aws/redshift` key, whose policy and rotation schedule you cannot change.


Definition

rules:
  - id: aws-redshift-cluster-encrypted-with-cmk
    patterns:
      - pattern: |
          resource "aws_redshift_cluster" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_redshift_cluster" $ANYTHING {
            ...
            kms_key_id = ...
            ...
          }
    message: Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs
      give you control over the encryption key in terms of access and rotation.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

aws-redshift-cluster-encrypted-with-cmk.tf

resource "aws_redshift_cluster" "pass" {
  cluster_identifier                  = "examplea"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  master_username                     = "foo_test"
  master_password                     = "Mustbe8characters"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  encrypted                           = true
  kms_key_id                          = aws_kms_key.test.arn
}
# ruleid: aws-redshift-cluster-encrypted-with-cmk
resource "aws_redshift_cluster" "fail" {
  cluster_identifier                  = "examplea"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  master_username                     = "foo_test"
  master_password                     = "Mustbe8characters"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  encrypted                           = true
}
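The page's pass example references `aws_kms_key.test` without defining it. The following configuration is an added example, not part of the Semgrep rule or its test file, showing what the "access and rotation" control the rule message refers to actually looks like in Terraform: a customer-managed key with automatic rotation enabled, a key policy that limits key use to Redshift in this account, and a cluster that references that key. The resource names (`aws_kms_key.redshift`, `aws_redshift_cluster.secure`), the alias name and the `master_password` variable are assumptions for illustration.

```hcl
# Added example (not the rule's own test code): Redshift cluster encrypted at rest
# with a customer-managed KMS key whose access and rotation are controlled here.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
data "aws_availability_zones" "available" {}

variable "master_password" {
  type      = string
  sensitive = true # keep the admin password out of the .tf files and the plan output
}

resource "aws_kms_key" "redshift" {
  description             = "CMK for Redshift cluster encryption at rest"
  enable_key_rotation     = true # KMS rotates the key material automatically every year
  deletion_window_in_days = 30

  # Key policy (the "access" half of the rule message): the account root keeps
  # administrative control, while encrypt/decrypt use is restricted to calls made
  # through the Redshift service in this region (kms:ViaService condition).
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableKeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowRedshiftUseOfTheKey"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*"
        Condition = {
          StringEquals = {
            "kms:ViaService" = "redshift.${data.aws_region.current.name}.amazonaws.com"
          }
        }
      }
    ]
  })
}

# Alias name is an assumption; it only makes the key easier to find in the console/CLI.
resource "aws_kms_alias" "redshift" {
  name          = "alias/redshift-cluster"
  target_key_id = aws_kms_key.redshift.key_id
}

resource "aws_redshift_cluster" "secure" {
  cluster_identifier                  = "example-secure"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  master_username                     = "foo_test"
  master_password                     = var.master_password
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true

  # Both settings are needed: the AWS provider documents that kms_key_id requires
  # encrypted = true. Passing the CMK ARN is what satisfies this Semgrep rule.
  encrypted  = true
  kms_key_id = aws_kms_key.redshift.arn
}
```

Two caveats when reading the rule's findings. First, the `pattern-not-inside` clause only checks that a `kms_key_id` attribute is present; it does not check that the value is a customer-managed key rather than, for example, an AWS-managed key ARN, so a passing result still deserves a look at what the attribute points to. Second, the rule fires on any `aws_redshift_cluster` without `kms_key_id`, including one with `encrypted = false` or no `encrypted` attribute at all; in that case the finding is correct but understates the problem, since the cluster is not encrypted at rest with any key.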