terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk
semgrep
Ensure the AWS Redshift cluster is encrypted at rest using a KMS customer-managed key (CMK). CMKs give you control over the encryption key, in particular over who can use it and how it is rotated.
Definition
rules:
  - id: aws-redshift-cluster-encrypted-with-cmk
    patterns:
      - pattern: |
          resource "aws_redshift_cluster" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_redshift_cluster" $ANYTHING {
            ...
            kms_key_id = ...
            ...
          }
    message: Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs
      gives you control over the encryption key in terms of access and rotation.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING
Examples
aws-redshift-cluster-encrypted-with-cmk.tf
# Passes: encryption is enabled and a customer-managed KMS key is supplied
resource "aws_redshift_cluster" "pass" {
  cluster_identifier                  = "examplea"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  master_username                     = "foo_test"
  master_password                     = "Mustbe8characters"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  encrypted                           = true
  kms_key_id                          = aws_kms_key.test.arn
}

# Fails: encrypted = true without kms_key_id falls back to the AWS-managed key
# ruleid: aws-redshift-cluster-encrypted-with-cmk
resource "aws_redshift_cluster" "fail" {
  cluster_identifier                  = "examplea"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  master_username                     = "foo_test"
  master_password                     = "Mustbe8characters"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  encrypted                           = true
}
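The following is an added example, not part of the rule or of Semgrep: a small Python stand-in for the rule's logic, run over constructed HCL that mirrors the pass and fail blocks above. It also flags a third, constructed shape that the `pattern-not-inside` clause alone accepts: `kms_key_id` present but `encrypted` not set to `true`, which the AWS provider documentation says is not a valid combination. The regex block parser is an assumption that handles only one-line attributes and a closing brace at column 0, which is enough for the shapes on this page.

```python
import re

# Constructed sample: the page's pass/fail cases (trimmed) plus one extra block
# that supplies a CMK but leaves encryption off, and one unrelated resource.
SAMPLE_TF = '''
resource "aws_redshift_cluster" "pass" {
  cluster_identifier = "examplea"
  encrypted          = true
  kms_key_id         = aws_kms_key.test.arn
}

resource "aws_redshift_cluster" "fail" {
  cluster_identifier = "examplea"
  encrypted          = true
}

resource "aws_redshift_cluster" "inconsistent" {
  encrypted  = false
  kms_key_id = aws_kms_key.test.arn
}

resource "aws_s3_bucket" "other" {
  bucket = "not-a-redshift-cluster"
}
'''

# Top-level resource block: type, name, and the body up to a closing brace at column 0.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.S | re.M,
)
# One-line attribute assignments inside a block body (assumed shape, not full HCL).
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$', re.M)


def resource_blocks(hcl):
    """Yield (type, name, {attribute: raw_value}) for each resource block."""
    for m in BLOCK_RE.finditer(hcl):
        attrs = {a.group('key'): a.group('value') for a in ATTR_RE.finditer(m.group('body'))}
        yield m.group('type'), m.group('name'), attrs


def check_redshift_cmk(hcl):
    """Return {resource_name: finding} for aws_redshift_cluster blocks.
    'no-cmk' reproduces the page's rule (no kms_key_id attribute at all);
    'cmk-but-not-encrypted' is the extra case the Semgrep pattern does not flag."""
    findings = {}
    for rtype, name, attrs in resource_blocks(hcl):
        if rtype != 'aws_redshift_cluster':
            continue
        if 'kms_key_id' not in attrs:
            findings[name] = 'no-cmk'
        elif attrs.get('encrypted') != 'true':
            findings[name] = 'cmk-but-not-encrypted'
    return findings
```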
Short Link: https://sg.run/eXnb