terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted
semgrep
Author
unknown
Download Count*
License
By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
Run Locally
Run in CI
Defintion
rules:
- id: aws-secretsmanager-secret-unencrypted
patterns:
- pattern: |
resource "aws_secretsmanager_secret" $ANYTHING {
...
}
- pattern-not-inside: |
resource "aws_secretsmanager_secret" $ANYTHING {
...
kms_key_id = ...
...
}
message: By default, AWS SecretManager secrets are encrypted using AWS-managed
keys. However, for added security, it's recommended to configure your own
AWS KMS encryption key to protect your secrets in the Secret Manager. You
can either create a new aws_kms_key resource or use the ARN of an existing
key in your AWS account to do so.
languages:
- hcl
severity: WARNING
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-326: Inadequate Encryption Strength"
technology:
- aws
- terraform
category: security
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
Examples
aws-secretsmanager-secret-unencrypted.tf
# pass
resource "aws_secretsmanager_secret" "enabled1" {
name = "secret"
kms_key_id = var.kms_key_id
}
resource "aws_secretsmanager_secret" "enabled2" {
name = "secret"
kms_key_id = "1234"
}
# failure
# ruleid: aws-secretsmanager-secret-unencrypted
resource "aws_secretsmanager_secret" "default" {
name = "secret"
}
resource "aws_secretsmanager_secret" "default_explicit" {
name = "secret"
kms_key_id = "alias/aws/secretsmanager"
}
Short Link: https://sg.run/nrRX