terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues
Session Manager logging for this SSM document is disabled (no S3 bucket and no CloudWatch log group configured) or a configured log destination is not required to be encrypted (`s3EncryptionEnabled` or `cloudWatchEncryptionEnabled` is false). Enable at least one log destination and set its encryption flag to true so session logs land only in an encrypted bucket or log group; encrypt the destination with an `aws_kms_key` resource or the ARN of an existing key in your account. Note that the rule only inspects JSON-format documents; resources with `document_format = "YAML"` are skipped entirely.
Definition
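rules:
  - id: aws-ssm-document-logging-issues
    # Flags aws_ssm_document resources whose inline Session Manager
    # preferences either disable session logging altogether or leave a
    # configured log destination without the "require encryption" flag.
    # Only JSON-format documents are inspected (see pattern-not-inside).
    patterns:
      # Single-branch pattern-either. A second (YAML) branch is presumably
      # intended here -- the *_yaml failure examples are marked
      # todoruleid -- but is not implemented, so YAML documents are never
      # checked.
      - pattern-either:
          - patterns:
              # Skip resources declared as YAML: the JSON
              # metavariable-pattern below cannot parse them. This is a
              # known false-negative gap, not a sign the document is safe.
              - pattern-not-inside: |
                  resource "aws_ssm_document" $ANYTHING {
                    ...
                    document_format = "YAML"
                    ...
                  }
              # Bind the document body (a heredoc string in the examples).
              - pattern: content = "$STATEMENT"
              # Re-parse the body as JSON and match any one of three
              # misconfigurations. Key order in the JSON object does not
              # matter: the `disabled` example lists s3BucketName before
              # cloudWatchLogGroupName and still matches the third pattern.
              - metavariable-pattern:
                  metavariable: $STATEMENT
                  language: json
                  patterns:
                    - pattern-either:
                        # S3 destination not required to be encrypted.
                        # Checked independently of s3BucketName, so a
                        # false flag on an unused S3 destination is also
                        # reported.
                        - pattern: '"s3EncryptionEnabled": false'
                        # CloudWatch destination not required to be
                        # encrypted (same caveat as above).
                        - pattern: '"cloudWatchEncryptionEnabled": false'
                        # Neither destination configured: logging is off.
                        - pattern: '{..., "cloudWatchLogGroupName": "", ..., "s3BucketName": "", ...}'
    # The message describes exactly what the patterns above test. kmsKeyId
    # is NOT checked by this rule (the passing examples leave it empty), so
    # the KMS key is presented as the way to encrypt the destination rather
    # than as the condition being enforced.
    message: >-
      Session Manager logging for this SSM document is disabled (no S3 bucket
      and no CloudWatch log group configured) or a configured log destination
      is not required to be encrypted (s3EncryptionEnabled or
      cloudWatchEncryptionEnabled is false). Enable at least one log
      destination and set its encryption flag to true so session logs are
      written only to an encrypted bucket or log group. To encrypt the
      destination, create an aws_kms_key resource or use the ARN of an
      existing key in your account.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      # NOTE(review): CWE-326 covers weak keys/algorithms; the condition
      # detected here is encryption being absent or disabled. Confirm this
      # mapping is the intended one.
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues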
Examples
aws-ssm-document-logging-issues.tf
# pass
# Passes: S3 logging is enabled (s3BucketName set) and both encryption
# flags are true, so none of the rule's three JSON patterns match.
# kmsKeyId is empty and the example still passes -- the rule does not
# require a KMS key.
resource "aws_ssm_document" "s3_enabled_encrypted" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"
  content       = <<DOC
  {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
      "s3BucketName": "example",
      "s3KeyPrefix": "",
      "s3EncryptionEnabled": true,
      "cloudWatchLogGroupName": "",
      "cloudWatchEncryptionEnabled": true,
      "idleSessionTimeout": "20",
      "cloudWatchStreamingEnabled": true,
      "kmsKeyId": "",
      "runAsEnabled": false,
      "runAsDefaultUser": "",
      "shellProfile": {
        "windows": "",
        "linux": ""
      }
    }
  }
  DOC
}
# Passes, but only because the rule never evaluates YAML-format documents:
# the pattern-not-inside clause excludes every resource with
# document_format = "YAML", whatever the content says.
resource "aws_ssm_document" "s3_enabled_encrypted_yaml" {
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "YAML"
  content         = <<DOC
  schemaVersion: '1.0'
  description: Document to hold regional settings for Session Manager
  sessionType: Standard_Stream
  inputs:
    s3BucketName: 'example'
    s3KeyPrefix: ''
    s3EncryptionEnabled: true
    cloudWatchLogGroupName: ''
    cloudWatchEncryptionEnabled: true
    cloudWatchStreamingEnabled: true
    kmsKeyId: ''
    runAsEnabled: true
    runAsDefaultUser: ''
    idleSessionTimeout: '20'
    shellProfile:
      windows: ''
      linux: ''
  DOC
}
# Passes: CloudWatch logging is enabled (cloudWatchLogGroupName set) and
# both encryption flags are true, so none of the three JSON patterns match.
resource "aws_ssm_document" "cw_enabled_encrypted" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"
  content       = <<DOC
  {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
      "s3BucketName": "",
      "s3KeyPrefix": "",
      "s3EncryptionEnabled": true,
      "cloudWatchLogGroupName": "example",
      "cloudWatchEncryptionEnabled": true,
      "idleSessionTimeout": "20",
      "cloudWatchStreamingEnabled": true,
      "kmsKeyId": "",
      "runAsEnabled": false,
      "runAsDefaultUser": "",
      "shellProfile": {
        "windows": "",
        "linux": ""
      }
    }
  }
  DOC
}
# Passes because YAML-format documents are excluded by pattern-not-inside,
# not because the content was evaluated.
resource "aws_ssm_document" "cw_enabled_encrypted_yaml" {
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "YAML"
  content         = <<DOC
  schemaVersion: '1.0'
  description: Document to hold regional settings for Session Manager
  sessionType: Standard_Stream
  inputs:
    s3BucketName: ''
    s3KeyPrefix: ''
    s3EncryptionEnabled: true
    cloudWatchLogGroupName: 'example'
    cloudWatchEncryptionEnabled: true
    cloudWatchStreamingEnabled: true
    kmsKeyId: ''
    runAsEnabled: true
    runAsDefaultUser: ''
    idleSessionTimeout: '20'
    shellProfile:
      windows: ''
      linux: ''
  DOC
}
# failure
# Fails: both s3BucketName and cloudWatchLogGroupName are empty, so session
# logging is off and the rule's third JSON pattern matches. The encryption
# flags being true does not help -- there is no destination to encrypt.
# The keys appear here in the opposite order to the pattern and still
# match, so JSON key order is not significant for the rule.
resource "aws_ssm_document" "disabled" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"
  # ruleid: aws-ssm-document-logging-issues
  content = <<DOC
  {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
      "s3BucketName": "",
      "s3KeyPrefix": "",
      "s3EncryptionEnabled": true,
      "cloudWatchLogGroupName": "",
      "cloudWatchEncryptionEnabled": true,
      "idleSessionTimeout": "20",
      "cloudWatchStreamingEnabled": true,
      "kmsKeyId": "",
      "runAsEnabled": false,
      "runAsDefaultUser": "",
      "shellProfile": {
        "windows": "",
        "linux": ""
      }
    }
  }
  DOC
}
# Known false negative (todoruleid): logging is disabled exactly as in the
# JSON `disabled` example, but document_format = "YAML" causes the
# pattern-not-inside clause to skip this resource.
resource "aws_ssm_document" "disabled_yaml" {
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "YAML"
  # todoruleid: aws-ssm-document-logging-issues
  content = <<DOC
  schemaVersion: '1.0'
  description: Document to hold regional settings for Session Manager
  sessionType: Standard_Stream
  inputs:
    s3BucketName: ''
    s3KeyPrefix: ''
    s3EncryptionEnabled: true
    cloudWatchLogGroupName: ''
    cloudWatchEncryptionEnabled: true
    cloudWatchStreamingEnabled: true
    kmsKeyId: ''
    runAsEnabled: true
    runAsDefaultUser: ''
    idleSessionTimeout: '20'
    shellProfile:
      windows: ''
      linux: ''
  DOC
}
# Fails: S3 logging is enabled (s3BucketName set) but s3EncryptionEnabled
# is false, matching the rule's first JSON pattern.
resource "aws_ssm_document" "s3_enabled_not_encrypted" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"
  # ruleid: aws-ssm-document-logging-issues
  content = <<DOC
  {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
      "s3BucketName": "example",
      "s3KeyPrefix": "",
      "s3EncryptionEnabled": false,
      "cloudWatchLogGroupName": "",
      "cloudWatchEncryptionEnabled": true,
      "idleSessionTimeout": "20",
      "cloudWatchStreamingEnabled": true,
      "kmsKeyId": "",
      "runAsEnabled": false,
      "runAsDefaultUser": "",
      "shellProfile": {
        "windows": "",
        "linux": ""
      }
    }
  }
  DOC
}
# Known false negative (todoruleid): same unencrypted S3 destination as the
# JSON `s3_enabled_not_encrypted` example, skipped because the resource is
# declared with document_format = "YAML".
resource "aws_ssm_document" "s3_enabled_not_encrypted_yaml" {
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "YAML"
  # todoruleid: aws-ssm-document-logging-issues
  content = <<DOC
  schemaVersion: '1.0'
  description: Document to hold regional settings for Session Manager
  sessionType: Standard_Stream
  inputs:
    s3BucketName: 'example'
    s3KeyPrefix: ''
    s3EncryptionEnabled: false
    cloudWatchLogGroupName: ''
    cloudWatchEncryptionEnabled: true
    cloudWatchStreamingEnabled: true
    kmsKeyId: ''
    runAsEnabled: true
    runAsDefaultUser: ''
    idleSessionTimeout: '20'
    shellProfile:
      windows: ''
      linux: ''
  DOC
}
# Fails: CloudWatch logging is enabled (cloudWatchLogGroupName set) but
# cloudWatchEncryptionEnabled is false, matching the rule's second JSON
# pattern.
resource "aws_ssm_document" "cw_enabled_not_encrypted" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"
  # ruleid: aws-ssm-document-logging-issues
  content = <<DOC
  {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
      "s3BucketName": "",
      "s3KeyPrefix": "",
      "s3EncryptionEnabled": true,
      "cloudWatchLogGroupName": "example",
      "cloudWatchEncryptionEnabled": false,
      "idleSessionTimeout": "20",
      "cloudWatchStreamingEnabled": true,
      "kmsKeyId": "",
      "runAsEnabled": false,
      "runAsDefaultUser": "",
      "shellProfile": {
        "windows": "",
        "linux": ""
      }
    }
  }
  DOC
}
# Known false negative (todoruleid): unencrypted CloudWatch destination,
# skipped because document_format = "YAML". Unlike its JSON sibling this
# example also sets s3EncryptionEnabled to false on an unused S3
# destination -- presumably a copy inconsistency rather than intentional;
# confirm before relying on it as a test of the CloudWatch case alone.
resource "aws_ssm_document" "cw_enabled_not_encrypted_yaml" {
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "YAML"
  # todoruleid: aws-ssm-document-logging-issues
  content = <<DOC
  schemaVersion: '1.0'
  description: Document to hold regional settings for Session Manager
  sessionType: Standard_Stream
  inputs:
    s3BucketName: ''
    s3KeyPrefix: ''
    s3EncryptionEnabled: false
    cloudWatchLogGroupName: 'example'
    cloudWatchEncryptionEnabled: false
    cloudWatchStreamingEnabled: true
    kmsKeyId: ''
    runAsEnabled: true
    runAsDefaultUser: ''
    idleSessionTimeout: '20'
    shellProfile:
      windows: ''
      linux: ''
  DOC
}