terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your endpoint_type to "VPC".

Run Locally

Run in CI

Defintion

rules:
  - id: aws-transfer-server-is-public
    patterns:
      - pattern: |
          resource "aws_transfer_server" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_transfer_server" $ANYTHING {
            ...
            endpoint_type = "VPC"
            ...
          }
    message: Transfer Server endpoint type should not have public or null configured
      in order to block public access. To fix this, set your `endpoint_type` to
      `"VPC"`.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

aws-transfer-server-is-public.tf

# fail
# ruleid: aws-transfer-server-is-public
resource "aws_transfer_server" "example_public" {
    endpoint_type = "PUBLIC"
    protocols   = ["SFTP"]
}

# pass
resource "aws_transfer_server" "example_vpc" {
    endpoint_type = "VPC"
    protocols   = ["SFTP"]
}

# fail
# ruleid: aws-transfer-server-is-public
resource "aws_transfer_server" "example" {
    protocols   = ["SFTP"]
}