terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted
semgrep
Author
unknown
The AWS WorkSpaces root volume is unencrypted. An AWS KMS encryption key protects the root volume. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.
Definition
rules:
  - id: aws-workspaces-root-volume-unencrypted
    patterns:
      - pattern: |
          resource "aws_workspaces_workspace" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_workspaces_workspace" $ANYTHING {
            ...
            root_volume_encryption_enabled = true
            ...
          }
    message: The AWS Workspace root volume is unencrypted. The AWS KMS encryption
      key protects the root volume. To create your own, create an aws_kms_key
      resource or use the ARN string of a key in your account.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-workspaces-root-volume-unencrypted.tf
resource "aws_workspaces_workspace" "pass" {
  directory_id                   = aws_workspaces_directory.main.id
  bundle_id                      = data.aws_workspaces_bundle.bundle.id
  user_name                      = var.user_name
  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = var.user_volume_encryption_enabled
  volume_encryption_key          = var.volume_encryption_key
  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
  tags = var.common_tags
}

# ruleid: aws-workspaces-root-volume-unencrypted
resource "aws_workspaces_workspace" "fail" {
  directory_id                   = aws_workspaces_directory.main.id
  bundle_id                      = data.aws_workspaces_bundle.bundle.id
  user_name                      = var.user_name
  user_volume_encryption_enabled = var.user_volume_encryption_enabled
  volume_encryption_key          = var.volume_encryption_key
  workspace_properties {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
  tags = var.common_tags
}
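As an added example (not part of the registry rule or its test file), the following Python re-implements the rule's matching logic on constructed HCL so the `pattern-not-inside` behaviour can be inspected offline: only a literal `root_volume_encryption_enabled = true` clears a resource, so a value driven by a variable is still reported, exactly as the rule above is written. The regex names and the three sample resources are constructed for this illustration; real scans should use semgrep itself.

```python
import re

# Opening line of an aws_workspaces_workspace resource; equivalent of the rule's `pattern`
RESOURCE_RE = re.compile(r'resource\s+"aws_workspaces_workspace"\s+"(?P<name>[^"]+)"\s*\{')
# Equivalent of `pattern-not-inside`: only a literal `true` clears the finding
ENCRYPTED_RE = re.compile(r'^\s*root_volume_encryption_enabled\s*=\s*true\s*$', re.M)


def extract_blocks(hcl):
    """Yield (name, body) for each aws_workspaces_workspace block, matching braces
    so nested blocks such as workspace_properties stay inside the body.
    (Braces inside strings are not special-cased; fine for this constructed input.)"""
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group("name"), hcl[m.end():i - 1]


def find_unencrypted_root_volumes(hcl):
    """Return the resource names the rule would report."""
    return [name for name, body in extract_blocks(hcl) if not ENCRYPTED_RE.search(body)]


# Constructed sample (not from the rule's test file): compliant, missing, and variable-driven
SAMPLE_TF = """
resource "aws_workspaces_workspace" "pass" {
  directory_id                   = aws_workspaces_directory.main.id
  root_volume_encryption_enabled = true
  workspace_properties {
    running_mode = "AUTO_STOP"
  }
}

resource "aws_workspaces_workspace" "fail" {
  directory_id                   = aws_workspaces_directory.main.id
  user_volume_encryption_enabled = true
}

resource "aws_workspaces_workspace" "via_variable" {
  root_volume_encryption_enabled = var.encrypt_root
}
"""

if __name__ == "__main__":
    for name in find_unencrypted_root_volumes(SAMPLE_TF):
        print(f"aws-workspaces-root-volume-unencrypted: aws_workspaces_workspace.{name}")
```

The `via_variable` finding shows why a literal-`true` check produces a finding that needs manual review when encryption is toggled through a variable, which is consistent with the rule's LOW confidence and `audit` subcategory.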
Short Link: https://sg.run/8gby