terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version
Detected an AWS load balancer with an insecure TLS version. TLS versions below 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `"ELBSecurityPolicy-TLS13-1-2-2021-06"`, or include a default action that redirects to HTTPS.
Definition
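rules:
  - id: insecure-load-balancer-tls-version
    # Reports aws_lb_listener / aws_alb_listener resources that either set an
    # ssl_policy whose family is not restricted to TLS >= 1.2, or serve plain
    # HTTP without a default_action that redirects to HTTPS.
    patterns:
      - pattern-either:
          # Branch 1: an explicit ssl_policy that is not a TLS>=1.2-only policy.
          # The exclusions are prefix matches on the AWS policy families whose
          # minimum protocol is TLS 1.2 (or 1.3): ELBSecurityPolicy-TLS13-1-2-*
          # and -TLS13-1-3-* (including their -Res-, -Ext1-, -Ext2- and -FIPS-
          # variants), ELBSecurityPolicy-TLS-1-2-* (e.g. TLS-1-2-2017-01,
          # TLS-1-2-Ext-2018-06) and ELBSecurityPolicy-FS-1-2-*. The previous
          # suffix-based regexes (`...-[0-9-]+` and the character class
          # `[(Res)0-9-]+`) only accepted an all-digit tail after the version,
          # so TLS13 Res/Ext/FIPS variants and the whole TLS-1-2 family were
          # reported as insecure. TLS13-1-1-* / TLS13-1-0-* and FS-1-1-* are
          # deliberately still reported: their floor is below 1.2.
          # Known limitation: a non-literal value (e.g. var.ssl_policy) can
          # never match an exclusion and is always reported.
          - patterns:
              - pattern: ssl_policy = $ANYTHING
              - pattern-not-regex: ELBSecurityPolicy-TLS13-1-[23]-
              - pattern-not-regex: ELBSecurityPolicy-TLS-1-2-
              - pattern-not-regex: ELBSecurityPolicy-FS-1-2-
          # Branch 2: a plain-HTTP listener, unless its default_action is a
          # redirect with protocol = "HTTPS".
          - patterns:
              - pattern: protocol = "HTTP"
              - pattern-not-inside: |
                  resource $ANYTHING $NAME {
                    ...
                    default_action {
                      ...
                      redirect {
                        ...
                        protocol = "HTTPS"
                        ...
                      }
                      ...
                    }
                    ...
                  }
      # Both branches apply only inside listener resources; other resource
      # types that also carry protocol = "HTTP" (e.g. aws_lb_target_group)
      # are ignored.
      - pattern-inside: |
          resource $RESOURCE $X {
            ...
          }
      - metavariable-pattern:
          metavariable: $RESOURCE
          patterns:
            - pattern-either:
                - pattern: |
                    "aws_lb_listener"
                - pattern: |
                    "aws_alb_listener"
    # NOTE(review): an HTTPS/TLS listener that omits ssl_policy entirely is not
    # matched by either branch; if the provider or API falls back to a default
    # policy that permits TLS < 1.2 in that case, it goes unreported — confirm
    # against the provider docs before relying on this rule for it.
    message: >-
      Detected an AWS load balancer with an insecure TLS version. TLS
      versions less than 1.2 are considered insecure because they can be broken.
      To fix this, set your `ssl_policy` to
      `"ELBSecurityPolicy-TLS13-1-2-2021-06"`, or include a default action to
      redirect to HTTPS.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - "A03:2017 - Sensitive Data Exposure"
        - "A02:2021 - Cryptographic Failures"
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      references:
        # RFC 5246 is the TLS 1.2 specification.
        - https://www.ietf.org/rfc/rfc5246.txt
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING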
Examples
insecure-load-balancer-tls-version.tf
# Copyright 2019 Bridgecrew
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# pass
# Plain-HTTP listener whose default_action is a redirect to HTTPS.
# The rule matches `protocol = "HTTP"` but exempts listeners whose
# default_action/redirect sets protocol = "HTTPS", so this is not reported.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = var.aws_lb_arn
  # ok: insecure-load-balancer-tls-version
  protocol = "HTTP"
  port = "80"
  default_action {
    type = "redirect"
    redirect {
      port = "443"
      protocol = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
# TCP listener. The rule only matches `protocol = "HTTP"` or an `ssl_policy`
# assignment, so a non-HTTP listener without ssl_policy is never reported.
resource "aws_lb_listener" "tcp" {
  load_balancer_arn = var.aws_lb_arn
  # ok: insecure-load-balancer-tls-version
  protocol = "TCP"
  port = "8080"
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
# UDP listener: neither `protocol = "HTTP"` nor `ssl_policy` is present, so
# neither branch of the rule applies.
resource "aws_lb_listener" "udp" {
  load_balancer_arn = var.aws_lb_arn
  # ok: insecure-load-balancer-tls-version
  protocol = "UDP"
  port = "8080"
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
# TCP_UDP listener: neither `protocol = "HTTP"` nor `ssl_policy` is present,
# so neither branch of the rule applies.
resource "aws_lb_listener" "tcp_udp" {
  load_balancer_arn = var.aws_lb_arn
  # ok: insecure-load-balancer-tls-version
  protocol = "TCP_UDP"
  port = "8080"
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
# TLS listener using a forward-secrecy policy with a TLS 1.2 floor
# (ELBSecurityPolicy-FS-1-2-Res-2019-08); matched by the rule's FS-1-2
# exclusion, so not reported.
resource "aws_lb_listener" "tls_fs_1_2" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "TLS"
  port = "8080"
  # ok: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
# HTTPS listener with ELBSecurityPolicy-FS-1-2-Res-2019-08 (TLS 1.2 floor);
# excluded by the rule's FS-1-2 pattern-not-regex.
resource "aws_lb_listener" "https_fs_1_2" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "HTTPS"
  port = "443"
  # ok: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
# Same policy as the aws_lb_listener variant above, but on the aws_alb_listener
# alias type; the rule's metavariable-pattern accepts both resource types.
resource "aws_alb_listener" "https_fs_1_2" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "HTTPS"
  port = "443"
  # ok: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
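# HTTPS listener with the newer ELBSecurityPolicy-FS-1-2-Res-2020-10 policy
# (TLS 1.2 floor); excluded by the rule's FS-1-2 pattern-not-regex.
# Renamed from "https_fs_1_2": that address is already taken by another
# aws_alb_listener in this file, and Terraform rejects duplicate resource
# addresses, which made the fixture invalid HCL.
resource "aws_alb_listener" "https_fs_1_2_res_2020" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "HTTPS"
  port = "443"
  # ok: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}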
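# HTTPS listener with ELBSecurityPolicy-FS-1-2-2019-08 (the non-"Res" FS
# policy, still a TLS 1.2 floor); excluded by the rule's FS-1-2 regex.
# Renamed from "https_fs_1_2": that address is already taken by another
# aws_alb_listener in this file, and Terraform rejects duplicate resource
# addresses, which made the fixture invalid HCL.
resource "aws_alb_listener" "https_fs_1_2_2019" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "HTTPS"
  port = "443"
  # ok: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-FS-1-2-2019-08"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}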
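# Target group with protocol = "HTTP". Not reported: the rule's
# metavariable-pattern restricts matches to aws_lb_listener /
# aws_alb_listener, so a target group's protocol is out of scope.
resource "aws_lb_target_group" "foo" {
  name = "foo"
  port = 80
  # ok: insecure-load-balancer-tls-version
  protocol = "HTTP"
  target_type = "instance"
  # vpc_id is a string attribute; the previous `data.aws_vpc.bar` assigned
  # the whole data-source object, which is a type error at plan time.
  vpc_id = data.aws_vpc.bar.id
  deregistration_delay = 60
  health_check {
    # health-check settings intentionally omitted in this fixture
  }
}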
# failure
# Plain-HTTP listener that forwards traffic instead of redirecting to HTTPS.
# Matches `protocol = "HTTP"` with no exempting redirect block, so it is
# reported.
resource "aws_lb_listener" "http" {
  load_balancer_arn = var.aws_lb_arn
  # ruleid: insecure-load-balancer-tls-version
  protocol = "HTTP"
  port = "80"
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
# HTTPS listener on ELBSecurityPolicy-2016-08, which still permits TLS 1.0
# and 1.1. The name matches neither the TLS13-1-[23] nor the FS-1-2
# exclusion, so it is reported.
resource "aws_lb_listener" "https_2016" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "HTTPS"
  port = "443"
  # ruleid: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-2016-08"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
# TLS listener on a forward-secrecy policy with a TLS 1.1 floor (FS-1-1).
# Forward secrecy alone does not satisfy the rule; only FS-1-2 is excluded,
# so this is reported.
resource "aws_lb_listener" "tls_fs_1_1" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "TLS"
  port = "8080"
  # ruleid: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-FS-1-1-2019-08"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
# Same FS-1-1 (TLS 1.1 floor) case on the aws_alb_listener alias type;
# reported for the same reason as the aws_lb_listener variant.
resource "aws_alb_listener" "tls_fs_1_1" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "TLS"
  port = "8080"
  # ruleid: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-FS-1-1-2019-08"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
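# TLS listener on ELBSecurityPolicy-TLS13-1-2-2021-06, the policy the rule
# message recommends (TLS 1.3 with a TLS 1.2 floor); excluded by the
# TLS13-1-[23] pattern-not-regex. The fixture previously spelled this
# "ELBSecurityPolicy-TLS13-1-2-2021-068", which is not an AWS policy name and
# only passed because the old regex accepted any trailing digit run.
resource "aws_alb_listener" "tls_1_3" {
  load_balancer_arn = var.aws_lb_arn
  protocol = "TLS"
  port = "8080"
  # ok: insecure-load-balancer-tls-version
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn = var.certificate_arn
  default_action {
    type = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}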