terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest


Encryption at rest is not enabled for the elastic search domain resource


Definition

# Semgrep rule: reports every aws_elasticsearch_domain resource that does not
# explicitly set `encrypt_at_rest { enabled = true }`. Matching is on the HCL
# AST, so the missing space before `{` in the exclusion pattern is harmless.
rules:
  - id: elastic-search-encryption-at-rest
    patterns:
      # Seed match: any `resource` block; the two clauses below narrow it.
      - pattern: |
          resource
      # Exclude domains whose body contains an encrypt_at_rest block with the
      # literal `enabled = true` (`...` tolerates surrounding attributes).
      # Anything else — no block, `enabled = false`, or a non-literal value
      # such as a variable reference — does not match here and is reported.
      - pattern-not-inside: |
          resource "aws_elasticsearch_domain" "..."{
            ...
            encrypt_at_rest{
              ...
              enabled = true
              ...
            }
            ...
          }
      # Restrict findings to Elasticsearch domains only.
      # NOTE(review): the newer `aws_opensearch_domain` resource carries the
      # same encrypt_at_rest block but is not covered by this rule — confirm
      # whether a sibling rule exists.
      - pattern-inside: |
          resource "aws_elasticsearch_domain" "..." {...}
    languages:
      - hcl
    message: Encryption at rest is not enabled for the elastic search domain resource
    severity: WARNING
    metadata:
      category: security
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      # `audit` marks this as a review-time check rather than a confirmed
      # exploitable condition; triage scores below are as published.
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

elastic-search-encryption-at-rest.tf

# Fixture 1: no encrypt_at_rest block at all, so the rule's exclusion
# pattern never matches and the resource is reported.
# ruleid: elastic-search-encryption-at-rest
resource "aws_elasticsearch_domain" "monitoring-framework" {
  domain_name           = "tg-test-es"
  elasticsearch_version = "2.3"
  cluster_config {
    instance_type            = "t2.small.elasticsearch"
    instance_count           = 1
    dedicated_master_enabled = false
    dedicated_master_type    = "m4.large.elasticsearch"
    dedicated_master_count   = 1
  }
  # Unrelated to the rule: EBS storage settings, no encryption attribute here.
  ebs_options {
    ebs_enabled = true
    volume_size = 30
  }
}

# Fixture 2: encrypt_at_rest is present but explicitly disabled. The rule's
# exclusion requires the literal `enabled = true`, so this is still reported.
# ruleid: elastic-search-encryption-at-rest
resource "aws_elasticsearch_domain" "monitoring-framework" {
  domain_name           = "tg-test-es"
  elasticsearch_version = "2.3"
  encrypt_at_rest {
    enabled = false
  }
  cluster_config {
    instance_type            = "t2.small.elasticsearch"
    instance_count           = 1
    dedicated_master_enabled = false
    dedicated_master_type    = "m4.large.elasticsearch"
    dedicated_master_count   = 1
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 30
  }
}

# Fixture 3: encrypt_at_rest enabled with the literal `true`, which is exactly
# what the rule's exclusion pattern looks for, so no finding is produced.
# NOTE(review): AWS presumably requires Elasticsearch 5.1 or later before
# encryption at rest can be turned on; `elasticsearch_version = "2.3"` is
# acceptable for a static-analysis fixture but not a deployable example —
# confirm before reusing this block elsewhere.
# ok: elastic-search-encryption-at-rest
resource "aws_elasticsearch_domain" "monitoring-framework" {
  domain_name           = "tg-test-es"
  elasticsearch_version = "2.3"
  encrypt_at_rest {
    enabled = true
  }
  cluster_config {
    instance_type            = "t2.small.elasticsearch"
    instance_count           = 1
    dedicated_master_enabled = false
    dedicated_master_type    = "m4.large.elasticsearch"
    dedicated_master_count   = 1
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 30
  }
}