terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code


RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.


Definition

---
# Semgrep rule: flag an RDS master credential written as a string literal
# directly in Terraform source. Two resource types are covered, and the
# attribute name differs between them (`password` on aws_db_instance,
# `master_password` on aws_rds_cluster), hence the two branches below.
rules:
  - id: rds-insecure-password-storage-in-source-code
    languages:
      - hcl
    severity: WARNING
    # `"..."` matches any string literal. A reference such as
    # `random_password.password.result` or a variable is not a string literal
    # and therefore does not match, which is the intended "ok" case.
    pattern-either:
      - patterns:
          - pattern-inside: |
              resource "aws_db_instance" "..." {
                ...
              }
          - pattern: password = "..."
      - patterns:
          - pattern-inside: |
              resource "aws_rds_cluster" "..." {
                ...
              }
          - pattern: master_password = "..."
    message: >-
      RDS instance or cluster with hardcoded credentials in source code. It
      is recommended to pass the credentials at runtime, or generate random
      credentials using the random_password resource.
    metadata:
      category: security
      subcategory:
        - vuln
      technology:
        - terraform
        - aws
        - secrets
      # Classification: the literal is a credential committed to VCS history.
      cwe:
        - 'CWE-522: Insufficiently Protected Credentials'
      cwe2021-top25: true
      owasp:
        - 'A02:2017 - Broken Authentication'
        - 'A04:2021 - Insecure Design'
      vulnerability_class:
        - Cryptographic Issues
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password
        - https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password
      license: 'Commons Clause License Condition v1.0[LGPL-2.1-only]'

Examples

rds-insecure-password-storage-in-source-code.tf

##
## aws_db_instance resources
##

# Test case 1: No password specified (OK)
resource "aws_db_instance" "no_password" {
  # No `password` attribute is set at all, so there is no string literal for
  # the rule to match; this is the negative control for aws_db_instance.
  # ok: rds-insecure-password-storage-in-source-code
  engine            = "mysql"
  engine_version    = "5.7"
  instance_class    = "db.t3.micro"
  allocated_storage = 10
  name              = "mydb"
}

# Test case 2: Password specified from a random data source (OK)
resource "random_password" "password" {
  # The credential is generated at apply time instead of being typed into
  # source. The generated value is still persisted in Terraform state, so the
  # state backend needs the same access controls as the credential itself.
  special = false
  length  = 64
}
resource "aws_db_instance" "password_not_hardcoded" {
  # `password` is an expression (a reference to the random_password resource),
  # not a string literal, so the rule must stay silent here.
  # ok: rds-insecure-password-storage-in-source-code
  engine            = "mysql"
  engine_version    = "5.7"
  instance_class    = "db.t3.micro"
  allocated_storage = 10
  name              = "mydb"
  username          = "admin"
  password          = random_password.password.result
}

# Test case 3: Password hardcoded (NOK)
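# Named `password_hardcoded`: the original fixture reused the name
# `password_not_hardcoded` from test case 2, which both mislabels the positive
# case and declares the same resource address twice.
resource "aws_db_instance" "password_hardcoded" {
  allocated_storage = 10
  engine            = "mysql"
  engine_version    = "5.7"
  instance_class    = "db.t3.micro"
  name              = "mydb"
  username          = "admin"

  # The string literal is what the rule matches; a literal here also ends up
  # in VCS history and in Terraform state.
  # ruleid: rds-insecure-password-storage-in-source-code
  password = "p455w0rd"
}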

##
## aws_rds_cluster resources
##

# Test case 1: No password specified (OK)
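# Named `no_password` instead of `default`: the original fixture declared
# `aws_rds_cluster.default` three times, which collides as a resource address
# and does not match the descriptive naming used for the aws_db_instance cases.
resource "aws_rds_cluster" "no_password" {
  # No `master_password` attribute is set, so there is no literal to match.
  # ok: rds-insecure-password-storage-in-source-code
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
}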

# Test case 2: Password specified from a random data source (OK)
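# Named `password_not_hardcoded` instead of `default`: the original fixture
# declared `aws_rds_cluster.default` three times, which collides as a resource
# address and hides which case each block exercises.
resource "aws_rds_cluster" "password_not_hardcoded" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
  master_username         = "foo"

  # `master_password` is a reference, not a string literal, so the rule must
  # stay silent here.
  # ok: rds-insecure-password-storage-in-source-code
  master_password         = random_password.password.result
}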

# Test case 3: Password hardcoded (NOK)
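# Named `password_hardcoded` instead of `default`: the original fixture
# declared `aws_rds_cluster.default` three times, which collides as a resource
# address and hides which case each block exercises.
resource "aws_rds_cluster" "password_hardcoded" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  engine_version          = "5.7.mysql_aurora.2.03.2"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
  master_username         = "foo"

  # The string literal is what the rule matches; a literal here also ends up
  # in VCS history and in Terraform state.
  # ruleid: rds-insecure-password-storage-in-source-code
  master_password         = "bar"
}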