typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption


Add "encryption: $Y.BucketEncryption.KMS_MANAGED" or "encryption: $Y.BucketEncryption.S3_MANAGED" to the bucket props for Bucket construct $X


Definition

# Flags S3 `Bucket` constructs from '@aws-cdk/aws-s3' whose props do not set
# `encryption` to one of BucketEncryption.KMS_MANAGED, BucketEncryption.KMS
# or BucketEncryption.S3_MANAGED (see the pattern-not clauses below).
rules:
  - id: awscdk-bucket-encryption
    # NOTE(review): the pattern-not clauses also accept BucketEncryption.KMS
    # (a customer-managed key), which this message does not mention.
    message: 'Add "encryption: $Y.BucketEncryption.KMS_MANAGED" or "encryption:
      $Y.BucketEncryption.S3_MANAGED" to the bucket props for Bucket construct
      $X'
    metadata:
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      category: security
      technology:
        - AWS-CDK
      references:
        - https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - typescript
    severity: ERROR
    # Two branches, one per import style of '@aws-cdk/aws-s3'. Both only match
    # `const $X = new ...Bucket(...)`, so a bucket created with `let`/`var`, or
    # one not bound to a variable at all, is not reported; other module
    # specifiers are not covered either.
    # NOTE(review): whether an omitted `encryption` prop really yields an
    # unencrypted bucket depends on the CDK/S3 defaults in use - the rule
    # reports the omission regardless.
    pattern-either:
      # Branch 1: named import `{Bucket}`. `$Y` is not bound in this branch, so
      # the message presumably renders it literally - confirm.
      - patterns:
          - pattern-inside: |
              import {Bucket} from '@aws-cdk/aws-s3'
              ...
          - pattern: const $X = new Bucket(...)
          # Accepted values. The `...` on both sides of `encryption:` lets the
          # key sit anywhere in the props object.
          - pattern-not: >
              const $X = new Bucket(..., {..., encryption:
              BucketEncryption.KMS_MANAGED, ...})
          - pattern-not: >
              const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS,
              ...})
          - pattern-not: >
              const $X = new Bucket(..., {..., encryption:
              BucketEncryption.S3_MANAGED, ...})
      # Branch 2: namespace import under any alias. The alias is bound to `$Y`,
      # so the same alias must prefix both `Bucket` and `BucketEncryption`.
      - patterns:
          - pattern-inside: |
              import * as $Y from '@aws-cdk/aws-s3'
              ...
          - pattern: const $X = new $Y.Bucket(...)
          # Same three accepted values as branch 1, qualified with the alias.
          - pattern-not: >
              const $X = new $Y.Bucket(..., {..., encryption:
              $Y.BucketEncryption.KMS_MANAGED, ...})
          - pattern-not: >
              const $X = new $Y.Bucket(..., {..., encryption:
              $Y.BucketEncryption.KMS, ...})
          - pattern-not: >
              const $X = new $Y.Bucket(..., {..., encryption:
              $Y.BucketEncryption.S3_MANAGED, ...})

Examples

awscdk-bucket-encryption.ts

import * as s3 from '@aws-cdk/aws-s3';
import * as cdk from '@aws-cdk/core';
import * as renamed_s3 from '@aws-cdk/aws-s3';
import {Bucket, BucketEncryption} from '@aws-cdk/aws-s3';

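/**
 * Semgrep test fixture for the `awscdk-bucket-encryption` rule.
 *
 * The `// ok:` and `// ruleid:` markers are read by the semgrep test harness:
 * the line after each `ruleid` marker must produce a finding and the line after
 * each `ok` marker must not. Every bucket is bound with `const` on purpose -
 * the rule only matches `const $X = new Bucket(...)` declarations - so the
 * unused locals are part of the fixture, not an oversight.
 *
 * Three import styles are covered: the `s3` namespace alias, a second alias
 * (`renamed_s3`) showing that the alias name does not matter, and the direct
 * named import of `Bucket` / `BucketEncryption`. Each style exercises all
 * three accepted `BucketEncryption` values (S3_MANAGED, KMS_MANAGED, KMS), an
 * omitted `encryption` prop, and an explicit UNMANAGED value.
 *
 * Construct ids are unique within the stack: CDK rejects two children with the
 * same id under one scope, so a fixture that reused an id could not be
 * instantiated even though the semgrep test never does so.
 */
export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // --- namespace import: `import * as s3` ---

    // ok:awscdk-bucket-encryption
    const goodBucket = new s3.Bucket(this, 's3-managed', {
      encryption: s3.BucketEncryption.S3_MANAGED
    });
    // ruleid:awscdk-bucket-encryption
    const badBucket = new s3.Bucket(this, 'no-encryption');
    // ok:awscdk-bucket-encryption
    const anotherGoodBucket = new s3.Bucket(this, 'kms-managed', {
      encryption: s3.BucketEncryption.KMS_MANAGED
    });
    // ok:awscdk-bucket-encryption
    const goodBucketKms = new s3.Bucket(this, 'kms-customer-key', {
      encryption: s3.BucketEncryption.KMS
    });
    // ruleid:awscdk-bucket-encryption
    const badBucket2 = new s3.Bucket(this, 'unmanaged', {
      encryption: s3.BucketEncryption.UNMANAGED
    });

    // --- namespace import under a different alias: `import * as renamed_s3` ---

    // ok:awscdk-bucket-encryption
    const goodBucketRenamed = new renamed_s3.Bucket(this, 's3-managed-renamed', {
      encryption: renamed_s3.BucketEncryption.S3_MANAGED
    });
    // ruleid:awscdk-bucket-encryption
    const badBucketRenamed = new renamed_s3.Bucket(this, 'no-encryption-renamed');
    // ok:awscdk-bucket-encryption
    const anotherGoodBucketRenamed = new renamed_s3.Bucket(this, 'kms-managed-renamed', {
      encryption: renamed_s3.BucketEncryption.KMS_MANAGED
    });
    // ok:awscdk-bucket-encryption
    const goodBucketKmsRenamed = new renamed_s3.Bucket(this, 'kms-customer-key-renamed', {
      encryption: renamed_s3.BucketEncryption.KMS
    });
    // ruleid:awscdk-bucket-encryption
    const badBucket2Renamed = new renamed_s3.Bucket(this, 'unmanaged-renamed', {
      encryption: renamed_s3.BucketEncryption.UNMANAGED
    });

    // --- named import: `import {Bucket, BucketEncryption}` ---

    // ok:awscdk-bucket-encryption
    const goodBucketDirect = new Bucket(this, 's3-managed-direct', {
      encryption: BucketEncryption.S3_MANAGED
    });
    // ruleid:awscdk-bucket-encryption
    const badBucketDirect = new Bucket(this, 'no-encryption-direct');
    // ok:awscdk-bucket-encryption
    const anotherGoodBucketDirect = new Bucket(this, 'kms-managed-direct', {
      encryption: BucketEncryption.KMS_MANAGED
    });
    // ok:awscdk-bucket-encryption
    const goodBucketKmsDirect = new Bucket(this, 'kms-customer-key-direct', {
      encryption: BucketEncryption.KMS
    });
    // ruleid:awscdk-bucket-encryption
    const badBucket2Direct = new Bucket(this, 'unmanaged-direct', {
      encryption: BucketEncryption.UNMANAGED
    });
  }
}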