typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl


Bucket $X is not set to enforce encryption-in-transit; if this is not explicitly set on the bucket policy, the property "enforceSSL" should be set to true


Definition

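rules:
  - id: aws-cdk-bucket-enforcessl
    message: Bucket $X is not set to enforce encryption-in-transit, if not explicitly
      setting this on the bucket policy - the property "enforceSSL" should be
      set to true
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      category: security
      technology:
        - AWS-CDK
      references:
        - https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - ts
    severity: ERROR
    # Scope of the rule as written:
    #   * only `const $X = new ...Bucket(...)` declarations are inspected; a
    #     `let`, a class-field assignment or an unassigned `new Bucket(...)`
    #     call is not covered by either branch;
    #   * only the `@aws-cdk/aws-s3` (CDK v1) module path is matched; buckets
    #     imported from `aws-cdk-lib/aws-s3` (CDK v2) are not examined;
    #   * a bucket is considered compliant only when its props literal carries
    #     `enforceSSL: true` inline - a props object built elsewhere and passed
    #     by name, or a separately attached bucket policy, is not recognized.
    pattern-either:
      # Branch 1: named import of Bucket.
      - patterns:
          - pattern-inside: |
              import {Bucket} from '@aws-cdk/aws-s3';
              ...
          - pattern: const $X = new Bucket(...)
          # `...` inside the object so a props literal that sets enforceSSL: true
          # next to other keys is also treated as compliant, consistent with
          # the namespace-import branch below.
          - pattern-not: |
              const $X = new Bucket(..., {..., enforceSSL: true, ...}, ...)
      # Branch 2: namespace import (`import * as $Y`), any alias.
      - patterns:
          - pattern-inside: |
              import * as $Y from '@aws-cdk/aws-s3';
              ...
          - pattern: const $X = new $Y.Bucket(...)
          - pattern-not: |
              const $X = new $Y.Bucket(..., {..., enforceSSL: true, ...})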

Examples

awscdk-bucket-enforcessl.ts

import * as s3 from '@aws-cdk/aws-s3';
import * as cdk from '@aws-cdk/core';
import * as rename_s3 from '@aws-cdk/aws-s3';
import {Bucket} from '@aws-cdk/aws-s3';

/**
 * Test fixture for the aws-cdk-bucket-enforcessl rule.
 *
 * Each `ruleid:` / `ok:` marker applies to the declaration on the line
 * directly below it, so the markers are kept immediately above the
 * `new ...Bucket(...)` calls. The same three cases (no props, `enforceSSL:
 * true`, `enforceSSL: false`) are repeated for the three import styles the
 * rule handles: `s3.*` and `rename_s3.*` (namespace imports) and the named
 * `Bucket` import.
 */
export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // --- namespace import: `import * as s3` ---
    // No props at all: nothing enforces TLS-only access, so it is flagged.
    // ruleid:aws-cdk-bucket-enforcessl
    const nsBucketNoProps = new s3.Bucket(this, 's3-bucket-bad');
    // enforceSSL: true is the compliant form the rule looks for.
    // ok:aws-cdk-bucket-enforcessl
    const nsBucketEnforced = new s3.Bucket(this, 's3-bucket', {
      enforceSSL: true
    });
    // An explicit false is still non-compliant and is flagged.
    // ruleid:aws-cdk-bucket-enforcessl
    const nsBucketDisabled = new s3.Bucket(this, 's3-bucket-bad', {
      enforceSSL: false
    });

    // --- namespace import under a different alias: `import * as rename_s3` ---
    // ruleid:aws-cdk-bucket-enforcessl
    const aliasBucketNoProps = new rename_s3.Bucket(this, 's3-bucket-bad');
    // ok:aws-cdk-bucket-enforcessl
    const aliasBucketEnforced = new rename_s3.Bucket(this, 's3-bucket', {
      enforceSSL: true
    });
    // ruleid:aws-cdk-bucket-enforcessl
    const aliasBucketDisabled = new rename_s3.Bucket(this, 's3-bucket-bad', {
      enforceSSL: false
    });

    // --- named import: `import {Bucket}` ---
    // ruleid:aws-cdk-bucket-enforcessl
    const namedBucketNoProps = new Bucket(this, 's3-bucket-bad');
    // ok:aws-cdk-bucket-enforcessl
    const namedBucketEnforced = new Bucket(this, 's3-bucket', {
      enforceSSL: true
    });
    // ruleid:aws-cdk-bucket-enforcessl
    const namedBucketDisabled = new Bucket(this, 's3-bucket-bad', {
      enforceSSL: false
    });
  }
}