EMR Security Configuration Encryption Disabled

  • Query id: 5b033ec8-f079-4323-b5c8-99d4620433a9
  • Query name: EMR Security Configuration Encryption Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Encryption
  • CWE: Ongoing
  • URL: Github

Description

An `AWS::EMR::SecurityConfiguration` should enable and properly configure encryption both at rest and in transit. In the samples below, the query reports `EnableInTransitEncryption: false`, `EnableAtRestEncryption: false`, `EnableEbsEncryption: false`, and an empty `SecurityConfiguration`.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
# Positive sample: both top-level encryption switches are false, so the query
# reports this resource even though a KMS-backed local-disk block is present.
Resources:
  EMRSecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: 'String'
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: false
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: true
              EncryptionKeyProviderType: AwsKms
              AwsKmsKey: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
Positive test num. 2 - yaml file
---
# Positive sample: local-disk (EBS) encryption is explicitly disabled and no
# other encryption setting is configured, so the query reports this resource.
Resources:
  EMRSecurityConfiguration01:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: 'String'
      SecurityConfiguration:
        EncryptionConfiguration:
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: false
Positive test num. 3 - yaml file
---
# Positive sample: in-transit and at-rest encryption are both switched off and
# no at-rest configuration block is given, so the query reports this resource.
Resources:
  EMRSecurityConfiguration03:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: 'String'
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: false

Positive test num. 4 - yaml file
---
# Positive sample: SecurityConfiguration is an empty mapping, so no encryption
# of any kind is configured and the query reports this resource.
Resources:
  EMRSecurityConfiguration04:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: 'String'
      SecurityConfiguration: {}
Positive test num. 5 - json file
{
  "Resources": {
    "EMRSecurityConfiguration": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "EnableInTransitEncryption": false,
            "EnableAtRestEncryption": false,
            "AtRestEncryptionConfiguration": {
              "LocalDiskEncryptionConfiguration": {
                "EnableEbsEncryption": true,
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
              }
            }
          }
        }
      }
    }
  }
}
Positive test num. 6 - json file
{
  "Resources": {
    "EMRSecurityConfiguration01": {
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "AtRestEncryptionConfiguration": {
              "LocalDiskEncryptionConfiguration": {
                "EnableEbsEncryption": false
              }
            }
          }
        }
      },
      "Type": "AWS::EMR::SecurityConfiguration"
    }
  }
}
Positive test num. 7 - json file
{
  "Resources": {
    "EMRSecurityConfiguration03": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "EnableInTransitEncryption": false,
            "EnableAtRestEncryption": false
          }
        },
        "Name": "String"
      }
    }
  }
}
Positive test num. 8 - json file
{
  "Resources": {
    "EMRSecurityConfiguration04": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {}
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
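---
# Negative sample: this is correct code for which the query should not report
# a result. In-transit and at-rest encryption are both enabled, and local-disk
# (EBS) encryption is enabled with a KMS key provider.
Resources:
  EMRSecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: 'String'
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: true
          EnableAtRestEncryption: true
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: true
              EncryptionKeyProviderType: AwsKms
              AwsKmsKey: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'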
Negative test num. 2 - yaml file
---
# Negative sample: local-disk (EBS) encryption is enabled with a KMS key
# provider, so the query should not report this resource.
Resources:
  EMRSecurityConfiguration01:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: 'String'
      SecurityConfiguration:
        EncryptionConfiguration:
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: true
              EncryptionKeyProviderType: AwsKms
              AwsKmsKey: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
Negative test num. 3 - yaml file
---
# Negative sample: in-transit and at-rest encryption are both enabled, so the
# query should not report this resource.
Resources:
  EMRSecurityConfiguration02:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      Name: 'String'
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: true
          EnableAtRestEncryption: true

Negative test num. 4 - json file
{
  "Resources": {
    "EMRSecurityConfiguration": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "EnableInTransitEncryption": true,
            "EnableAtRestEncryption": true,
            "AtRestEncryptionConfiguration": {
              "LocalDiskEncryptionConfiguration": {
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
                "EnableEbsEncryption": true,
                "EncryptionKeyProviderType": "AwsKms"
              }
            }
          }
        }
      }
    }
  }
}
Negative test num. 5 - json file
{
  "Resources": {
    "EMRSecurityConfiguration01": {
      "Type": "AWS::EMR::SecurityConfiguration",
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "AtRestEncryptionConfiguration": {
              "LocalDiskEncryptionConfiguration": {
                "EnableEbsEncryption": true,
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
              }
            }
          }
        }
      }
    }
  }
}
Negative test num. 6 - json file
{
  "Resources": {
    "EMRSecurityConfiguration02": {
      "Properties": {
        "Name": "String",
        "SecurityConfiguration": {
          "EncryptionConfiguration": {
            "EnableInTransitEncryption": true,
            "EnableAtRestEncryption": true
          }
        }
      },
      "Type": "AWS::EMR::SecurityConfiguration"
    }
  }
}