Launch Template Is Not Encrypted
- Query id: 1455cb21-1d48-46d6-8ae3-cef911b71fd5
- Query name: Launch Template Is Not Encrypted
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
Description
An ECS launch template should require the disk of every instance it launches to be encrypted at rest; otherwise the disk contents are stored in plaintext wherever the cloud provider persists them. To enable encryption, set the `encrypted` argument of the `alicloud_launch_template` resource to `true`. The query reports the resource both when `encrypted = false` is written explicitly and when the argument is omitted altogether. Two caveats for reviewers: the `data_disks` blocks in the samples carry no encryption setting of their own and are not what this query inspects, so data-disk encryption must be verified separately; and disk encryption only protects data at rest — it does nothing for data read from a running instance that has been compromised.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file (`encrypted = false` is set explicitly)
# Data sources used only to supply a valid image_id and instance_type to the
# template under test: system-owned images, and whatever instances already exist.
data "alicloud_images" "images" {
  owners = "system"
}

data "alicloud_instances" "instances" {}
# Positive case: disk encryption is explicitly turned OFF on the template, so
# every instance launched from it gets an unencrypted disk. This is the finding.
resource "alicloud_launch_template" "templatepos1" {
  name        = "tf-test-template"
  description = "test1"

  # Instance identity and sizing
  image_id      = data.alicloud_images.images.images[0].id
  instance_type = data.alicloud_instances.instances.instances[0].instance_type
  instance_name = "tf-instance-name"
  host_name     = "tf-test-host"
  io_optimized  = "none"
  zone_id       = "beijing-a"

  # Billing
  instance_charge_type = "PrePaid"
  spot_strategy        = "SpotWithPriceLimit"
  spot_price_limit     = 5

  # Networking
  network_type               = "vpc"
  vpc_id                     = "vpc-asdfnbg0as8dfk1nb2"
  vswitch_id                 = "sw-ljkngaksdjfj0nnasdf"
  security_group_id          = "sg-zxcvj0lasdf102350asdf9a"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_in  = 5
  internet_max_bandwidth_out = 0

  # Access, identity and hardening (placeholder values in this fixture)
  key_pair_name                 = "test-key-pair"
  ram_role_name                 = "xxxxx"
  security_enhancement_strategy = "Active"
  userdata                      = "xxxxxxxxxxxxxx"
  resource_group_id             = "rg-zkdfjahg9zxncv0"

  # System disk
  system_disk_category    = "cloud_ssd"
  system_disk_name        = "hello"
  system_disk_description = "test disk"
  system_disk_size        = 40

  # Disk encryption -- the vulnerable setting this query reports.
  encrypted = false

  tags = {
    tag1 = "hello"
    tag2 = "world"
  }

  network_interfaces {
    name              = "eth0"
    description       = "hello1"
    primary_ip        = "10.0.0.2"
    security_group_id = "xxxx"
    vswitch_id        = "xxxxxxx"
  }

  # NOTE(review): the data disks carry no encryption setting of their own and
  # are not inspected by this query; their encryption must be checked separately.
  data_disks {
    name        = "disk1"
    description = "test1"
  }

  data_disks {
    name        = "disk2"
    description = "test2"
  }
}
Positive test num. 2 - tf file (the `encrypted` argument is omitted, which the query treats the same as `encrypted = false`)
# Data sources used only to supply a valid image_id and instance_type to the
# template under test: system-owned images, and whatever instances already exist.
data "alicloud_images" "images" {
  owners = "system"
}

data "alicloud_instances" "instances" {}
# Positive case: the `encrypted` argument is absent from the template. The query
# treats the omission exactly like `encrypted = false`, so this is also a finding --
# encryption has to be opted into explicitly.
resource "alicloud_launch_template" "templatepos2" {
  name        = "tf-test-template"
  description = "test1"

  # Instance identity and sizing
  image_id      = data.alicloud_images.images.images[0].id
  instance_type = data.alicloud_instances.instances.instances[0].instance_type
  instance_name = "tf-instance-name"
  host_name     = "tf-test-host"
  io_optimized  = "none"
  zone_id       = "beijing-a"

  # Billing
  instance_charge_type = "PrePaid"
  spot_strategy        = "SpotWithPriceLimit"
  spot_price_limit     = 5

  # Networking
  network_type               = "vpc"
  vpc_id                     = "vpc-asdfnbg0as8dfk1nb2"
  vswitch_id                 = "sw-ljkngaksdjfj0nnasdf"
  security_group_id          = "sg-zxcvj0lasdf102350asdf9a"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_in  = 5
  internet_max_bandwidth_out = 0

  # Access, identity and hardening (placeholder values in this fixture)
  key_pair_name                 = "test-key-pair"
  ram_role_name                 = "xxxxx"
  security_enhancement_strategy = "Active"
  userdata                      = "xxxxxxxxxxxxxx"
  resource_group_id             = "rg-zkdfjahg9zxncv0"

  # System disk -- note there is no `encrypted` argument anywhere in this block.
  system_disk_category    = "cloud_ssd"
  system_disk_name        = "hello"
  system_disk_description = "test disk"
  system_disk_size        = 40

  tags = {
    tag1 = "hello"
    tag2 = "world"
  }

  network_interfaces {
    name              = "eth0"
    description       = "hello1"
    primary_ip        = "10.0.0.2"
    security_group_id = "xxxx"
    vswitch_id        = "xxxxxxx"
  }

  # NOTE(review): the data disks carry no encryption setting of their own and
  # are not inspected by this query; their encryption must be checked separately.
  data_disks {
    name        = "disk1"
    description = "test1"
  }

  data_disks {
    name        = "disk2"
    description = "test2"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file (`encrypted = true` is set explicitly)
# Data sources used only to supply a valid image_id and instance_type to the
# template under test: system-owned images, and whatever instances already exist.
data "alicloud_images" "images" {
  owners = "system"
}

data "alicloud_instances" "instances" {}
# Negative (compliant) case: disk encryption is explicitly enabled on the
# template, so the query does not fire on this resource.
resource "alicloud_launch_template" "templateneg1" {
  name        = "tf-test-template"
  description = "test1"

  # Instance identity and sizing
  image_id      = data.alicloud_images.images.images[0].id
  instance_type = data.alicloud_instances.instances.instances[0].instance_type
  instance_name = "tf-instance-name"
  host_name     = "tf-test-host"
  io_optimized  = "none"
  zone_id       = "beijing-a"

  # Billing
  instance_charge_type = "PrePaid"
  spot_strategy        = "SpotWithPriceLimit"
  spot_price_limit     = 5

  # Networking
  network_type               = "vpc"
  vpc_id                     = "vpc-asdfnbg0as8dfk1nb2"
  vswitch_id                 = "sw-ljkngaksdjfj0nnasdf"
  security_group_id          = "sg-zxcvj0lasdf102350asdf9a"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_in  = 5
  internet_max_bandwidth_out = 0

  # Access, identity and hardening (placeholder values in this fixture)
  key_pair_name                 = "test-key-pair"
  ram_role_name                 = "xxxxx"
  security_enhancement_strategy = "Active"
  userdata                      = "xxxxxxxxxxxxxx"
  resource_group_id             = "rg-zkdfjahg9zxncv0"

  # System disk
  system_disk_category    = "cloud_ssd"
  system_disk_name        = "hello"
  system_disk_description = "test disk"
  system_disk_size        = 40

  # Disk encryption -- the setting that satisfies this query. At-rest encryption
  # only; it does not protect data read from a running, compromised instance.
  encrypted = true

  tags = {
    tag1 = "hello"
    tag2 = "world"
  }

  network_interfaces {
    name              = "eth0"
    description       = "hello1"
    primary_ip        = "10.0.0.2"
    security_group_id = "xxxx"
    vswitch_id        = "xxxxxxx"
  }

  # NOTE(review): the data disks still carry no encryption setting of their own
  # and are not inspected by this query, so "compliant" here means the template
  # flag only; data-disk encryption must be verified separately.
  data_disks {
    name        = "disk1"
    description = "test1"
  }

  data_disks {
    name        = "disk2"
    description = "test2"
  }
}