BOM - AWS Elasticache

  • Query id: 54229498-850b-4f78-b3a7-218d24ef2c37
  • Query name: BOM - AWS Elasticache
  • Platform: Terraform
  • Severity: Trace
  • Category: Bill Of Materials
  • CWE: 532
  • URL: Github

Description

A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_elasticache_cluster" "positive1" {
  cluster_id           = "cluster-example"
  engine               = "memcached"
  node_type            = "cache.m4.large"
  num_cache_nodes      = 2
  parameter_group_name = aws_elasticache_parameter_group.default_1
  port                 = 11211
}

resource "aws_elasticache_parameter_group" "default_1" {
  name   = "cache-params"
  family = "memcached1.4"
}
Positive test num. 2 - tf file
resource "aws_elasticache_cluster" "positive2" {
  cluster_id           = "cluster-example"
  engine               = "redis"
  node_type            = "cache.m4.large"
  num_cache_nodes      = 1
  parameter_group_name = aws_elasticache_parameter_group.default_2
  engine_version       = "3.2.10"
  port                 = 6379
}

resource "aws_elasticache_parameter_group" "default_2" {
  name   = "cache-params"
  family = "redis3.2"
}
Positive test num. 3 - tf file
resource "aws_security_group" "sg1" {
    name = "sg1"
    description = "sg1"

    ingress {
        from_port = 0
        to_port = 22
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
}

resource "aws_security_group" "sg2" {
    name = "sg2"
    description = "positive3"

    ingress {
        from_port = 0
        to_port = 80
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
}

resource "aws_elasticache_security_group" "positive3" {
    name =  "positive3"
    security_group_names = [
        aws_security_group.sg1.name,
        aws_security_group.sg2.name,
    ]
}

resource "aws_elasticache_cluster" "positive3" {
    cluster_id = "test-cache"
    engine = "redis"
    node_type = "cache.m4.large"
    port = 6379
    num_cache_nodes = 1
    parameter_group_name = aws_elasticache_parameter_group.default.id
    security_group_names = [aws_elasticache_security_group.positive3.name]
}

Positive test num. 4 - tf file
resource "aws_security_group" "sg11" {
    name = "sg1"
    description = "sg11"

    ingress {
        from_port = 0
        to_port = 22
        protocol = "tcp"
        cidr_blocks = ["0.0.2.0/0"]
    }
}

resource "aws_security_group" "sg22" {
    name = "sg22"
    description = "positive3"

    ingress {
        from_port = 0
        to_port = 80
        protocol = "tcp"
        cidr_blocks = ["0.0.2.0/0"]
    }
}

resource "aws_elasticache_security_group" "positive4" {
    name =  "positive4"
    security_group_names = [
        aws_security_group.sg11.name,
        aws_security_group.sg22.name,
    ]
}

resource "aws_elasticache_cluster" "positive4" {
    cluster_id = "test-cache"
    engine = "redis"
    node_type = "cache.m4.large"
    port = 6379
    num_cache_nodes = 1
    parameter_group_name = aws_elasticache_parameter_group.default.id
    security_group_names = [aws_elasticache_security_group.positive4.name]
}
Positive test num. 5 - tf file
resource "aws_security_group" "sgg" {
    name = "sgg"
    description = "sgg"

    ingress {
        from_port = 0
        to_port = 22
        protocol = "tcp"
        cidr_blocks = ["0.0.2.0/0"]
    }
}

resource "aws_elasticache_cluster" "positive5" {
    cluster_id = "test-cache"
    engine = "redis"
    node_type = "cache.m4.large"
    port = 6379
    num_cache_nodes = 1
    parameter_group_name = aws_elasticache_parameter_group.default.id
    security_group_names = [aws_security_group.sgg.name]
}
Positive test num. 6 - tf file
resource "aws_security_group" "sg6" {
    name = "sg6"
    description = "sg6"

    ingress {
        from_port = 0
        to_port = 22
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
}

resource "aws_elasticache_cluster" "positive6" {
    cluster_id = "test-cache"
    engine = "redis"
    node_type = "cache.m4.large"
    port = 6379
    num_cache_nodes = 1
    parameter_group_name = aws_elasticache_parameter_group.default.id
     security_group_ids = [aws_security_group.sg6.id]
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
module "redis" {
  source = "cloudposse/elasticache-redis/aws"
  version = "0.40.1"

  availability_zones         = var.availability_zones
  namespace                  = var.namespace
  stage                      = var.stage
  name                       = var.name
  zone_id                    = var.zone_id
  vpc_id                     = module.vpc.vpc_id
  subnets                    = module.subnets.private_subnet_ids
  cluster_size               = var.cluster_size
  instance_type              = var.instance_type
  apply_immediately          = true
  automatic_failover_enabled = false
  engine_version             = var.engine_version
  family                     = var.family
  at_rest_encryption_enabled = var.at_rest_encryption_enabled
  transit_encryption_enabled = var.transit_encryption_enabled

  security_group_rules = [
    {
      type                     = "egress"
      from_port                = 0
      to_port                  = 65535
      protocol                 = "-1"
      cidr_blocks              = ["0.0.0.0/0"]
      source_security_group_id = null
      description              = "Allow all outbound traffic"
    },
    {
      type                     = "ingress"
      from_port                = 0
      to_port                  = 65535
      protocol                 = "-1"
      cidr_blocks              = []
      source_security_group_id = module.vpc.vpc_default_security_group_id
      description              = "Allow all inbound traffic from trusted Security Groups"
    },
  ]

  parameter = [
    {
      name  = "notify-keyspace-events"
      value = "lK"
    }
  ]
}