BOM - AWS Elasticache
- Query id: 54229498-850b-4f78-b3a7-218d24ef2c37
- Query name: BOM - AWS Elasticache
- Platform: Terraform
- Severity: Trace
- Category: Bill Of Materials
- CWE: 532
- URL: Github
Description¶
A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_elasticache_cluster" "positive1" {
cluster_id = "cluster-example"
engine = "memcached"
node_type = "cache.m4.large"
num_cache_nodes = 2
parameter_group_name = aws_elasticache_parameter_group.default_1
port = 11211
}
resource "aws_elasticache_parameter_group" "default_1" {
name = "cache-params"
family = "memcached1.4"
}
Positive test num. 2 - tf file
resource "aws_elasticache_cluster" "positive2" {
cluster_id = "cluster-example"
engine = "redis"
node_type = "cache.m4.large"
num_cache_nodes = 1
parameter_group_name = aws_elasticache_parameter_group.default_2
engine_version = "3.2.10"
port = 6379
}
resource "aws_elasticache_parameter_group" "default_2" {
name = "cache-params"
family = "redis3.2"
}
Positive test num. 3 - tf file
resource "aws_security_group" "sg1" {
name = "sg1"
description = "sg1"
ingress {
from_port = 0
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "sg2" {
name = "sg2"
description = "positive3"
ingress {
from_port = 0
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_elasticache_security_group" "positive3" {
name = "positive3"
security_group_names = [
aws_security_group.sg1.name,
aws_security_group.sg2.name,
]
}
resource "aws_elasticache_cluster" "positive3" {
cluster_id = "test-cache"
engine = "redis"
node_type = "cache.m4.large"
port = 6379
num_cache_nodes = 1
parameter_group_name = aws_elasticache_parameter_group.default.id
security_group_names = [aws_elasticache_security_group.positive3.name]
}
Positive test num. 4 - tf file
resource "aws_security_group" "sg11" {
name = "sg1"
description = "sg11"
ingress {
from_port = 0
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.2.0/0"]
}
}
resource "aws_security_group" "sg22" {
name = "sg22"
description = "positive3"
ingress {
from_port = 0
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.2.0/0"]
}
}
resource "aws_elasticache_security_group" "positive4" {
name = "positive4"
security_group_names = [
aws_security_group.sg11.name,
aws_security_group.sg22.name,
]
}
resource "aws_elasticache_cluster" "positive4" {
cluster_id = "test-cache"
engine = "redis"
node_type = "cache.m4.large"
port = 6379
num_cache_nodes = 1
parameter_group_name = aws_elasticache_parameter_group.default.id
security_group_names = [aws_elasticache_security_group.positive4.name]
}
Positive test num. 5 - tf file
resource "aws_security_group" "sgg" {
name = "sgg"
description = "sgg"
ingress {
from_port = 0
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.2.0/0"]
}
}
resource "aws_elasticache_cluster" "positive5" {
cluster_id = "test-cache"
engine = "redis"
node_type = "cache.m4.large"
port = 6379
num_cache_nodes = 1
parameter_group_name = aws_elasticache_parameter_group.default.id
security_group_names = [aws_security_group.sgg.name]
}
Positive test num. 6 - tf file
resource "aws_security_group" "sg6" {
name = "sg6"
description = "sg6"
ingress {
from_port = 0
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_elasticache_cluster" "positive6" {
cluster_id = "test-cache"
engine = "redis"
node_type = "cache.m4.large"
port = 6379
num_cache_nodes = 1
parameter_group_name = aws_elasticache_parameter_group.default.id
security_group_ids = [aws_security_group.sg6.id]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
module "redis" {
source = "cloudposse/elasticache-redis/aws"
version = "0.40.1"
availability_zones = var.availability_zones
namespace = var.namespace
stage = var.stage
name = var.name
zone_id = var.zone_id
vpc_id = module.vpc.vpc_id
subnets = module.subnets.private_subnet_ids
cluster_size = var.cluster_size
instance_type = var.instance_type
apply_immediately = true
automatic_failover_enabled = false
engine_version = var.engine_version
family = var.family
at_rest_encryption_enabled = var.at_rest_encryption_enabled
transit_encryption_enabled = var.transit_encryption_enabled
security_group_rules = [
{
type = "egress"
from_port = 0
to_port = 65535
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
source_security_group_id = null
description = "Allow all outbound traffic"
},
{
type = "ingress"
from_port = 0
to_port = 65535
protocol = "-1"
cidr_blocks = []
source_security_group_id = module.vpc.vpc_default_security_group_id
description = "Allow all inbound traffic from trusted Security Groups"
},
]
parameter = [
{
name = "notify-keyspace-events"
value = "lK"
}
]
}