Kinesis SSE Not Configured
- Query id: 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3
- Query name: Kinesis SSE Not Configured
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
Description¶
AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_kinesis_firehose_delivery_stream" "positive1" {
name = "${aws_s3_bucket.logs.bucket}-firehose"
destination = "extended_s3"
kinesis_source_configuration {
kinesis_stream_arn = aws_kinesis_stream.cloudwatch-logs.arn
role_arn = aws_iam_role.firehose_role.arn
}
}
resource "aws_kinesis_firehose_delivery_stream" "positive2" {
name = "${aws_s3_bucket.logs.bucket}-firehose"
destination = "extended_s3"
}
resource "aws_kinesis_firehose_delivery_stream" "positive3" {
name = "${aws_s3_bucket.logs.bucket}-firehose"
destination = "extended_s3"
server_side_encryption {
enabled = false
}
}
resource "aws_kinesis_firehose_delivery_stream" "positive4" {
name = "${aws_s3_bucket.logs.bucket}-firehose"
destination = "extended_s3"
server_side_encryption {
enabled = true
key_type = "AWS_OWN"
}
}
resource "aws_kinesis_firehose_delivery_stream" "positive5" {
name = "${aws_s3_bucket.logs.bucket}-firehose"
destination = "extended_s3"
server_side_encryption {
enabled = true
key_type = "CUSTOMER_MANAGED_CMK"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_kinesis_firehose_delivery_stream" "negative1" {
name = "${aws_s3_bucket.logs.bucket}-firehose"
destination = "extended_s3"
server_side_encryption {
enabled = true
key_type = "CUSTOMER_MANAGED_CMK"
key_arn = "qwewewre"
}
}
resource "aws_kinesis_firehose_delivery_stream" "negative2" {
name = "${aws_s3_bucket.logs.bucket}-firehose"
destination = "extended_s3"
server_side_encryption {
enabled = true
key_type = "AWS_OWNED_CMK"
}
}