CodeGuru
Detector Library
Terraform detectors (58/58)
Unsecured encryption of SageMaker data at restDisabled AWS Glue security encryptionRestrict IAM asterisk actionDisabled AWS RDS EncryptionExposed secrets in EC2 user dataDisabled block public aclsDisabled Glue Data Catalog encryptionS3 bucket restrict public bucket not truenonhttps viewer protocol policyRestrict log4j2 message lookupRestrict overly permissive VPC peering routesRestrict overly permissive access by AWS EKS to all trafficSecure AWS Database Migration Service endpointsDisabled logging for aws document dbUnencrypted code build projectSns Topic Uses CMKEnabled RDS public accessUnsecure encryption of DAX at restPublic READ bucket ACLdisabled detailed monitoring for EC2Disabled iam authenticationUnecrypted AWS Redshift using CMKImplicit SSH for AWS EKS node groupRestrict IAM asterisk actionDisabled encryption on Aurora at restRestrict assumed IAM role accessRestrict AWS IAM policy with full administrative privilegesRestrict actions with any Principal for S3 bucketsDisabled ALB drops HTTP headersRestrict IAM policies with full 'asterisk-asterisk' administrative privilegesDisabled athena database encryptionUse AWS certificate manager SSL certificate with Elastic Load BalancerUnencrypted backup vaultAvoid hardcoded AWS access keys and secrets credentialsRestrict IAM password reuseDisabled document db encryptionConfigure TLS 1.2 in AWS Load balancerMisconfigured data encryption at rest for AWS SageMaker instanceDisabled AWS S3 object versioningConfigure HTTPS for CloudFront distribution ViewerProtocolPolicyUnsecured Encryption in transit for EFS volumesUnencrypted EBS VolumesExposed secrets in Lambda function environment variablesRDS postgresql file read vulnerabilityUndefined lambda function urls authtypeAssociate AWS Glue component with a security componentRestrict public access on DMS replication instanceS3 bucket ignore public acls not trueDynamoDB Table Autoscaling EnabledRestrict Neptune cluster instance public accessRestrict the use of asterisk actions for SQS policy documentsDisabled Neptune loggingnonhttps load balancer terraformUnencryted Codebuild projectsUnencrypted Secrets Manager using CMKAWS S3 public WRITE permissionRestrict public IP association on EC2 instanceDisabled DynamoDB Point-In-Time Recovery
Unencrypted EBS Volumes High
Instances and Launch configurations with unencrypted EBS volumes is detected. Ensure that encryption should be implemented to enhance security of data stored in the launch configuration EBS.
Detector ID
terraform/unencrypted-ebs-volumes-terraform@v1.0
Category
Common Weakness Enumeration (CWE) 
Tags
Noncompliant example
1resource "aws_launch_configuration" "demo" {
2 associate_public_ip_address = true
3 iam_instance_profile = aws_iam_instance_profile.demo-node.name
4 image_id = data.aws_ami.eks-worker.id
5 instance_type = "t2.large"
6 name_prefix = "terraform-eks-demo"
7 security_groups = [aws_security_group.demo-node.id]
8 user_data_base64 = base64encode(local.demo-node-userdata)
9 metadata_options {
10 http_endpoint = "enabled"
11 http_tokens = "required"
12 }
13 # Noncompliant: All data stored in the Launch configuration or instance Elastic Blocks Store is not encrypted.
14 lifecycle {
15 create_before_destroy = true
16 }
17}
Compliant example
1resource "aws_launch_configuration" "demo" {
2 associate_public_ip_address = true
3 iam_instance_profile = aws_iam_instance_profile.demo-node.name
4 image_id = data.aws_ami.eks-worker.id
5 instance_type = "t2.large"
6 name_prefix = "terraform-eks-demo"
7 security_groups = [aws_security_group.demo-node.id]
8 user_data_base64 = base64encode(local.demo-node-userdata)
9 metadata_options {
10 http_endpoint = "enabled"
11 http_tokens = "required"
12 }
13 # Compliant: All data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted.
14 root_block_device {
15 encrypted = true
16 }
17 lifecycle {
18 create_before_destroy = true
19 }
20}