New Published Rules - frozen_solid.aws-opensearchserverless-is-public #3133

Open. Wants to merge 2 commits into base: develop.
97 changes: 97 additions & 0 deletions frozen_solid/aws-opensearchserverless-is-public.tf
@@ -0,0 +1,97 @@
resource "aws_opensearchserverless_security_policy" "example" {
name = "example"
type = "network"
description = "Mixed access for marketing and sales"
policy = jsonencode([
{
"Description" : "Marketing access",
"Rules" : [
{
"ResourceType" : "collection",
"Resource" : [
"collection/marketing*"
]
},
{
"ResourceType" : "dashboard",
"Resource" : [
"collection/marketing*"
]
}
],
"AllowFromPublic" : false,
"SourceVPCEs" : [
"vpce-050f79086ee71ac05"
]
},
# ruleid: aws-opensearchserverless-is-public
{
"Description" : "Sales access",
"Rules" : [
{
"ResourceType" : "collection",
"Resource" : [
"collection/finance"
]
}
],
"AllowFromPublic" : true
}
])
}

resource "aws_opensearchserverless_security_policy" "pass" {
name = "example"
type = "network"
description = "VPC access"
policy = jsonencode(
{
Description = "VPC access to collection and Dashboards endpoint for example collection",
Rules = [
{
ResourceType = "collection",
Resource = [
"collection/example-collection"
]
},
{
ResourceType = "dashboard"
Resource = [
"collection/example-collection"
]
}
],
# ok: aws-opensearchserverless-is-public
AllowFromPublic = false,
SourceVPCEs = [
"vpce-050f79086ee71ac05"
]
}
)
}

resource "aws_opensearchserverless_security_policy" "fail_2_heredoc" {
name = "fail_2_heredoc"
type = "network"
description = "public access"
# ruleid: aws-opensearchserverless-is-public
policy = <<POLICY
{
"Rules": [
{
"Resource": [
"collection/example-collection"
],
"ResourceType": "collection"
},
{
"Resource": [
"collection/example-collection"
],
"ResourceType": "dashboard"
}
],
"AllowFromPublic": true
}
POLICY
}
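Review bot: the `# ok: aws-opensearchserverless-is-public` annotation in the `pass` resource sits directly above `AllowFromPublic = false,`, but every branch of the rule matches the whole policy object, so a finding on that resource would be attributed to the opening `{` below `policy = jsonencode(`; move the `# ok:` comment to the line immediately before that brace so it marks the same location a `# ruleid:` does for the Sales object. Two smaller points in the same file: the `pass` resource reuses `name = "example"` from the first resource (`name = "pass"` would keep the name/label convention used by `fail_2_heredoc`), and the Sales rule grants access to `collection/finance` although its description and the policy description talk about sales. A negative heredoc case (`"AllowFromPublic": false` inside `<<POLICY`) would also cover the JSON `metavariable-pattern` branch, which currently only has a positive test.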
54 changes: 54 additions & 0 deletions frozen_solid/aws-opensearchserverless-is-public.yaml
@@ -0,0 +1,54 @@
rules:
- id: aws-opensearchserverless-is-public
patterns:
- pattern-inside: |
resource "aws_opensearchserverless_security_policy" $ANYTHING {
...
type = "network"
...
}
- pattern-either:
- patterns:
- pattern: policy = $JSONPOLICY
- metavariable-pattern:
metavariable: $JSONPOLICY
language: json
pattern: |
{..., "AllowFromPublic":true, ... }
- patterns:
- pattern-inside: policy = jsonencode(...)
- pattern: |
{..., AllowFromPublic = true, ...}
- patterns:
- pattern-inside: policy = jsonencode([...])
- pattern: |
{..., AllowFromPublic = true, ...}
- patterns:
- pattern-inside: policy = jsonencode([...])
- pattern: "{..., \"AllowFromPublic\" : true, ...} \n"
message: The opensearch serverless collection is accessible from the public internet
using a public VPC endpoint. To fix this, set your `AllowFromPublic` to `"false"`
and specify an internal VPC endpoint in `SourceVPCEs` .
Comment on lines +29 to +31
Suggested change
message: The opensearch serverless collection is accessible from the public internet
using a public VPC endpoint. To fix this, set your `AllowFromPublic` to `"false"`
and specify an internal VPC endpoint in `SourceVPCEs` .
message: >-
The opensearch serverless collection is accessible from the public internet
using a public VPC endpoint. To fix this, set your `AllowFromPublic` to `"false"`
and specify an internal VPC endpoint in `SourceVPCEs`.

The rule lints still seem unhappy with your message.

metadata:
category: security
0xDC0DE marked this conversation as resolved.
technology:
- terraform
- aws
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
cwe:
- 'CWE-284: Improper Access Control'
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy#network-security-policy
- https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
source_rule_url: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html
languages:
- hcl
severity: WARNING
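Review bot: the `message` misdescribes the finding: `AllowFromPublic: true` exposes the collection and Dashboards endpoints to the public internet directly, not "using a public VPC endpoint", and `AllowFromPublic` is a boolean, so the fix text should say set it to `false` (unquoted) rather than `"false"`; suggested wording: `The OpenSearch Serverless network policy sets AllowFromPublic to true, so the collection and dashboard endpoints are reachable from the public internet. Set AllowFromPublic to false and restrict access with SourceVPCEs.` On the patterns, the third `patterns` branch (`pattern-inside: policy = jsonencode([...])` with `{..., AllowFromPublic = true, ...}`) appears redundant with the second, since `jsonencode(...)` already matches a call whose single argument is a list; if it was kept to work around a matching gap, a comment saying so would help. The last branch writes its pattern as a double-quoted YAML string ending in ` \n`; use the same `pattern: |` block scalar as the other branches so the trailing whitespace and newline are not part of the pattern text.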