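package cloudfront

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudfront"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckUseSecureTlsPolicy reports every CloudFront distribution whose viewer
// certificate MinimumProtocolVersion is not cloudfront.ProtocolVersionTLS1_2,
// and records a pass for each distribution that matches it.
//
// The comparison is exact equality, so a distribution pinned to any other
// policy name — including other TLS 1.2-era policies AWS offers, such as
// TLSv1.2_2018 or TLSv1.2_2019 — is also reported. Whether that is intended
// depends on what ProtocolVersionTLS1_2 resolves to (the Explanation below
// suggests "TLSv1.2_2021"); confirm against the provider package before
// relying on this rule to distinguish TLS 1.2 variants.
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0013",
		Provider:    providers.AWSProvider,
		Service:     "cloudfront",
		ShortCode:   "use-secure-tls-policy",
		Summary:     "CloudFront distribution uses outdated SSL/TLS protocols.",
		Impact:      "Outdated SSL policies increase exposure to known vulnerabilities",
		Resolution:  "Use the most modern TLS/SSL policies available",
		Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. 

Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
The only option when using the cloudfront.net domain name is to ignore this rule.`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationUseSecureTlsPolicyGoodExamples,
			BadExamples:         cloudFormationUseSecureTlsPolicyBadExamples,
			Links:               cloudFormationUseSecureTlsPolicyLinks,
			RemediationMarkdown: cloudFormationUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, dist := range s.AWS.Cloudfront.Distributions {
			// The finding is an outdated protocol floor, not cleartext: a
			// distribution on TLSv1 still encrypts, so the message must not
			// claim "unencrypted" as the previous wording did.
			if dist.ViewerCertificate.MinimumProtocolVersion.NotEqualTo(cloudfront.ProtocolVersionTLS1_2) {
				results.Add(
					"Distribution uses an outdated minimum TLS protocol version.",
					dist.ViewerCertificate.MinimumProtocolVersion,
				)
				continue
			}
			results.AddPassed(&dist)
		}
		return results
	},
)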