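package ec2

import (
	"fmt"

	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/owenrumney/squealer/pkg/squealer"
)

// CheckNoSensitiveInfo flags EC2 launch configurations whose user data
// contains secret-looking material according to the squealer string scanner.
// Credentials placed in user data can be leaked (see Impact below), so the
// rule reports High severity and does not attempt to distinguish between
// kinds of secrets.
var CheckNoSensitiveInfo = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0122",
		Aliases:   []string{"aws-autoscaling-no-sensitive-info"},
		Provider:  providers.AWSProvider,
		Service:   "ec2",
		ShortCode: "no-sensitive-info",
		// The previous summary described EBS encryption, which this rule does
		// not check at all; it now states the check that is actually performed.
		Summary:     "Ensure launch configuration user data does not contain sensitive information",
		Impact:      "Sensitive credentials in user data can be leaked",
		Resolution:  "Don't use sensitive data in user data",
		Explanation: `When creating Launch Configurations, user data can be used for the initial configuration of the instance. User data must not contain any sensitive data.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoSensitiveInfoGoodExamples,
			BadExamples:         terraformNoSensitiveInfoBadExamples,
			Links:               terraformNoSensitiveInfoLinks,
			RemediationMarkdown: terraformNoSensitiveInfoRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// The check scans every launch configuration's user data string and adds
	// one failed result per configuration with a transgression, otherwise a
	// passed result. Empty or unresolved user data scans clean and passes.
	func(s *state.State) (results scan.Results) {
		// A single scanner is reused for all launch configurations.
		scanner := squealer.NewStringScanner()
		launchConfigs := s.AWS.EC2.LaunchConfigurations
		for i := range launchConfigs {
			// Index into the slice instead of taking the address of the range
			// variable: on Go before 1.22 that variable is shared across
			// iterations, so any retained pointer would alias the last element.
			launchConfig := &launchConfigs[i]

			// NOTE(review): the raw Value() is scanned as-is. If the adapter
			// leaves base64-encoded user data (e.g. Terraform user_data_base64)
			// undecoded, secrets inside it will not be detected — confirm upstream.
			result := scanner.Scan(launchConfig.UserData.Value())
			if !result.TransgressionFound {
				results.AddPassed(launchConfig)
				continue
			}

			// Only squealer's description is reported, on the assumption that it
			// names the matched pattern rather than the matched value; if it
			// ever included the value, the finding itself would leak the secret
			// — confirm against the squealer version in use.
			results.Add(
				fmt.Sprintf("Sensitive data found in user data: %s", result.Description),
				launchConfig.UserData,
			)
		}
		return
	},
)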