
     1  package elb
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
// outdatedSSLPolicies lists the AWS-predefined ELB security policy names that
// this rule treats as insecure. The check below compares a listener's
// TLSPolicy against each entry with EqualTo (presumably an exact string
// comparison), so entries must match the AWS policy name byte-for-byte; a
// listener whose policy is not in this list — including a misspelt or
// unknown name — is reported as passing.
//
// NOTE(review): judging by the names, the entries cover the pre-2016 defaults,
// the TLS 1.0 / 1.1 floors, the "FS" policies that still admit TLS 1.1, and
// the TLS 1.3 "Ext" variants. Policies that are TLS 1.2-only are deliberately
// absent. Keep this in step with AWS's published policy table when new
// policies are introduced.
var outdatedSSLPolicies = []string{
	"ELBSecurityPolicy-2015-05",
	"ELBSecurityPolicy-2016-08",
	"ELBSecurityPolicy-FS-2018-06",
	"ELBSecurityPolicy-FS-1-1-2019-08",
	"ELBSecurityPolicy-TLS-1-0-2015-04",
	"ELBSecurityPolicy-TLS-1-1-2017-01",
	"ELBSecurityPolicy-TLS13-1-0-2021-06",
	"ELBSecurityPolicy-TLS13-1-1-2021-06",
	"ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
	"ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
}
    23  
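// CheckUseSecureTlsPolicy (AVD-AWS-0047) flags every ELB listener whose
// TLSPolicy is one of the names in outdatedSSLPolicies.
//
// Each listener yields exactly one result: a failure carrying the offending
// TLSPolicy value when it matches an entry in the list, otherwise a pass.
// The previous implementation added a result per list entry, so an outdated
// listener was reported as failed once and passed nine times, and a clean
// listener was counted as passing ten times; that inflated pass counts and
// made the failure easy to lose among the passes in aggregated output.
//
// Listeners with no TLS policy set (plain HTTP listeners, presumably) do not
// match any entry and therefore pass — the rule only judges the policy name,
// it does not require TLS to be present.
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0047",
		Provider:    providers.AWSProvider,
		Service:     "elb",
		ShortCode:   "use-secure-tls-policy",
		Summary:     "An outdated SSL policy is in use by a load balancer.",
		Impact:      "The SSL policy is outdated and has known vulnerabilities",
		Resolution:  "Use a more recent TLS/SSL policy for the load balancer",
		Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, lb := range s.AWS.ELB.LoadBalancers {
			for _, listener := range lb.Listeners {
				// Fresh copy per iteration so the &listener passed to
				// AddPassed is not the shared loop variable on Go < 1.22.
				// A no-op on Go 1.22+, where each iteration already gets
				// its own variable.
				listener := listener

				// Decide once per listener: any match in the list is enough.
				outdated := false
				for _, policy := range outdatedSSLPolicies {
					if listener.TLSPolicy.EqualTo(policy) {
						outdated = true
						break
					}
				}

				if outdated {
					results.Add(
						"Listener uses an outdated TLS policy.",
						listener.TLSPolicy,
					)
					continue
				}
				results.AddPassed(&listener)
			}
		}
		return
	},
)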