diff --git a/docs/queries/cloudformation-queries/aws/c1282e03-b285-4637-aee7-eefe3a7bb658.md b/docs/queries/cloudformation-queries/aws/c1282e03-b285-4637-aee7-eefe3a7bb658.md index abd8878bd5c..07ffca959d4 100644 --- a/docs/queries/cloudformation-queries/aws/c1282e03-b285-4637-aee7-eefe3a7bb658.md +++ b/docs/queries/cloudformation-queries/aws/c1282e03-b285-4637-aee7-eefe3a7bb658.md @@ -74,7 +74,293 @@ Amazon EFS volume does not have encryption for data at transit enabled. To preve } } ``` -```json title="Positive test num. 2 - json file" hl_lines="31" +```yaml title="Positive test num. 2 - yaml file" hl_lines="26" +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container-using-efs" + Image: "amazonlinux:2" + EntryPoint: + - "sh" + - "-c" + Command: + - "ls -la /mount/efs" + MountPoints: + - + SourceVolume: "myEfsVolume" + ContainerPath: "/mount/efs" + ReadOnly: true + Volumes: + - + Name: "myEfsVolume" + EFSVolumeConfiguration: + FileSystemId: "fs-1234" + RootDirectory: "/path/to/my/data" + TransitEncryptionPort: 10 + TransitEncryption: DISABLED + + +``` +```json title="Positive test num. 3 - json file" hl_lines="35 27" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Multiple volumes missing TransitEncryption", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": "container1", + "Image": "amazonlinux:2", + "MountPoints": [ + { + "SourceVolume": "efs-vol-1", + "ContainerPath": "/mount/efs1" + }, + { + "SourceVolume": "efs-vol-2", + "ContainerPath": "/mount/efs2" + } + ] + } + ], + "Volumes": [ + { + "Name": "efs-vol-1", + "EFSVolumeConfiguration": { + "FileSystemId": "fs-1234", + "RootDirectory": "/path/to/data1", + "TransitEncryptionPort": 2999 + } + }, + { + "Name": "efs-vol-2", + "EFSVolumeConfiguration": { + "FileSystemId": "fs-5678", + "RootDirectory": "/path/to/data2", + "TransitEncryptionPort": 2999 + } + } + ] + } + } + } +} + + +``` +
Positive test num. 4 - yaml file + +```yaml hl_lines="25 19" +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container1" + Image: "amazonlinux:2" + MountPoints: + - + SourceVolume: "efs-vol-1" + ContainerPath: "/mount/efs1" + - + SourceVolume: "efs-vol-2" + ContainerPath: "/mount/efs2" + Volumes: + - + Name: "efs-vol-1" + EFSVolumeConfiguration: + FileSystemId: "fs-1234" + RootDirectory: "/path/to/data1" + TransitEncryptionPort: 2999 + - + Name: "efs-vol-2" + EFSVolumeConfiguration: + FileSystemId: "fs-5678" + RootDirectory: "/path/to/data2" + TransitEncryptionPort: 2999 + + +``` +
+
Positive test num. 5 - json file + +```json hl_lines="32 26" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Multiple volumes missing EFSVolumeConfiguration", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": "container1", + "Image": "amazonlinux:2", + "MountPoints": [ + { + "SourceVolume": "docker-vol-1", + "ContainerPath": "/mount/docker1" + }, + { + "SourceVolume": "docker-vol-2", + "ContainerPath": "/mount/docker2" + } + ] + } + ], + "Volumes": [ + { + "Name": "docker-vol-1", + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir1/" + } + }, + { + "Name": "docker-vol-2", + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir2/" + } + } + ] + } + } + } +} + + +``` +
+
Positive test num. 6 - yaml file + +```yaml hl_lines="18 22" +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container1" + Image: "amazonlinux:2" + MountPoints: + - + SourceVolume: "docker-vol-1" + ContainerPath: "/mount/docker1" + - + SourceVolume: "docker-vol-2" + ContainerPath: "/mount/docker2" + Volumes: + - + Name: "docker-vol-1" + Host: + SourcePath: "/var/lib/docker/vfs/dir1/" + - + Name: "docker-vol-2" + Host: + SourcePath: "/var/lib/docker/vfs/dir2/" + + +``` +
+
Positive test num. 7 - json file + +```json hl_lines="39" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Mixed scenario - one good volume, one bad volume", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": "container1", + "Image": "amazonlinux:2", + "MountPoints": [ + { + "SourceVolume": "efs-vol-good", + "ContainerPath": "/mount/efs1" + }, + { + "SourceVolume": "efs-vol-bad", + "ContainerPath": "/mount/efs2" + } + ] + } + ], + "Volumes": [ + { + "Name": "efs-vol-good", + "EFSVolumeConfiguration": { + "FileSystemId": "fs-1234", + "RootDirectory": "/path/to/data1", + "TransitEncryption": "ENABLED", + "TransitEncryptionPort": 2999 + } + }, + { + "Name": "efs-vol-bad", + "EFSVolumeConfiguration": { + "FileSystemId": "fs-5678", + "RootDirectory": "/path/to/data2", + "TransitEncryption": "DISABLED", + "TransitEncryptionPort": 2999 + } + } + ] + } + } + } +} + + +``` +
+
Positive test num. 8 - yaml file + +```yaml hl_lines="29" +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container1" + Image: "amazonlinux:2" + MountPoints: + - + SourceVolume: "efs-vol-good" + ContainerPath: "/mount/efs1" + - + SourceVolume: "efs-vol-bad" + ContainerPath: "/mount/efs2" + Volumes: + - + Name: "efs-vol-good" + EFSVolumeConfiguration: + FileSystemId: "fs-1234" + RootDirectory: "/path/to/data1" + TransitEncryption: ENABLED + TransitEncryptionPort: 2999 + - + Name: "efs-vol-bad" + EFSVolumeConfiguration: + FileSystemId: "fs-5678" + RootDirectory: "/path/to/data2" + TransitEncryption: DISABLED + TransitEncryptionPort: 2999 + + +``` +
+
Positive test num. 9 - json file + +```json hl_lines="31" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", @@ -117,7 +403,42 @@ Amazon EFS volume does not have encryption for data at transit enabled. To preve } } ``` -```json title="Positive test num. 3 - json file" hl_lines="30" +
+
Positive test num. 10 - yaml file + +```yaml hl_lines="22" +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container-using-efs" + Image: "amazonlinux:2" + EntryPoint: + - "sh" + - "-c" + Command: + - "ls -la /mount/efs" + MountPoints: + - + SourceVolume: "myEfsVolume" + ContainerPath: "/mount/efs" + ReadOnly: true + Volumes: + - + Name: "myEfsVolume" + EFSVolumeConfiguration: + FileSystemId: "fs-1234" + RootDirectory: "/path/to/my/data" + TransitEncryptionPort: 10 + + +``` +
+
Positive test num. 11 - json file + +```json hl_lines="30" { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", @@ -155,7 +476,36 @@ Amazon EFS volume does not have encryption for data at transit enabled. To preve } } ``` -
Positive test num. 4 - json file +
+
Positive test num. 12 - yaml file + +```yaml hl_lines="21" +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container-using-efs" + Image: "amazonlinux:2" + EntryPoint: + - "sh" + - "-c" + Command: + - "ls -la /mount/efs" + MountPoints: + - + SourceVolume: "myEfsVolume" + ContainerPath: "/mount/efs" + ReadOnly: true + Volumes: + - + Name: "myEfsVolume" + + +``` +
+
Positive test num. 13 - json file ```json hl_lines="7" { @@ -191,7 +541,91 @@ Amazon EFS volume does not have encryption for data at transit enabled. To preve } ```
-
Positive test num. 5 - yaml file +
Positive test num. 14 - yaml file + +```yaml hl_lines="4" +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container-using-efs" + Image: "amazonlinux:2" + EntryPoint: + - "sh" + - "-c" + Command: + - "ls -la /mount/efs" + MountPoints: + - + SourceVolume: "myEfsVolume" + ContainerPath: "/mount/efs" + ReadOnly: true + +``` +
+
Positive test num. 15 - json file + +```json hl_lines="45" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Single volume with Host and EFSVolumeConfiguration DISABLED", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": { + "Ref": "AppName" + }, + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "EntryPoint": [ + "sh", + "-c" + ], + "Image": "busybox", + "Cpu": 256, + "Memory": 512, + "Command": [ + "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": { + "Ref": "AppName" + } + } + ] + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "EFSVolumeConfiguration": { + "TransitEncryption": "DISABLED" + }, + "Name": "my-vol" + } + ] + } + } + } +} + + +``` +
+
Positive test num. 16 - yaml file ```yaml hl_lines="35" Resources: @@ -233,9 +667,67 @@ Resources: ```
-
Positive test num. 6 - yaml file +
Positive test num. 17 - json file + +```json hl_lines="41" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Single volume with empty/null EFSVolumeConfiguration", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": { + "Ref": "AppName" + }, + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "EntryPoint": [ + "sh", + "-c" + ], + "Image": "busybox", + "Cpu": 256, + "Memory": 512, + "Command": [ + "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": { + "Ref": "AppName" + } + } + ] + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "EFSVolumeConfiguration": null, + "Name": "my-vol" + } + ] + } + } + } +} + -```yaml hl_lines="34" +``` +
+
Positive test num. 18 - yaml file + +```yaml hl_lines="32" Resources: taskdefinition: Type: AWS::ECS::TaskDefinition @@ -274,7 +766,64 @@ Resources: ```
-
Positive test num. 7 - yaml file +
Positive test num. 19 - json file + +```json hl_lines="41" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Single volume missing EFSVolumeConfiguration", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": { + "Ref": "AppName" + }, + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "EntryPoint": [ + "sh", + "-c" + ], + "Image": "busybox", + "Cpu": 256, + "Memory": 512, + "Command": [ + "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": { + "Ref": "AppName" + } + } + ] + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + } + } +} + + +``` +
+
Positive test num. 20 - yaml file ```yaml hl_lines="32" Resources: @@ -314,7 +863,56 @@ Resources: ```
-
Positive test num. 8 - yaml file +
Positive test num. 21 - json file + +```json hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Missing Volumes property", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": { + "Ref": "AppName" + }, + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "EntryPoint": [ + "sh", + "-c" + ], + "Image": "busybox", + "Cpu": 256, + "Memory": 512, + "Command": [ + "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": { + "Ref": "AppName" + } + } + ] + } + ] + } + } + } +} + + +``` +
+
Positive test num. 22 - yaml file ```yaml hl_lines="4" Resources: @@ -347,6 +945,97 @@ Resources: SourceContainer: Ref: "AppName" +``` +
+
Positive test num. 23 - json file + +```json hl_lines="30 39" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Multiple volumes with TransitEncryption DISABLED", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": "container1", + "Image": "amazonlinux:2", + "MountPoints": [ + { + "SourceVolume": "efs-vol-1", + "ContainerPath": "/mount/efs1" + }, + { + "SourceVolume": "efs-vol-2", + "ContainerPath": "/mount/efs2" + } + ] + } + ], + "Volumes": [ + { + "Name": "efs-vol-1", + "EFSVolumeConfiguration": { + "FileSystemId": "fs-1234", + "RootDirectory": "/path/to/data1", + "TransitEncryption": "DISABLED", + "TransitEncryptionPort": 2999 + } + }, + { + "Name": "efs-vol-2", + "EFSVolumeConfiguration": { + "FileSystemId": "fs-5678", + "RootDirectory": "/path/to/data2", + "TransitEncryption": "DISABLED", + "TransitEncryptionPort": 2999 + } + } + ] + } + } + } +} + + +``` +
+
Positive test num. 24 - yaml file + +```yaml hl_lines="29 22" +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container1" + Image: "amazonlinux:2" + MountPoints: + - + SourceVolume: "efs-vol-1" + ContainerPath: "/mount/efs1" + - + SourceVolume: "efs-vol-2" + ContainerPath: "/mount/efs2" + Volumes: + - + Name: "efs-vol-1" + EFSVolumeConfiguration: + FileSystemId: "fs-1234" + RootDirectory: "/path/to/data1" + TransitEncryption: DISABLED + TransitEncryptionPort: 2999 + - + Name: "efs-vol-2" + EFSVolumeConfiguration: + FileSystemId: "fs-5678" + RootDirectory: "/path/to/data2" + TransitEncryption: DISABLED + TransitEncryptionPort: 2999 + + ```
@@ -435,4 +1124,92 @@ Resources: Name: "my-vol" ``` +```json title="Negative test num. 3 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Multiple volumes properly configured with TransitEncryption ENABLED", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Name": "container1", + "Image": "amazonlinux:2", + "MountPoints": [ + { + "SourceVolume": "efs-vol-1", + "ContainerPath": "/mount/efs1" + }, + { + "SourceVolume": "efs-vol-2", + "ContainerPath": "/mount/efs2" + } + ] + } + ], + "Volumes": [ + { + "Name": "efs-vol-1", + "EFSVolumeConfiguration": { + "FileSystemId": "fs-1234", + "RootDirectory": "/path/to/data1", + "TransitEncryption": "ENABLED", + "TransitEncryptionPort": 2999 + } + }, + { + "Name": "efs-vol-2", + "EFSVolumeConfiguration": { + "FileSystemId": "fs-5678", + "RootDirectory": "/path/to/data2", + "TransitEncryption": "ENABLED", + "TransitEncryptionPort": 2999 + } + } + ] + } + } + } +} + + +``` +
Negative test num. 4 - yaml file + +```yaml +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - + Name: "container1" + Image: "amazonlinux:2" + MountPoints: + - + SourceVolume: "efs-vol-1" + ContainerPath: "/mount/efs1" + - + SourceVolume: "efs-vol-2" + ContainerPath: "/mount/efs2" + Volumes: + - + Name: "efs-vol-1" + EFSVolumeConfiguration: + FileSystemId: "fs-1234" + RootDirectory: "/path/to/data1" + TransitEncryption: ENABLED + TransitEncryptionPort: 2999 + - + Name: "efs-vol-2" + EFSVolumeConfiguration: + FileSystemId: "fs-5678" + RootDirectory: "/path/to/data2" + TransitEncryption: ENABLED + TransitEncryptionPort: 2999 + + +``` +
diff --git a/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md b/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md index f608c6b0615..3b906263500 100644 --- a/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md +++ b/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md @@ -84,6 +84,146 @@ resource "aws_ecs_task_definition" "service_2" { } ``` +
Positive test num. 4 - tf file + +```tf hl_lines="26 11" +resource "aws_ecs_task_definition" "service_4" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "service-storage-1" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs1.id + root_directory = "/opt/data1" + transit_encryption = "DISABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test1.id + iam = "ENABLED" + } + } + } + + volume { + name = "service-storage-2" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs2.id + root_directory = "/opt/data2" + transit_encryption = "DISABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test2.id + iam = "ENABLED" + } + } + } +} + + +``` +
+
Positive test num. 5 - tf file + +```tf hl_lines="8 22" +resource "aws_ecs_task_definition" "service_5" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "service-storage-1" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs1.id + root_directory = "/opt/data1" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test1.id + iam = "ENABLED" + } + } + } + + volume { + name = "service-storage-2" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs2.id + root_directory = "/opt/data2" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test2.id + iam = "ENABLED" + } + } + } +} + + +``` +
+
Positive test num. 6 - tf file + +```tf hl_lines="9 5" +resource "aws_ecs_task_definition" "service_6" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "docker-storage-1" + } + + volume { + name = "docker-storage-2" + } +} + + +``` +
+
Positive test num. 7 - tf file + +```tf hl_lines="26" +resource "aws_ecs_task_definition" "service_7" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "efs-vol-good" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs1.id + root_directory = "/opt/data1" + transit_encryption = "ENABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test1.id + iam = "ENABLED" + } + } + } + + volume { + name = "efs-vol-bad" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs2.id + root_directory = "/opt/data2" + transit_encryption = "DISABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test2.id + iam = "ENABLED" + } + } + } +} + + +``` +
#### Code samples without security vulnerabilities @@ -108,5 +248,43 @@ resource "aws_ecs_task_definition" "service" { } } +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_ecs_task_definition" "service" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "efs-vol-1" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs1.id + root_directory = "/opt/data1" + transit_encryption = "ENABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test1.id + iam = "ENABLED" + } + } + } + + volume { + name = "efs-vol-2" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs2.id + root_directory = "/opt/data2" + transit_encryption = "ENABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test2.id + iam = "ENABLED" + } + } + } +} + + ```