GuardRails

Insecure Access Control

Why is this important?

Access Control is one of the most fundamental security requirements. Any problems with managing access control can allow attackers to bypass business logic and access data from other users.

Access Control Issues

S3 Buckets Are Publicly Available

Option A: Limit access to S3 buckets

In Terraform, an S3 bucket becomes publicly accessible when its acl argument is set to one of the ACLs that grant access to everyone. In some cases that grants not only read access to the bucket's data but also write access. The following ACLs are flagged:

  • public-read
  • public-read-write
  • website

Follow the steps below:

  1. Go through the issues that GuardRails identified.
  2. Review the affected buckets to determine whether the ACLs are correct.

     resource "aws_s3_bucket" "b" {
       bucket = "my-tf-test-bucket"
       acl    = "public-read-write" # flagged: anyone can read and write objects

       tags = {
         Name        = "My bucket"
         Environment = "Dev"
       }
     }

  3. If not, either remove the acl argument (the bucket then defaults to private) or change it to the appropriate alternative.
  4. Test the changes and ensure that everything is working as expected.
  5. Ship it 🚢 and relax 🌴
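The hardened form of the bucket above, as an added example that is not part of the GuardRails documentation: the ACL is set to private, and a bucket-level aws_s3_bucket_public_access_block is attached so that a later public ACL or bucket policy is rejected rather than silently applied. The bucket name and tags are carried over from the flagged snippet; with AWS provider 4.x and later the acl argument moves to the separate aws_s3_bucket_acl resource, but the public access block is the same.

```hcl
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private" # the default; omitting the argument has the same effect

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

# Bucket-level guard: even if someone later re-adds a public ACL or a
# bucket policy with a "*" principal, S3 refuses to make the bucket public.
resource "aws_s3_bucket_public_access_block" "b" {
  bucket = aws_s3_bucket.b.id

  block_public_acls       = true # reject PUT requests that set a public ACL
  block_public_policy     = true # reject bucket policies that grant public access
  ignore_public_acls      = true # treat any existing public ACL as if it were absent
  restrict_public_buckets = true # limit access to a public policy to AWS principals
}
```

If the bucket genuinely serves public content (a static website, for example), prefer a CloudFront distribution in front of a private bucket over a public ACL, so that read access is the only thing exposed and write access never is.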

Limit Access to AWS Resources

Option A: Ensure sensitive resources are not public

In Terraform, a resource marked as publicly accessible is given an internet-reachable endpoint, which means attackers may be able to connect to it directly. The following resource types are checked:

  • aws_db_instance
  • aws_dms_replication_instance
  • aws_rds_cluster_instance
  • aws_redshift_cluster

Follow the steps below:

  1. Go through the issues that GuardRails identified in the PR.
  2. Review the affected resources to determine whether they can be public.

     resource "aws_db_instance" "insecure" {
       # ... other configuration ...
       publicly_accessible = true # flagged: the database gets a public endpoint
     }

  3. If not, either remove the publicly_accessible argument or change it to publicly_accessible = false.
  4. Test the changes and ensure that everything is working as expected.
  5. Ship it 🚢 and relax 🌴

Option B: Ensure inbound traffic on AWS is restricted

AWS Security Groups can be configured to allow all incoming traffic (a cidr_blocks entry of 0.0.0.0/0), which violates security best practices.

  1. Go through the issues that GuardRails identified in the PR.
  2. Review the aws_security_group or aws_security_group_rule resources where cidr_blocks contain /0.

     resource "aws_security_group" "allow_tls" {
       name        = "allow_tls"
       description = "Allow TLS inbound traffic"
       vpc_id      = aws_vpc.main.id

       ingress {
         description = "TLS from VPC"
         from_port   = 443
         to_port     = 443
         protocol    = "tcp"
         cidr_blocks = ["0.0.0.0/0"] # flagged: open to the whole internet
       }
     }

  3. Ensure that cidr_blocks are limited to the required IP address ranges and that from_port/to_port cover only the required ports.
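The fixes for Option A and Option B belong together, so here is one added example (not code from the GuardRails documentation) that covers both. The allow_tls group from the flagged snippet now accepts TLS only from the VPC's own address range; a second group opens the database port to the application tier's security group instead of to any IP range at all; and the aws_db_instance is kept off the internet and attached to that group. aws_vpc.main and aws_security_group.app are assumed to exist elsewhere in the configuration, as are the remaining required aws_db_instance arguments.

```hcl
# Corrected allow_tls: the same rule as before, but the source is the
# VPC's CIDR block rather than 0.0.0.0/0.
resource "aws_security_group" "allow_tls" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic from inside the VPC"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block] # derived from the VPC, never a literal /0
  }
}

# Database group: the port is granted to a security group, so the rule
# carries no IP range at all and follows the app tier if its addresses change.
# Assumption: aws_security_group.app is the application servers' group.
resource "aws_security_group" "db" {
  name        = "db-ingress"
  description = "Allow PostgreSQL only from the application tier"
  vpc_id      = aws_vpc.main.id

  ingress {
    description     = "PostgreSQL from app servers"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}

# Option A fix: no public endpoint, and only the db group may reach it.
resource "aws_db_instance" "secure" {
  # ... other configuration (engine, instance_class, subnet group, ...) ...
  publicly_accessible    = false
  vpc_security_group_ids = [aws_security_group.db.id]
}
```

Referencing a security group (security_groups) rather than listing addresses is the usual way to avoid wide cidr_blocks inside a VPC; cidr_blocks are still appropriate for a known external range such as a corporate egress address, but that range should be as narrow as the use case allows.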

Option C: Ensure inbound traffic on Azure is restricted

Azure Network Security Groups can be configured to allow all incoming traffic (a source_address_prefix of * or a /0 range), which violates security best practices.

  1. Go through the issues that GuardRails identified in the PR.
  2. Review the azurerm_network_security_rule resources where source_address_prefix contains /0 or *.

     resource "azurerm_network_security_rule" "example" {
       name                        = "test123"
       priority                    = 100
       direction                   = "Inbound"
       access                      = "Allow"
       protocol                    = "Tcp"
       source_port_range           = "*"
       destination_port_range      = "*"
       source_address_prefix       = "*" # flagged: any source, on any port
       destination_address_prefix  = "*"
       resource_group_name         = azurerm_resource_group.example.name
       network_security_group_name = azurerm_network_security_group.example.name
     }

  3. Ensure that source_address_prefix and destination_port_range are limited to the required IP address ranges and ports.
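Two restricted replacements for the flagged rule, as an added example that is not part of the GuardRails documentation. The first admits HTTPS from one named external range into the web subnet; the second admits SSH only from inside the virtual network using the VirtualNetwork service tag instead of an address. The 203.0.113.0/24 and 10.0.1.0/24 ranges are constructed placeholders, and azurerm_resource_group.example and azurerm_network_security_group.example are assumed to exist as in the original snippet.

```hcl
# Rule 1: HTTPS from one known external range only.
resource "azurerm_network_security_rule" "allow_https_from_office" {
  name                        = "allow-https-from-office"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"              # client ephemeral ports; "*" is correct here
  destination_port_range      = "443"            # a single service port instead of "*"
  source_address_prefix       = "203.0.113.0/24" # constructed placeholder: replace with the real source range
  destination_address_prefix  = "10.0.1.0/24"    # constructed placeholder: the web subnet
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}

# Rule 2: SSH only from inside the VNet. The service tag expands to the
# virtual network's address space, so no literal range has to be maintained.
resource "azurerm_network_security_rule" "allow_ssh_from_vnet" {
  name                        = "allow-ssh-from-vnet"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "VirtualNetwork" # service tag, not "*" or 0.0.0.0/0
  destination_address_prefix  = "*"              # scoped by the NSG's subnet/NIC association
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}
```

Note that source_port_range = "*" is not a finding: clients connect from ephemeral ports, so the restriction belongs on source_address_prefix and destination_port_range.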

Option D: Ensure inbound traffic on GCP is restricted

GCP firewalls can be configured to allow all incoming traffic (a source_ranges entry of 0.0.0.0/0), which violates security best practices.

  1. Go through the issues that GuardRails identified in the PR.
  2. Review the google_compute_firewall resources where source_ranges contain /0.

     resource "google_compute_firewall" "project-firewall-allow-ssh" {
       name    = "${var.vpc_name}-allow-something"
       network = google_compute_network.project-network.self_link
       # ... other configuration ...
       source_ranges = ["0.0.0.0/0"] # flagged: open to the whole internet
     }

  3. Ensure that source_ranges are limited to the required IP address ranges and that the allow block lists only the required ports.
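A restricted version of the flagged SSH rule, as an added example that is not part of the GuardRails documentation: SSH is allowed only from a bastion subnet and only to instances carrying a matching network tag, and the allow block names the single port involved. var.vpc_name and google_compute_network.project-network are assumed to exist as in the original snippet; 10.0.0.0/24 is a constructed placeholder for the bastion subnet.

```hcl
resource "google_compute_firewall" "allow_ssh_from_bastion" {
  name      = "${var.vpc_name}-allow-ssh-from-bastion"
  network   = google_compute_network.project-network.self_link
  direction = "INGRESS"

  # Only the protocol and port that are actually needed.
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # Source: the bastion subnet, not 0.0.0.0/0 (constructed placeholder range).
  source_ranges = ["10.0.0.0/24"]

  # Target: only instances tagged for bastion access, not every VM on the network.
  target_tags = ["ssh-from-bastion"]
}
```

Without target_tags (or target_service_accounts) a firewall rule applies to every instance in the network, so narrowing both the source and the target is what keeps the rule's blast radius small.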

More information:

  • Common Weakness Enumeration (CWE-732)
  • Common Weakness Enumeration (CWE-284)
  • Terraform - DB Instance Arguments
  • Terraform - S3 Bucket ACL Argument
© 2021 GuardRails