diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/metadata.json b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/metadata.json
new file mode 100644
index 00000000000..e8e0b704921
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "233ab26d-8f17-4dce-9616-41479da9ffe3",
+ "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "All 'azurerm_storage_account' resources should exclusively use 'AES-256-GCM' for channel encryption",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#channel_encryption_type-2",
+ "platform": "Terraform",
+ "descriptionID": "233ab26d",
+ "cloudProvider": "azure",
+ "cwe": "327",
+ "riskScore": "6.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/query.rego b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/query.rego
new file mode 100644
index 00000000000..3d8016441bc
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/query.rego
@@ -0,0 +1,67 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.azurerm_storage_account[name]
+
+ results := get_results(resource, name)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "azurerm_storage_account",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": results.searchKey,
+ "issueType": results.issueType,
+ "keyExpectedValue": sprintf("'azurerm_storage_account[%s].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", [name]),
+ "keyActualValue": results.keyActualValue,
+ "searchLine": results.searchLine
+ }
+}
+
+get_results(resource, name) = results {
+ not common_lib.valid_key(resource, "share_properties")
+ results := {
+ "searchKey" : sprintf("azurerm_storage_account[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyActualValue" : sprintf("'azurerm_storage_account[%s].share_properties' is undefined or null", [name]),
+ "searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name], [])
+ }
+} else = results {
+ not common_lib.valid_key(resource.share_properties, "smb")
+ results := {
+ "searchKey" : sprintf("azurerm_storage_account[%s].share_properties", [name]),
+ "issueType": "MissingAttribute",
+ "keyActualValue" : sprintf("'azurerm_storage_account[%s].share_properties.smb' is undefined or null", [name]),
+ "searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name, "share_properties"], [])
+ }
+} else = results {
+ not common_lib.valid_key(resource.share_properties.smb, "channel_encryption_type")
+
+ results := {
+ "searchKey" : sprintf("azurerm_storage_account[%s].share_properties.smb", [name]),
+ "issueType": "MissingAttribute",
+ "keyActualValue" : sprintf("'azurerm_storage_account[%s].share_properties.smb.channel_encryption_type' is undefined or null", [name]),
+ "searchLine" 
: common_lib.build_search_line(["resource", "azurerm_storage_account", name, "share_properties", "smb"], [])
+ }
+} else = results {
+ resource.share_properties.smb.channel_encryption_type != ["AES-256-GCM"]
+
+ results := {
+ "searchKey" : sprintf("azurerm_storage_account[%s].share_properties.smb.channel_encryption_type", [name]),
+ "issueType": "IncorrectValue",
+ "keyActualValue" : get_actual_value(resource.share_properties.smb.channel_encryption_type, name),
+ "searchLine" : common_lib.build_search_line(["resource", "azurerm_storage_account", name, "share_properties", "smb", "channel_encryption_type"], [])
+ }
+}
+
+get_actual_value(channel_encryption_types, name) = str {
+ channel_encryption_types == []
+ str := sprintf("'azurerm_storage_account[%s].share_properties.smb.channel_encryption_type' is empty or null", [name])
+} else = str {
+ not common_lib.inArray(channel_encryption_types, "AES-256-GCM")
+ str := sprintf("'azurerm_storage_account[%s].share_properties.smb.channel_encryption_type' does not include 'AES-256-GCM' and instead includes %d weaker encryption standard(s)", [name, count(channel_encryption_types)])
+} else = str {
+ str := sprintf("'azurerm_storage_account[%s].share_properties.smb.channel_encryption_type' includes 'AES-256-GCM' but also includes %d weaker encryption standard(s)", [name, count(channel_encryption_types)-1])
+}
diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/negative.tf b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/negative.tf
new file mode 100644
index 00000000000..b5803df6420
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/negative.tf
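Review bot: The final `else` branch of `get_results` and both counting branches of `get_actual_value` assume `channel_encryption_type` is a literal list. If the parsed value is something else (for example a string holding an unresolved reference — I am inferring how the parser would represent that), the `!= ["AES-256-GCM"]` test still fires, `common_lib.inArray` is undefined so the `not` branch wins, and `count` returns the string length, yielding a message with a meaningless count. Guarding the counting branches with `is_array(channel_encryption_types)` and adding a separate branch whose message says the value could not be evaluated would keep the finding without the bogus number, rather than silently letting non-list values pass. The `count(channel_encryption_types)-1` in the last branch also assumes 'AES-256-GCM' appears exactly once; a duplicated entry would be counted as a weaker standard, and a one-line comment on `get_actual_value` stating both assumptions would help the next maintainer.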
@@ -0,0 +1,14 @@
+resource "azurerm_storage_account" "negative1" {
+ name = "negative1"
+ resource_group_name = "testRG"
+ location = "northeurope"
+ account_tier = "Premium"
+ account_replication_type = "LRS"
+ account_kind = "FileStorage"
+
+ share_properties {
+ smb {
+ channel_encryption_type = ["AES-256-GCM"]
+ }
+ }
+}
diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive.tf b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive.tf
new file mode 100644
index 00000000000..a0c39e9189b
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive.tf
@@ -0,0 +1,77 @@
+resource "azurerm_storage_account" "positive1" {
+ name = "positive1"
+ resource_group_name = azurerm_resource_group.positive1.name
+ location = azurerm_resource_group.positive1.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ # missing "share_properties" (allows all encryption standards)
+}
+
+resource "azurerm_storage_account" "positive2" {
+ name = "positive2"
+ resource_group_name = azurerm_resource_group.positive2.name
+ location = azurerm_resource_group.positive2.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ # missing "smb" (allows all encryption standards)
+ }
+}
+
+resource "azurerm_storage_account" "positive3" {
+ name = "positive3"
+ resource_group_name = azurerm_resource_group.positive3.name
+ location = azurerm_resource_group.positive3.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ smb {
+ # missing "channel_encryption_type" (allows all encryption standards)
+ }
+ }
+}
+
+resource "azurerm_storage_account" "positive4" {
+ name = "positive4"
+ resource_group_name = azurerm_resource_group.positive4.name
+ location = azurerm_resource_group.positive4.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ smb {
+ channel_encryption_type = [] # no encryption types allowed
+ }
+ }
+}
+
+resource "azurerm_storage_account" "positive5" {
+ name = "positive5"
+ resource_group_name = azurerm_resource_group.positive5.name
+ location = azurerm_resource_group.positive5.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ share_properties {
+ smb {
+ channel_encryption_type = ["AES-128-CCM", "AES-128-GCM"] # missing "AES-256-GCM"
+ }
+ }
+}
+
+resource "azurerm_storage_account" "positive6" {
+ name = "positive6"
+ resource_group_name = azurerm_resource_group.positive6.name
+ location = azurerm_resource_group.positive6.location
+ account_tier = "Standard"
+ 
account_replication_type = "GRS"
+
+ share_properties {
+ smb {
+ channel_encryption_type = ["AES-256-GCM", "AES-128-CCM"] # allows weaker encryption
+ }
+ }
+}
diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json
new file mode 100644
index 00000000000..b938673842c
--- /dev/null
+++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json
@@ -0,0 +1,32 @@
+[
+ {
+ "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption",
+ "severity": "HIGH",
+ "line": 1
+ },
+ {
+ "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption",
+ "severity": "HIGH",
+ "line": 18
+ },
+ {
+ "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption",
+ "severity": "HIGH",
+ "line": 31
+ },
+ {
+ "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption",
+ "severity": "HIGH",
+ "line": 46
+ },
+ {
+ "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption",
+ "severity": "HIGH",
+ "line": 60
+ },
+ {
+ "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption",
+ "severity": "HIGH",
+ "line": 74
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 407c810f4d1..96810476654 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Sensitive Port Is Exposed To Wide Private Network
 observations: ""
 change: 5
+ - queryId: 233ab26d-8f17-4dce-9616-41479da9ffe3
+ queryName: Beta - Storage Account Using Unsafe SMB Channel Encryption
+ observations: ""
+ change: 2