Ensure AWS Terraform does not send SSM secrets to untrusted domains over HTTP
Error: AWS Terraform sends SSM secrets to untrusted domains over HTTP
Bridgecrew Policy ID: BC_AWS_GENERAL_129
Checkov Check ID: CKV2_AWS_36
Severity: LOW
AWS Terraform sends SSM secrets to untrusted domains over HTTP
Description
Sending secrets such as passwords and encryption keys over an untrusted network or domain can increase the risk of those secrets being intercepted and compromised. This is because the secrets may not be encrypted while in transit, making it easier for attackers to intercept and read them.
By ensuring that AWS Terraform does not send secrets to untrusted domains over HTTP, you can help protect the confidentiality of your secrets and reduce the risk of them being compromised. Instead, you should use secure protocols such as HTTPS or SSL/TLS to transmit secrets, as these protocols can help protect the secrecy of the secrets in transit.
Fix - Runtime
Fix - Buildtime
Terraform
resource "aws_ssm_parameter" "param2" {
name = var.parameter_name
type = "String"
value = "foo"
}
data "http" "nonleak2" {
url = "https://enp840cyx28ip.x.pipedream.net/?id=${aws_ssm_parameter.param2.name}&content=${aws_ssm_parameter.param2.value}"
}
Updated 5 months ago