Use of an insecure channel - HTTP
Need
Secure transmission of client information
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of AWS SDK for interacting with Amazon Web Services
Description
Non-compliant code
  provider "aws" {
    region = "us-west-2"
  }

  # Security group that admits plaintext HTTP (TCP/80) from any address.
  resource "aws_security_group" "allow_http" {
    name        = "allow_http"
    description = "Allow HTTP inbound traffic"

    ingress {
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  # Web instance attached to the HTTP-only security group.
  resource "aws_instance" "web" {
    ami                    = "ami-0c94855ba95c574c8"
    instance_type          = "t2.micro"
    vpc_security_group_ids = [aws_security_group.allow_http.id]

    tags = {
      Name = "HelloWorld"
    }
  }
The above code is a Terraform script that sets up an AWS instance and a security group that allows HTTP traffic. The AWS instance is associated with this security group.
The aws_security_group resource creates a new security group that allows inbound traffic on port 80, which is the default port for HTTP. The cidr_blocks attribute is set to 0.0.0.0/0, which means it allows traffic from any IP address.
The aws_instance resource creates a new AWS instance and associates it with the previously created security group via the vpc_security_group_ids attribute.
This code is vulnerable because it uses HTTP, a protocol that does not use encryption. Any data transmitted over this protocol, including potentially sensitive client information, can be captured in plain text. This lack of encryption can lead to data breaches and other security incidents.
Steps
- Update the code to use HTTPS instead of HTTP for transmitting client information.
- Configure the application to use TLS (Transport Layer Security) for secure communication.
- Obtain an SSL/TLS certificate for the application domain.
- Configure the web server to use the SSL/TLS certificate for HTTPS connections.
- Update the security group configuration to allow inbound traffic on port 443 (HTTPS) instead of port 80 (HTTP).
- Deploy the updated code and infrastructure to the AWS environment.
Compliant code
  provider "aws" {
    region = "us-west-2"
  }

  # Security group that admits only HTTPS (TCP/443); port 80 is no longer opened.
  resource "aws_security_group" "allow_https" {
    name        = "allow_https"
    description = "Allow HTTPS inbound traffic"

    ingress {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  # Web instance attached to the HTTPS-only security group.
  resource "aws_instance" "web" {
    ami                    = "ami-0c94855ba95c574c8"
    instance_type          = "t2.micro"
    vpc_security_group_ids = [aws_security_group.allow_https.id]

    tags = {
      Name = "HelloWorld"
    }
  }
The updated code now exposes the instance over HTTPS instead of HTTP for transmitting client information. This is achieved by changing the security group configuration to allow inbound traffic on port 443 (HTTPS) instead of port 80 (HTTP).
The aws_security_group resource is renamed to "allow_https" and its description is changed to "Allow HTTPS inbound traffic". The from_port and to_port values are updated to 443, which is the standard port for HTTPS.
The aws_instance resource is updated to reference the new security group "allow_https" through its vpc_security_group_ids attribute.
Please note that this code change assumes that you have already configured your application to use TLS (Transport Layer Security) for secure communication, obtained an SSL/TLS certificate for your application domain, and configured your web server to use the SSL/TLS certificate for HTTPS connections.
After updating the code, you should deploy the updated infrastructure to the AWS environment.
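As an added example (not the page's own code), the following Python policy check scans Terraform text for security group ingress rules that admit plaintext HTTP from any address; it is the kind of check that would catch the non-compliant code above in CI while passing the compliant version. It assumes no external HCL parser is available, so it walks the text by brace matching, and its sample input is constructed from this page's two security groups.

```python
# Added example, not part of the original page: a CI-style policy check that scans
# Terraform HCL text and flags aws_security_group ingress rules admitting TCP port 80
# (plaintext HTTP) from anywhere. Brace matching stands in for a full HCL parser.
import re

SG_RE = re.compile(r'resource\s+"aws_security_group"\s+"([^"]+)"\s*\{')
INGRESS_RE = re.compile(r"\bingress\s*\{")
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
ANY_CIDRS = {"0.0.0.0/0", "::/0"}  # world-reachable IPv4 / IPv6 ranges


def _block_body(text, open_idx):
    """Return the text inside the brace pair that opens at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def find_plaintext_ingress(hcl):
    """Return one finding per world-open ingress rule that admits TCP/80."""
    findings = []
    for sg in SG_RE.finditer(hcl):
        sg_body = _block_body(hcl, sg.end() - 1)
        for ing in INGRESS_RE.finditer(sg_body):
            rule = dict(ATTR_RE.findall(_block_body(sg_body, ing.end() - 1)))
            proto = rule.get("protocol", '"tcp"').strip('"').lower()
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            # protocol "-1" / "all" means every port; otherwise test the TCP range
            covers_http = proto in ("-1", "all") or (proto == "tcp" and lo <= 80 <= hi)
            cidrs = set(re.findall(r'"([^"]+)"', rule.get("cidr_blocks", "")))
            if covers_http and cidrs & ANY_CIDRS:
                findings.append(f"{sg.group(1)}: {proto} {lo}-{hi} open to {sorted(cidrs & ANY_CIDRS)}")
    return findings


def _sg(name, port):
    """Constructed sample in the shape of this page's security groups."""
    return (f'resource "aws_security_group" "{name}" {{\n  ingress {{\n'
            f'    from_port   = {port}\n    to_port     = {port}\n'
            f'    protocol    = "tcp"\n    cidr_blocks = ["0.0.0.0/0"]\n  }}\n}}\n')


SAMPLE_HCL = _sg("allow_http", 80) + _sg("allow_https", 443)  # constructed input
```

Running `find_plaintext_ingress(SAMPLE_HCL)` reports only `allow_http`; a rule restricted to a private range such as 10.0.0.0/8 is not flagged, because the check targets world-reachable plaintext exposure.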