Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
AWS Terraform Misconfiguration: Insecure Supply Chain
Abstract
A Terraform configuration uses a module from an untrusted source.
Explanation
Software modules from untrusted software supply chains might not be secure. Attackers can exploit the weakness of any poorly managed supply chain to insert malicious code.
A Terraform module is a pre-built set of configuration files. Modules make it easier and faster to get cloud services up and running. Many sources provide modules, including but not limited to the Terraform Registry, local directories, source repositories, and cloud storage. However, only a fraction of modules published in the Terraform Registry are systematically and continuously verified among all sources. A verified module listed in the Terraform Registry is a module that is in active maintenance and tested for compatibility but is not necessarily secure by design.
A Terraform module is a pre-built set of configuration files. Modules make it easier and faster to get cloud services up and running. Many sources provide modules, including but not limited to the Terraform Registry, local directories, source repositories, and cloud storage. However, only a fraction of modules published in the Terraform Registry are systematically and continuously verified among all sources. A verified module listed in the Terraform Registry is a module that is in active maintenance and tested for compatibility but is not necessarily secure by design.
References
[1] Terraform Modules
[2] HashCorp Terraform Registry
[3] xssfox Supply Chain Attack as Code
[4] Standards Mapping - Common Weakness Enumeration CWE ID 829
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001749, CCI-001764
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), SA-12 Supply Chain Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, CM-14 Signed Components, SR-3 Supply Chain Controls and Processes
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 10.2.3 Malicious Code Search (L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001430 CAT II, APSC-DV-001480 CAT II
desc.structural.hcl.aws_terraform_misconfiguration_insecure_supply_chain