Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
GCP Terraform Misconfiguration: Cloud DNS DNSSEC Disabled
Abstract
A Terraform configuration does not enable the Domain Name System Security (DNSSEC) of a Cloud DNS Domain.
Explanation
DNSSEC prevents DNS spoofing by providing the ability to use digital signatures for DNS response validation. The DNSSEC of a Cloud DNS Domain is not enabled.
Example 1: The following example shows a Terraform configuration that disables DNSSEC on a Cloud DNS Domain by setting
Example 1: The following example shows a Terraform configuration that disables DNSSEC on a Cloud DNS Domain by setting
state to off in the dnssec_config block.
resource "google_dns_managed_zone" "zone-demo" {
...
dnssec_config {
state = "off"
...
}
...
}
References
[1] HashiCorp dns_managed_zone
[2] Google Cloud Manage DNSSEC configuration
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 3.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 345
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-002418, CCI-002422
[6] Standards Mapping - FIPS200 SC
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-8 Transmission Confidentiality and Integrity (P1), SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-8 Transmission Confidentiality and Integrity, SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.1 - Authentication and Access Control
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.1 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_dns_dnssec_disabled