• Home
• org.sonarsource.javascript
• javascript-checks
• 10.13.2.25981
• source code
• S6308.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S6308.html Maven / Gradle / Ivy

Amazon OpenSearch Service is a managed service to host OpenSearch instances. It replaces Elasticsearch Service, which has been deprecated.
To harden domain (cluster) data in case of unauthorized access, OpenSearch provides data-at-rest encryption if the engine is OpenSearch (any
version), or Elasticsearch with a version of 5.1 or above. Enabling encryption at rest will help protect:

  
 indices 
  
 logs 
  
 swap files 
  
 data in the application directory 
  
 automated snapshots 

Thus, adversaries cannot access the data if they gain physical access to the storage medium.
Ask Yourself Whether

  
 The database contains sensitive data that could cause harm when leaked. 
  
 There are compliance requirements for the service to store data encrypted. 

There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to encrypt OpenSearch domains that contain sensitive information.
OpenSearch handles encryption and decryption transparently, so no further modifications to the application are necessary.
Sensitive Code Example
For aws-cdk-lib.aws_opensearchservice.Domain:
import { aws_opensearchservice as opensearchservice } from 'aws-cdk-lib';

const exampleDomain = new opensearchservice.Domain(this, 'ExampleDomain', {
  version: EngineVersion.OPENSEARCH_1_3,
}); // Sensitive, encryption must be explicitly enabled

For aws-cdk-lib.aws_opensearchservice.CfnDomain:
import { aws_opensearchservice as opensearchservice } from 'aws-cdk-lib';

const exampleCfnDomain = new opensearchservice.CfnDomain(this, 'ExampleCfnDomain', {
  engineVersion: 'OpenSearch_1.3',
}); // Sensitive, encryption must be explicitly enabled

Compliant Solution
For aws-cdk-lib.aws_opensearchservice.Domain:
import { aws_opensearchservice as opensearchservice } from 'aws-cdk-lib';

const exampleDomain = new opensearchservice.Domain(this, 'ExampleDomain', {
  version: EngineVersion.OPENSEARCH_1_3,
  encryptionAtRest: {
    enabled: true,
  },
});

For aws-cdk-lib.aws_opensearchservice.CfnDomain:
import { aws_opensearchservice as opensearchservice } from 'aws-cdk-lib';

const exampleCfnDomain = new opensearchservice.CfnDomain(this, 'ExampleCfnDomain', {
  engineVersion: 'OpenSearch_1.3',
  encryptionAtRestOptions: {
    enabled: true,
  },
});

See

  
 AWS Documentation - Encryption of
  data at rest for Amazon OpenSearch Service 
  
 CWE - CWE-311 - Missing Encryption of Sensitive Data