Use of an insecure channel - HTTP - Aws
Need
Secure transmission of client information
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of the Terraform AWS provider for managing Amazon Web Services resources
Description
Insecure Code Example
```hcl
provider "aws" {
  region = "us-west-2"
}

# Security group that exposes port 80 (plaintext HTTP) to the whole Internet.
resource "aws_security_group" "allow_http" {
  name        = "allow_http"
  description = "Allow HTTP inbound traffic"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Web server instance attached to that security group.
resource "aws_instance" "web" {
  ami                    = "ami-0c94855ba95c574c8"
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.allow_http.id]

  tags = {
    Name = "HelloWorld"
  }
}
```
The Terraform configuration above creates a security group whose single ingress rule admits TCP traffic on port 80, the default HTTP port, from `0.0.0.0/0`, that is, from any address on the Internet, and attaches it to the EC2 instance through `vpc_security_group_ids`. No rule for port 443 exists, so the only path a client has to the web server is plaintext HTTP. Everything the client sends and receives over that path (credentials, session cookies, form data, API responses) crosses the network unencrypted and unauthenticated: anyone positioned on the route, from a shared Wi-Fi network to a compromised router, can read it or alter it in transit. Note that the security group itself is only a packet filter; what makes the deployment insecure is that the application is published to the Internet exclusively over an unencrypted protocol. The port-80-to-the-world rule is the signal in the IaC that this is the case, and it is what leads to credential theft, session hijacking and other data breaches.
Steps
- Obtain an SSL/TLS certificate for the application domain (for example from AWS Certificate Manager, or from any public CA).
- Configure the web server or load balancer to terminate TLS with that certificate and to serve the application over HTTPS only.
- Update the security group configuration to allow inbound traffic on port 443 (HTTPS) instead of port 80 (HTTP). If port 80 is kept open for compatibility, the listener on it must only redirect to HTTPS and never serve content.
- Update the application and any hard-coded URLs so that client information is transmitted over `https://` endpoints only.
- Deploy the updated code and infrastructure to the AWS environment.
- Verify that the service answers only over TLS, for example by confirming that a plaintext request to port 80 is refused or redirected and that the certificate on port 443 is valid for the domain.
Secure Code Example
```hcl
provider "aws" {
  region = "us-west-2"
}

# Security group that exposes only port 443 (HTTPS) to the Internet.
resource "aws_security_group" "allow_https" {
  name        = "allow_https"
  description = "Allow HTTPS inbound traffic"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Web server instance attached to the HTTPS-only security group.
resource "aws_instance" "web" {
  ami                    = "ami-0c94855ba95c574c8"
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.allow_https.id]

  tags = {
    Name = "HelloWorld"
  }
}
```
The updated configuration restricts inbound traffic to port 443, the standard HTTPS port: the security group is now `allow_https`, its description reads "Allow HTTPS inbound traffic", `from_port` and `to_port` are 443, and the instance references the new group through `vpc_security_group_ids`. Port 80 is no longer reachable from the Internet, so clients cannot fall back to plaintext HTTP. A security group cannot encrypt anything by itself, though; it only filters ports. The change is secure only if the web server listening on 443 actually terminates TLS with a certificate valid for the application domain, which is why the steps above (configuring TLS, obtaining the certificate, configuring the web server) must be completed before this infrastructure is deployed. A server that speaks plaintext HTTP on port 443 is exactly as exposed as before. Also decide deliberately about port 80: closing it, as here, is simplest; if it is kept so that old `http://` links keep working, the listener on it must do nothing but redirect to HTTPS.
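The secure example only adjusts the firewall; the Steps section leaves the TLS termination itself to the reader. The following configuration, added here as an illustration and not part of the original page, shows one way to complete those steps with the same Terraform AWS provider: a certificate issued by AWS Certificate Manager, an Application Load Balancer that terminates TLS 1.2/1.3 on port 443, a port-80 listener that only redirects to HTTPS, and an instance security group that admits traffic solely from the load balancer. The variables `domain_name`, `vpc_id` and `subnet_ids` are placeholders, and `aws_instance.web` is assumed to be the instance from the secure example with `aws_security_group.web_from_alb` in its `vpc_security_group_ids` in place of `allow_https`.

```hcl
# Added example, not from the original page: TLS terminated on an Application
# Load Balancer. var.domain_name, var.vpc_id and var.subnet_ids are placeholders;
# aws_instance.web is the secure example's instance, attached to web_from_alb.
variable "domain_name" { type = string }      # e.g. "app.example.com"
variable "vpc_id" { type = string }
variable "subnet_ids" { type = list(string) } # two or more subnets in distinct AZs

# ACM issues and renews the certificate; DNS validation needs the CNAME that
# ACM reports published in the zone. The validation resource blocks until then.
resource "aws_acm_certificate" "web" {
  domain_name       = var.domain_name
  validation_method = "DNS"
}

resource "aws_acm_certificate_validation" "web" {
  certificate_arn = aws_acm_certificate.web.arn
}

# Internet-facing: 443 for HTTPS; 80 only so the redirect listener can answer.
resource "aws_security_group" "alb" {
  name   = "alb_https"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The instance is reachable only from the load balancer, never from the Internet.
resource "aws_security_group" "web_from_alb" {
  name   = "web_from_alb"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}

resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "web" {
  name     = "web-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = aws_instance.web.id
}

# HTTPS listener; the ARN comes via the validation resource so a pending
# certificate is never attached. The policy allows TLS 1.2 and 1.3 only.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.web.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Plain HTTP gets a permanent redirect to HTTPS and nothing else.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

`terraform apply` creates `aws_acm_certificate_validation` before the HTTPS listener, so the run blocks until the DNS CNAME that ACM reports in `domain_validation_options` has been published; that record can be created by hand or with `aws_route53_record` when the zone is hosted in Route 53. Traffic between the load balancer and the instance stays plaintext HTTP inside the VPC; if end-to-end encryption is required, switch the target group protocol to HTTPS and install a certificate on the instance as well.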
References
Last updated
2023/09/18