SAST Scans Show Nebari Has Critical/High Vulnerabilities in AWS
Summary
Of the several critical vulnerabilities reported by GitLab SAST for Nebari deployed in AWS, some could be mitigated by adding AWS Key Management Service (KMS) controls and configuration options, and by making encryption the default setting in the corresponding AWS services:
CRITICAL: _DynamoDB Table Not Encrypted_
- Consider adding `server_side_encryption` into the `aws_dynamodb_table` resource and setting `enabled: true` as default with an optional config variable for `kms_key_arn`
User benefit
Defense in Depth Security Strategy
Design Proposal
MITIGATION:
- Consider adding `encryption_config` to the `aws_eks_cluster` tf resource, enabling a config option that accepts the ARN of a KMS key - Proposing PR#2723 as solution
- Consider adding `storage_encrypted` into the `aws_rds_cluster` tf resource and setting it to `true`
- Consider adding a `policy` to the KMS key or a separate `kms_key_policy` resource
- Consider adding `server_side_encryption` into the `aws_dynamodb_table` resource and setting `enabled: true` as default with an optional config variable for `kms_key_arn`
- Consider adding a `policy` to the KMS key or a separate `kms_key_policy` resource
- Consider adding a `policy` to the KMS key or a separate `kms_key_policy` resource
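As an added example (not code from the Nebari repository or from PR#2723), the following Terraform fragment wires the proposed settings together: one customer-managed KMS key with its policy supplied via the `policy` argument, an optional `kms_key_arn` variable that lets an operator bring an existing key instead, and the three flagged resources with encryption turned on. The resource names, the `kms_key_arn`/`eks_role_arn`/`subnet_ids`/`db_username`/`db_password` variable names and the key policy contents are assumptions for illustration only.

```hcl
# Optional customer-managed key (assumed variable name). When unset, a key is created below.
variable "kms_key_arn" {
  description = "ARN of an existing KMS key for EKS secrets, RDS storage and DynamoDB"
  type        = string
  default     = null
}

# Remaining inputs are assumed for the example; real values come from the deployment config.
variable "eks_role_arn" { type = string }
variable "subnet_ids" { type = list(string) }
variable "db_username" { type = string }
variable "db_password" { type = string }

data "aws_caller_identity" "current" {}

# Key policy passed through the key's `policy` argument (the alternative in the
# proposal is a separate aws_kms_key_policy resource bound to the key id).
# This minimal policy only lets the account root administer the key; it is a
# placeholder to be narrowed per deployment, not a recommended production policy.
data "aws_iam_policy_document" "kms" {
  statement {
    sid    = "EnableRootAdministration"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
}

# Created only when the operator did not supply their own key ARN.
resource "aws_kms_key" "nebari" {
  count               = var.kms_key_arn == null ? 1 : 0
  description         = "Nebari data encryption key (example)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.kms.json
}

locals {
  # First non-null value: the user-supplied ARN, otherwise the key created above.
  kms_key_arn = coalesce(var.kms_key_arn, one(aws_kms_key.nebari[*].arn))
}

# EKS: encryption_config envelope-encrypts Kubernetes secrets in etcd with the
# chosen KMS key; a cluster without this block is what the scanner flags.
resource "aws_eks_cluster" "nebari" {
  name     = "nebari"
  role_arn = var.eks_role_arn
  vpc_config {
    subnet_ids = var.subnet_ids
  }
  encryption_config {
    provider {
      key_arn = local.kms_key_arn
    }
    resources = ["secrets"]
  }
}

# RDS: storage_encrypted is not enabled unless set; kms_key_id takes the key ARN.
resource "aws_rds_cluster" "nebari" {
  cluster_identifier = "nebari"
  engine             = "aurora-postgresql"
  master_username    = var.db_username
  master_password    = var.db_password
  storage_encrypted  = true
  kms_key_id         = local.kms_key_arn
}

# DynamoDB: enabled = true alone moves the table from the AWS-owned key to the
# AWS-managed aws/dynamodb key; adding kms_key_arn uses the customer-managed key.
resource "aws_dynamodb_table" "nebari" {
  name         = "nebari-state-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
  server_side_encryption {
    enabled     = true
    kms_key_arn = local.kms_key_arn
  }
}
```

Two caveats worth checking before turning these into defaults: setting `storage_encrypted` on an existing unencrypted `aws_rds_cluster` forces replacement of the cluster rather than an in-place change, and once envelope encryption is enabled on an EKS cluster AWS does not allow disabling it or changing the key. Both are fine for new deployments but need a documented migration path for clusters that already exist.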
Alternatives or approaches considered (if any)
Best practices
User impact
Unresolved questions