Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Terraform static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your TERRAFORM code

Tags

Creating public APIs is security-sensitive
Security Hotspot
Allowing public network access to cloud resources is security-sensitive
Security Hotspot
Policies granting access to all resources of an account are security-sensitive
Security Hotspot
Policies granting all privileges are security-sensitive
Security Hotspot
Policies authorizing public access to resources are security-sensitive
Security Hotspot
Granting access to S3 buckets to all or authenticated users is security-sensitive
Security Hotspot
AWS IAM policies should not allow privilege escalation
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Allowing public ACLs or policies on a S3 bucket is security-sensitive
Security Hotspot
Authorizing HTTP communications with S3 buckets is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Google Cloud load balancers SSL policies should not offer weak cipher suites
Vulnerability
Azure custom roles should not grant subscription Owner capabilities
Vulnerability
Excluding users or groups activities from audit logs is security-sensitive
Security Hotspot
Defining a short log retention duration is security-sensitive
Security Hotspot
Enabling Attribute-Based Access Control for Kubernetes is security-sensitive
Security Hotspot
Creating custom roles allowing privilege escalation is security-sensitive
Security Hotspot
Creating App Engine handlers without requiring TLS is security-sensitive
Security Hotspot
Excessive granting of GCP IAM permissions is security-sensitive
Security Hotspot
Enabling project-wide SSH keys to access VM instances is security-sensitive
Security Hotspot
Granting public access to GCP resources is security-sensitive
Security Hotspot
Creating GCP SQL instances without requiring TLS is security-sensitive
Security Hotspot
Creating DNS zones without DNSSEC enabled is security-sensitive
Security Hotspot
Creating keys without a rotation period is security-sensitive
Security Hotspot
Granting highly privileged GCP resource rights is security-sensitive
Security Hotspot
Using unencrypted cloud storages is security-sensitive
Security Hotspot
Azure role assignments that grant access to all resources of a subscription are security-sensitive
Security Hotspot
Disabling Role-Based Access Control on Azure resources is security-sensitive
Security Hotspot
Disabling certificate-based authentication is security-sensitive
Security Hotspot
Assigning high privileges Azure Resource Manager built-in roles is security-sensitive
Security Hotspot
Authorizing anonymous access to Azure resources is security-sensitive
Security Hotspot
Enabling Azure resource-specific admin accounts is security-sensitive
Security Hotspot
Disabling Managed Identities for Azure resources is security-sensitive
Security Hotspot
Assigning high privileges Azure Active Directory built-in roles is security-sensitive
Security Hotspot
Defining a short backup retention duration is security-sensitive
Security Hotspot
Using unencrypted EFS file systems is security-sensitive
Security Hotspot
Using unencrypted SQS queues is security-sensitive
Security Hotspot
Using unencrypted SNS topics is security-sensitive
Security Hotspot
Using unencrypted SageMaker notebook instances is security-sensitive
Security Hotspot
Using unencrypted Elasticsearch domains is security-sensitive
Security Hotspot
Using unencrypted RDS DB resources is security-sensitive
Security Hotspot
Using unencrypted EBS volumes is security-sensitive
Security Hotspot
Disabling logging is security-sensitive
Security Hotspot
Administration services access should be restricted to specific IP addresses
Vulnerability
Unversioned Google Cloud Storage buckets are security-sensitive
Security Hotspot
Disabling S3 bucket MFA delete is security-sensitive
Security Hotspot
Disabling versioning of S3 buckets is security-sensitive
Security Hotspot
Disabling server-side encryption of S3 buckets is security-sensitive
Security Hotspot
AWS tag keys should comply with a naming convention
Code Smell
Track uses of "TODO" tags
Code Smell
Terraform parsing failure
Code Smell

Disabling certificate-based authentication is security-sensitive

Security Hotspot

MajorSonarSource default severity
click to learn more

cwe
azure

Disabling certificate-based authentication can reduce an organization’s ability to react against attacks on its critical functions and data if any.

Azure offers various authentication options to access resources: Anonymous connections, Basic authentication, password-based authentication, and certificate-based authentication.

Choosing certificate-based authentication helps bring client/host trust by allowing the host to verify the client and vice versa. In case of a security incident, certificates help bring investigators traceability and allow security operations teams to react faster (by massively revoking certificates, for example).

Ask Yourself Whether

This Azure resource is essential for the information system infrastructure.
This Azure resource is essential for mission-critical functions.
Compliance policies require access to this resource to be authenticated with certificates.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Enable certificate-based authentication.

Sensitive Code Example

For App Service:

resource "azurerm_app_service" "example" {
  client_cert_enabled = false # Sensitive
}

For Logic App Standards and Function Apps:

resource "azurerm_function_app" "example" {
  client_cert_mode = "Optional" # Sensitive
}

For Data Factory Linked Services:

resource "azurerm_data_factory_linked_service_web" "example" {
  authentication_type = "Basic" # Sensitive
}

For API Management:

resource "azurerm_api_management" "example" {
  sku_name = "Consumption_1"
  client_certificate_mode = "Optional" # Sensitive
}

For Linux and Windows Web Apps:

resource "azurerm_linux_web_app" "example" {
  client_cert_enabled = false # Sensitive
}
resource "azurerm_linux_web_app" "exemple2" {
  client_cert_enabled = true
  client_cert_mode = "Optional" # Sensitive
}

Compliant Solution

For App Service:

resource "azurerm_app_service" "example" {
  client_cert_enabled = true
}

For Logic App Standards and Function Apps:

resource "azurerm_function_app" "example" {
  client_cert_mode = "Required"
}

For Data Factory Linked Services:

resource "azurerm_data_factory_linked_service_web" "example" {
  authentication_type = "ClientCertificate"
}

For API Management:

resource "azurerm_api_management" "example" {
  sku_name = "Consumption_1"
  client_certificate_mode = "Required"
}

For Linux and Windows Web Apps:

resource "azurerm_linux_web_app" "exemple" {
  client_cert_enabled = true
  client_cert_mode = "Required"
}

See

OWASP Top 10 2021 Category A1 - Boken Access Control
OWASP Top 10 2017 Category A5 - Broken Access Control
MITRE, CWE-668 - Exposure of Resource to Wrong Sphere

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted