Airflow Config Exposure
Description
Detects public exposure of the Apache Airflow configuration file.
Remediation
To remediate an Airflow Config Exposure, follow these steps:
- Identify and restrict access to the Airflow configuration file (airflow.cfg) to only authorized users.
- Ensure that the Airflow metadata database password and other sensitive information are not stored in plain text within the configuration file.
- Use environment variables or a secrets backend to manage sensitive information securely.
- Regularly audit and rotate credentials and secrets.
- Implement file system permissions and access controls to prevent unauthorized reading or modification of the configuration file.
- Review and update your Airflow webserver configuration to disable the exposure of sensitive configuration variables via the web interface.
- Apply network security measures to limit access to the Airflow webserver and metadata database to trusted networks only.
- Keep Airflow and its dependencies up to date with the latest security patches.
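An added example (not part of the original check documentation or the scanner's own code): a small audit of an airflow.cfg covering the file-permission, plaintext-secret and expose_config steps above. The SENSITIVE shortlist, the sample configuration and the permission threshold are assumptions made for illustration.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Airflow options that hold secrets (assumed shortlist for this example).
SENSITIVE = [("database", "sql_alchemy_conn"), ("core", "sql_alchemy_conn"),
             ("core", "fernet_key"), ("webserver", "secret_key"),
             ("celery", "broker_url"), ("celery", "result_backend")]

# Constructed sample input, not taken from a real deployment.
SAMPLE_CFG = """\
[core]
fernet_key = CONSTRUCTED-EXAMPLE-KEY
[database]
sql_alchemy_conn = postgresql://airflow:example-password@db.internal/airflow
[webserver]
expose_config = True
secret_key_cmd = cat /run/secrets/airflow_webserver_key
[logging]
log_format = [%(asctime)s] %(levelname)s - %(message)s
"""

def audit_airflow_cfg(path):
    """Return a list of findings for one airflow.cfg file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o027:  # group-write, or any access for "other"
        findings.append(f"permissions {oct(mode)} are too broad; use 0600 or 0640")
    # interpolation=None: airflow.cfg contains literal %(...)s log formats
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(path)
    for section, key in SENSITIVE:
        value = cfg.get(section, key, fallback="").strip()
        if not value:
            continue  # unset, or supplied via <key>_cmd / <key>_secret / env var
        if "://" not in value or urlsplit(value).password:
            findings.append(f"[{section}] {key} holds a plaintext secret")
    if cfg.get("webserver", "expose_config", fallback="False").strip().lower() == "true":
        findings.append("[webserver] expose_config = True shows the config in the UI")
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as f:
        f.write(SAMPLE_CFG)
    os.chmod(f.name, 0o644)
    for finding in audit_airflow_cfg(f.name):
        print("FINDING:", finding)
    os.unlink(f.name)
```

Options supplied through a `_cmd` or `_secret` variant, or through an `AIRFLOW__SECTION__KEY` environment variable, leave the plain key unset in the file and are therefore not reported.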
Configuration
Identifier: information_disclosure/airflow_config_exposure
Examples
Ignore this check
checks:
  information_disclosure/airflow_config_exposure:
    skip: true
Score
- Escape Severity: HIGH
Compliance
- OWASP: API8:2023
- pci: 2.2
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.12.6
- nist: SP800-123
- fedramp: AC-6