Create test.tf #18
| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| export AWS_SECRET_ACCESS_KEY=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 |
Base64 High Entropy Strings
Resource: c00f1a6e4b20aa64691d50781b810756d6254b8e | Checkov ID: CKV_SECRET_6
Description
Entropy checks help detect unstructured secrets by measuring the entropy level of a single string.
Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters.
Strings with a high entropy score are flagged as suspected secrets.
| }) | ||
| } | ||
| resource "aws_ebs_volume" "web_host_storage" { |
Not only encrypted EBS volumes are attached to EC2 instances
Resource: aws_ebs_volume.web_host_storage | Checkov ID: CKV2_AWS_2
How to Fix
resource "aws_instance" "web" {
ami = "ami-21f78e11"
availability_zone = "us-west-2a"
instance_type = "t2.micro"
tags = {
Name = "HelloWorld"
}
}
resource "aws_volume_attachment" "ok_attachment1" {
device_name = "/dev/sdh3"
volume_id = aws_ebs_volume.ok_ebs2.id
instance_id = aws_instance.web.id
}
resource "aws_ebs_volume" "ok_ebs2" {
availability_zone = ""
encrypted = true
}
Description
Encrypting your AWS EBS volumes helps protect your data from unauthorized access or tampering.
That way, you can ensure that only authorized users can access and modify the contents of your volumes.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
| }) | ||
| } | ||
| resource "aws_s3_bucket" "flowbucket" { |
S3 Bucket does not have public access blocks
Resource: aws_s3_bucket.flowbucket | Checkov ID: CKV2_AWS_6
How to Fix
resource "aws_s3_bucket" "bucket_good_1" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_public_access_block" "access_good_1" {
+ bucket = aws_s3_bucket.bucket_good_1.id
+
+ block_public_acls = true
+ block_public_policy = true
+ }
Description
When you create an S3 bucket, it is good practice to set the additional resource aws_s3_bucket_public_access_block to ensure the bucket is never accidentally public.
We recommend you ensure S3 bucket has public access blocks.
If the public access block is not attached, it defaults to False.
| }) | ||
| } | ||
| resource "aws_s3_bucket" "flowbucket" { |
| resource "aws_s3_bucket" "flowbucket" { | |
| } | |
| resource "aws_s3_bucket_versioning" "flowbucket" { | |
| bucket = aws_s3_bucket.flowbucket.id | |
| versioning_configuration { | |
| status = "Enabled" | |
| } | |
| } | |
| resource "aws_s3_bucket" "flowbucket_destination" { | |
| # checkov:skip=CKV_AWS_144:the resource is auto generated to be a destination for replication | |
| bucket = aws_s3_bucket.flowbucket.id | |
| versioning_configuration { | |
| status = "Enabled" | |
| } | |
| } | |
| resource "aws_iam_role" "flowbucket_replication" { | |
| name = "aws-iam-role" | |
| assume_role_policy = <<POLICY | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "s3.amazonaws.com" | |
| }, | |
| "Effect": "Allow", | |
| "Sid": "" | |
| } | |
| ] | |
| } | |
| POLICY | |
| } | |
| resource "aws_s3_bucket_replication_configuration" "flowbucket" { | |
| depends_on = [aws_s3_bucket_versioning.flowbucket] | |
| role = aws_iam_role.flowbucket_replication.arn | |
| bucket = aws_s3_bucket.flowbucket.id | |
| rule { | |
| id = "foobar" | |
| status = "Enabled" | |
| destination { | |
| bucket = aws_s3_bucket.flowbucket_destination.arn | |
| storage_class = "STANDARD" | |
| } | |
| } | |
| } | |
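Review bot: the suggested `aws_s3_bucket "flowbucket_destination"` block will not validate as written. `bucket = aws_s3_bucket.flowbucket.id` gives the destination the same name as the source (the `id` of an `aws_s3_bucket` is its name), so this declares a second bucket under the source's name rather than a separate replica, and `versioning_configuration` is not an argument of `aws_s3_bucket` in the provider generation that the suggestion's own separate `aws_s3_bucket_versioning.flowbucket` resource belongs to. Give the destination a distinct name, move its versioning into its own `aws_s3_bucket_versioning` resource, and add that resource to the `depends_on` of `aws_s3_bucket_replication_configuration.flowbucket`, since replication needs versioning enabled on both buckets (the How to Fix below versions both `east` and `west`).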
S3 bucket cross-region replication disabled
Resource: aws_s3_bucket.flowbucket | Checkov ID: CKV_AWS_144
How to Fix
resource "aws_s3_bucket" "east" {
bucket = "tf-test-bucket-east-12345"
}
+ resource "aws_s3_bucket_versioning" "east" {
+ bucket = aws_s3_bucket.east.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket" "west" {
+ provider = aws.west
+ bucket = "tf-test-bucket-west-12345"
+ }
+ resource "aws_s3_bucket_versioning" "west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.west.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+ depends_on = [aws_s3_bucket_versioning.east]
+ role = aws_iam_role.east_replication.arn
+ bucket = aws_s3_bucket.east.id
+
+ rule {
+ status = "Enabled"
+
+ destination {
+ bucket = aws_s3_bucket.west.arn
+ storage_class = "STANDARD"
+ }
+ }
+ }
Description
Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets.
By default, replication supports copying new S3 objects after it is enabled. It also requires versioning for the buckets involved. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.
| instance_id = "${aws_instance.web_host.id}" | ||
| } | ||
| resource "aws_security_group" "web-node" { |
AWS security groups allow ingress from 0.0.0.0/0 to port 80
Resource: aws_security_group.web-node | Checkov ID: CKV_AWS_260
How to Fix
resource "aws_security_group" "bar-sg" {
name = "sg-bar"
vpc_id = aws_vpc.main.id
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
security_groups = [aws_security_group.foo-sg.id]
description = "foo"
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
Description
Allowing ingress from 0.0.0.0/0 to port 80 (i.e. the HTTP port) can expose your Amazon Web Services (AWS) resources to potential security threats.
This is because 0.0.0.0/0 represents all IP addresses, and allowing traffic from all IP addresses to port 80 can make it easier for attackers to access your resources.
By ensuring that your AWS security groups do not allow ingress from 0.0.0.0/0 to port 80, you can help protect your resources from potential attacks and unauthorized access.
Instead, you should specify the IP addresses or ranges of IP addresses that are allowed to access your resources, and only allow traffic from those sources.
| }) | ||
| } | ||
| resource "aws_subnet" "web_subnet" { |
AWS VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.web_subnet | Checkov ID: CKV_AWS_130
How to Fix
resource "aws_subnet" "test" {
...
+ map_public_ip_on_launch = false
}
Description
A VPC subnet is a part of the VPC with its own rules for traffic.
Automatically assigning a public IP to the subnet (on launch) can accidentally expose the instances within this subnet to the internet, and the setting should be edited to 'No' after the subnet is created.
| git_repo = "terragoat" | ||
| yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6" | ||
| }) | ||
| } |
| } | |
| metadata_options { | |
| http_tokens = "required" | |
| } | |
| } |
AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_79
How to Fix
resource "aws_instance" "example" {
...
instance_type = "t2.micro"
+ metadata_options {
...
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
...
}
Description
The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata.
You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) -- a request/response method
- Instance Metadata Service Version 2 (IMDSv2) -- a session-oriented method
As a request/response method, IMDSv1 is prone to local misconfigurations:
- Open proxies, open NATs and routers, server-side reflection vulnerabilities.
- One way or another, local software might access local-only data.
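The request/response versus session distinction above, as an added example (not AWS or Checkov code): a toy in-process model of the metadata service whose `http_tokens` takes the same two values as the Terraform `metadata_options` argument in the fix. The header names and the 21600-second token cap are IMDSv2's; the service class, credential path and credential value are constructed for illustration.

```python
"""Toy model of IMDSv1 (one unauthenticated GET) versus IMDSv2 (PUT for a
session token, then GET with that token), as enforced by
metadata_options { http_tokens = "required" } in the CKV_AWS_79 fix.
Added example, not AWS or Checkov code."""
import secrets
import time

TOKEN_PATH = "/latest/api/token"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"  # IMDSv2 request header
TOKEN_HEADER = "X-aws-ec2-metadata-token"                  # IMDSv2 session header
MAX_TTL = 21600                                            # IMDSv2 caps tokens at 6 hours
CRED_PATH = "/latest/meta-data/iam/security-credentials/web-role"  # constructed path


class MetadataService:
    """Minimal IMDS stand-in. http_tokens mirrors the Terraform argument:
    "optional" (the default; token-less IMDSv1 GETs are answered) or
    "required" (every GET must carry a valid session token)."""

    def __init__(self, http_tokens="optional"):
        if http_tokens not in ("optional", "required"):
            raise ValueError("http_tokens must be 'optional' or 'required'")
        self.http_tokens = http_tokens
        self._tokens = {}  # issued token -> expiry (monotonic seconds)
        self._data = {CRED_PATH: "constructed-temporary-credential"}  # constructed

    def handle(self, method, path, headers=None):
        """Serve one request and return (status, body)."""
        headers = headers or {}
        if method == "PUT" and path == TOKEN_PATH:
            # IMDSv2 session start: the TTL header is mandatory and bounded.
            try:
                ttl = int(headers.get(TOKEN_TTL_HEADER, ""))
            except ValueError:
                return 400, ""
            if not 1 <= ttl <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.monotonic() + ttl
            return 200, token
        if method != "GET":
            return 405, ""
        token = headers.get(TOKEN_HEADER)
        if token is not None:
            # IMDSv2 path: the token must be one we issued and still live.
            expiry = self._tokens.get(token)
            if expiry is None or expiry < time.monotonic():
                return 401, ""
        elif self.http_tokens == "required":
            # Token-less IMDSv1-style GET: refused once v2 is enforced.
            return 401, ""
        body = self._data.get(path)
        return (200, body) if body is not None else (404, "")


def one_shot_get(svc, path):
    """IMDSv1 access pattern: a single GET with no prior exchange. This is
    the request shape the misconfigurations listed above can relay, which
    is why it should be refused on instances that hold credentials."""
    return svc.handle("GET", path)[0]


def session_get(svc, path, ttl=300):
    """IMDSv2 access pattern: PUT for a token, then GET with the token
    header. Returns the final HTTP status."""
    status, token = svc.handle("PUT", TOKEN_PATH, {TOKEN_TTL_HEADER: str(ttl)})
    if status != 200:
        return status
    return svc.handle("GET", path, {TOKEN_HEADER: token})[0]


if __name__ == "__main__":
    for mode in ("optional", "required"):
        svc = MetadataService(http_tokens=mode)
        print(f"http_tokens={mode}: one-shot GET -> {one_shot_get(svc, CRED_PATH)}, "
              f"session GET -> {session_get(svc, CRED_PATH)}")
```

With `http_tokens = "optional"` both access patterns return 200; with `"required"` only the session pattern does, which is the behaviour the check asks for.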
| }) | ||
| } | ||
| resource "aws_subnet" "web_subnet2" { |
AWS VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.web_subnet2 | Checkov ID: CKV_AWS_130
How to Fix
resource "aws_subnet" "test" {
...
+ map_public_ip_on_launch = false
}
Description
A VPC subnet is a part of the VPC with its own rules for traffic.
Automatically assigning a public IP to the subnet (on launch) can accidentally expose the instances within this subnet to the internet, and the setting should be edited to 'No' after the subnet is created.
| git_repo = "terragoat" | ||
| yor_trace = "c5509daf-10f0-46af-9e03-41989212521d" | ||
| }) | ||
| } |
| } | |
| encrypted = true | |
| } |
AWS EBS volumes are not encrypted
Resource: aws_ebs_volume.web_host_storage | Checkov ID: CKV_AWS_3
How to Fix
resource "aws_ebs_volume" "example" {
...
availability_zone = "${var.availability_zone}"
+ encrypted = true
...
}
Description
Encrypting EBS volumes ensures that replicated copies of your images are secure even if they are accidentally exposed.
AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss.
We recommend you encrypt all data stored in the EBS.
| git_repo = "terragoat" | ||
| yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6" | ||
| }) | ||
| } |
| } | |
| monitoring = true | |
| } |
AWS EC2 instance detailed monitoring disabled
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_126
How to Fix
resource "aws_instance" "test" {
+ monitoring = true
}
Description
Enabling detailed monitoring for Amazon Elastic Compute Cloud (EC2) instances can provide you with additional data and insights about the performance and utilization of your instances.
Detailed monitoring can provide you with more data about the utilization of your instances, which can be helpful for capacity planning and optimization.
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
EC2 user data exposes secrets
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_46
How to Fix
resource "aws_instance" "web" {
...
instance_type = "t3.micro"
- user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}
Description
User Data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched.
It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations.
This code is not encrypted.
Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
EBS volumes do not have encrypted launch configurations
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_8
How to Fix
resource "aws_launch_configuration" "example" {
...
instance_type = "t2.micro"
+ root_block_device {
+ encrypted = true
+ }
...
}
Description
Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling.
When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.
| sudo apt-get install -y apache2 | ||
| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
AWS Access Keys
Resource: fc3f784491eba6121c3bfcc1652a2c57d27b16cb | Checkov ID: CKV_SECRET_2
Description
AWS Access Keys are long-term credentials for an IAM user or the AWS account root user.
You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
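Both secret checks raised on this diff (the entropy-based CKV_SECRET_6 comment earlier in the thread and the pattern-based CKV_SECRET_2 here), as an added example that is not Checkov's implementation: a Python pass over the user_data lines from the diff. The sample lines are constructed from the diff fragments and carry the page's EXAMPLE-style placeholder credentials; the `AKIA` pattern, the base64 token shape and the 4.5 bits/char limit are the assumptions this example makes.

```python
"""Secret-detection pass mirroring the two Checkov secret checks on this diff:
CKV_SECRET_2 (structured AWS access key IDs, matched by pattern) and
CKV_SECRET_6 (unstructured secrets, scored by Shannon entropy).
Added example, not Checkov's code."""
import math
import re
from collections import Counter

# Constructed sample: the user_data lines quoted in the diff fragments above,
# with the page's EXAMPLE-style placeholder credentials (not real keys).
SAMPLE_USER_DATA = """\
sudo apt-get install -y apache2
sudo systemctl start apache2
sudo systemctl enable apache2
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY
"""

# IAM user long-term key IDs: 20 uppercase alphanumerics prefixed with AKIA.
# A structured secret like this is caught by shape, not by randomness.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Candidate unstructured secrets: base64-alphabet runs of 20+ characters.
BASE64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
# Bits per character above which a base64-looking token is reported (the
# default base64 limit in detect-secrets, which Checkov's scanner builds on).
# Tune per repository: lower catches more, higher cuts false positives.
BASE64_ENTROPY_LIMIT = 4.5


def shannon_entropy(s):
    """Shannon entropy in bits per character (0 for a constant string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def candidate_tokens(line):
    """Whitespace-separated words; for NAME=VALUE assignments only VALUE is
    a candidate, so variable names with underscores are never scored."""
    return [word.partition("=")[2] or word for word in line.split()]


def scan_user_data(text, limit=BASE64_ENTROPY_LIMIT):
    """Return findings as dicts: check id, 1-based line, offending value and
    entropy score (None for the pattern-based check)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for key_id in AWS_KEY_ID_RE.findall(line):
            findings.append({"check": "CKV_SECRET_2", "line": lineno,
                             "value": key_id, "entropy": None})
        for tok in candidate_tokens(line):
            # Skip tokens that are not base64-shaped or were already reported.
            if not BASE64_TOKEN_RE.match(tok) or AWS_KEY_ID_RE.fullmatch(tok):
                continue
            h = shannon_entropy(tok)
            if h >= limit:
                findings.append({"check": "CKV_SECRET_6", "line": lineno,
                                 "value": tok, "entropy": round(h, 3)})
    return findings


def redact(text, findings):
    """Replace each reported value with a marker, as a pre-commit hook or CI
    log filter would before the user_data is stored or echoed."""
    for f in findings:
        text = text.replace(f["value"], "<redacted:%s>" % f["check"])
    return text


if __name__ == "__main__":
    found = scan_user_data(SAMPLE_USER_DATA)
    for f in found:
        print(f)
    print(redact(SAMPLE_USER_DATA, found))
```

The key ID scores only about 3.2 bits/char, below the entropy limit, which is why the two checks are separate: structured credentials need a pattern, and the entropy score is what catches the secret key that has no fixed prefix.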
| } | ||
| } | ||
| resource "aws_vpc" "web_vpc" { |
AWS Default Security Group does not restrict all traffic
Resource: aws_vpc.web_vpc | Checkov ID: CKV2_AWS_12
How to Fix
resource "aws_vpc" "issue_vpc" {
cidr_block = "10.0.0.0/16"
}
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.issue_vpc.id
- ingress {
- protocol = "-1"
- self = true
- from_port = 0
- to_port = 0
- }
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
}
Description
A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group.
If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group.
Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.
We recommend that your default security group restricts all inbound and outbound traffic.
The default VPC in every region should have its default security group updated to comply with this recommendation.
Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups.
This in turn reduces the exposure of those resources.
NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly. VPC flow logging can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering, discovering the minimum ports required by systems in the environment.
Even if the VPC flow logging recommendation described is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.
| sudo apt-get install -y apache2 | ||
| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
AWS Access Keys
Resource: fc3f784491eba6121c3bfcc1652a2c57d27b16cb | Policy ID: BC_GIT_2 | Checkov check ID: CKV_SECRET_2
Description
AWS Access Keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| export AWS_SECRET_ACCESS_KEY=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 |
Base64 High Entropy Strings
Resource: c00f1a6e4b20aa64691d50781b810756d6254b8e | Policy ID: BC_GIT_6 | Checkov check ID: CKV_SECRET_6
Description
Entropy checks help detect unstructured secrets by measuring the entropy level of a single string. Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. Strings with a high entropy score are flagged as suspected secrets.
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
esterTest1
Resource: aws_instance.web_host | Policy ID: 803920923337065472_AWS_1688975050442
Description
aaa
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "flowbucket" { |
| resource "aws_s3_bucket" "flowbucket" { | |
| } | |
| resource "aws_s3_bucket" "flowbucket_log_bucket" { | |
| bucket = "flowbucket-log-bucket" | |
| } | |
| resource "aws_s3_bucket_logging" "flowbucket" { | |
| bucket = aws_s3_bucket.flowbucket.id | |
| target_bucket = aws_s3_bucket.flowbucket_log_bucket.id | |
| target_prefix = "log/" | |
| } | |
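Review bot: the new `aws_s3_bucket "flowbucket_log_bucket"` inherits every gap already flagged on `flowbucket` in this thread (no public access block, no versioning, no KMS server-side encryption) and will itself fail this same CKV_AWS_18 check, since nothing logs its access. Either apply the same hardening resources to it or carry an explicit `# checkov:skip=CKV_AWS_18:<reason>` on it, as the replication suggestion above does for its destination bucket.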
AWS Access logging not enabled on S3 buckets
Resource: aws_s3_bucket.flowbucket | Policy ID: 803920923337065472_AWS_1659557921639 | Checkov ID: CKV_AWS_18
Description
https://docs.bridgecrew.io/docs/s3_13-enable-logging
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
| resource "aws_instance" "web_host" { | |
| metadata_options { | |
| http_tokens = "required" | |
| } | |
| } |
AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Resource: aws_instance.web_host | Policy ID: 803920923337065472_AWS_1680679565088 | Checkov ID: CKV_AWS_79
Description
Refer to the documentation for more details, https://docs.bridgecrew.io/docs/bc_aws_general_31
| }) | ||
| } | ||
| resource "aws_subnet" "web_subnet" { |
AWS VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.web_subnet | Policy ID: 803920923337065472_AWS_1669848378055 | Checkov ID: CKV_AWS_130
Description
https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
| }) | ||
| } | ||
| resource "aws_subnet" "web_subnet2" { |
AWS VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.web_subnet2 | Policy ID: 803920923337065472_AWS_1669848378055 | Checkov ID: CKV_AWS_130
Description
https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
milkana
Resource: aws_instance.web_host | Policy ID: 803920923337065472_AWS_1658067522984
Description
asdasd
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
123
Resource: aws_instance.web_host | Policy ID: 803920923337065472_AWS_1658067522853
Description
asdasd
| }) | ||
| } | ||
| resource "aws_s3_bucket" "flowbucket" { |
Copy of S3 bucket MFA Delete is not enabled
Resource: aws_s3_bucket.flowbucket | Policy ID: 803920923337065472_AWS_1672050768899
Description
Refer to the documentation for more details, https://docs.bridgecrew.io/docs/bc_aws_s3_24
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
EC2 EBS is not optimized
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_135
How to Fix
resource "aws_instance" "foo" {
...
+ ebs_optimized = true
}
Description
Ensuring that EC2 instances are EBS-optimized will help to deliver enhanced performance for EBS workloads.
They provide dedicated throughput to Amazon Elastic Block Store (EBS) volumes, which can result in improved EBS performance.
Additionally, EBS-optimized instances use a separate network connection for EBS traffic, which can reduce network latency and improve the performance of EBS-intensive workloads.
| }) | ||
| } | ||
| resource "aws_s3_bucket" "flowbucket" { |
AWS S3 Object Versioning is disabled
Resource: aws_s3_bucket.flowbucket | Policy ID: 803920923337065472_AWS_1680757299305 | Checkov ID: CKV_AWS_21
Description
Refer to the documentation for more details, https://docs.bridgecrew.io/docs/s3_16-enable-versioning
| instance_id = "${aws_instance.web_host.id}" | ||
| } | ||
| resource "aws_security_group" "web-node" { |
Not every Security Group rule has a description
Resource: aws_security_group.web-node | Checkov ID: CKV_AWS_23
How to Fix
resource "aws_security_group" "examplea" {
name = var.es_domain
description = "Allow inbound traffic to ElasticSearch from VPC CIDR"
vpc_id = var.vpc
ingress {
cidr_blocks = ["10.0.0.0/16"]
+ description = "What does this rule enable"
from_port = 80
protocol = "tcp"
to_port = 80
}
}
Description
Descriptions can be up to 255 characters long and can be set and viewed from the AWS Management Console, AWS Command Line Interface (CLI), and the AWS APIs.
We recommend you add descriptive text to each of your Security Group Rules clarifying each rule's goals; this helps prevent developer errors.
| sudo apt-get install -y apache2 | ||
| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
AWS Access Keys
Resource: fc3f784491eba6121c3bfcc1652a2c57d27b16cb | Policy ID: 1011525619932102656_GIT_1682385987037 | Checkov ID: CKV_SECRET_2
Description
https://docs.bridgecrew.io/docs/git_secrets_2
| }) | ||
| } | ||
| resource "aws_s3_bucket" "flowbucket" { |
| resource "aws_s3_bucket" "flowbucket" { | |
| } | |
| resource "aws_s3_bucket_server_side_encryption_configuration" "flowbucket" { | |
| bucket = aws_s3_bucket.flowbucket.bucket | |
| rule { | |
| apply_server_side_encryption_by_default { | |
| sse_algorithm = "aws:kms" | |
| } | |
| } | |
| } | |
S3 buckets are not encrypted with KMS
Resource: aws_s3_bucket.flowbucket | Checkov ID: CKV_AWS_145
How to Fix
resource "aws_s3_bucket" "bucket_name" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+ bucket = aws_s3_bucket.bucket_name.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
Description
Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
| }) | ||
| } | ||
| resource "aws_s3_bucket" "flowbucket" { |
| resource "aws_s3_bucket" "flowbucket" { | |
| } | |
| resource "aws_s3_bucket_versioning" "flowbucket" { | |
| bucket = aws_s3_bucket.flowbucket.id | |
| versioning_configuration { | |
| status = "Enabled" | |
| } | |
| } | |
AWS S3 Object Versioning is disabled
Resource: aws_s3_bucket.flowbucket | Policy ID: 1011525619932102656_AWS_1681176397476 | Checkov ID: CKV_AWS_21
Description
https://docs.bridgecrew.io/docs/s3_16-enable-versioning
| }) | ||
| } | ||
| resource "aws_subnet" "web_subnet" { |
AWS VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.web_subnet | Policy ID: 1011525619932102656_AWS_1681176396894 | Checkov ID: CKV_AWS_130
Description
https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
| git_repo = "terragoat" | ||
| yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6" | ||
| }) | ||
| } |
| } | |
| metadata_options { | |
| http_tokens = "required" | |
| } | |
| } |
AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Resource: aws_instance.web_host | Policy ID: 1011525619932102656_AWS_1681172922289 | Checkov ID: CKV_AWS_79
Description
https://docs.bridgecrew.io/docs/bc_aws_general_31
| git_repo = "terragoat" | ||
| yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6" | ||
| }) | ||
| } |
| } | |
| ebs_optimized = true | |
| } |
EC2 EBS is not optimized
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_135
How to Fix
resource "aws_instance" "foo" {
...
+ ebs_optimized = true
}
Description
Ensuring that EC2 instances are EBS-optimized will help to deliver enhanced performance for EBS workloads.
They provide dedicated throughput to Amazon Elastic Block Store (EBS) volumes, which can result in improved EBS performance.
Additionally, EBS-optimized instances use a separate network connection for EBS traffic, which can reduce network latency and improve the performance of EBS-intensive workloads.
| } | ||
| } | ||
|
|
||
| resource "aws_vpc" "web_vpc" { |
There was a problem hiding this comment.
AWS Default Security Group does not restrict all traffic
Resource: aws_vpc.web_vpc | Checkov ID: CKV2_AWS_12
How to Fix
resource "aws_vpc" "issue_vpc" {
cidr_block = "10.0.0.0/16"
}
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.issue_vpc.id
- ingress {
- protocol = "-1"
- self = true
- from_port = 0
- to_port = 0
- }
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
}Description
A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group.
If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group.
Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.
We recommend that your default security group restricts all inbound and outbound traffic.
The default VPC in every region should have its default security group updated to comply with this recommendation.
Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups.
This in-turn reduces the exposure of those resources.
NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly. VPC flow logging can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering, discovering the minimum ports required by systems in the environment.
Even if the VPC flow logging recommendation described is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "flowbucket" { |
| resource "aws_s3_bucket" "flowbucket" { | |
| } | |
| resource "aws_s3_bucket_server_side_encryption_configuration" "flowbucket" { | |
| bucket = aws_s3_bucket.flowbucket.bucket | |
| rule { | |
| apply_server_side_encryption_by_default { | |
| sse_algorithm = "aws:kms" | |
| } | |
| } | |
| } | |
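Review bot: the suggestion replaces the line `resource "aws_s3_bucket" "flowbucket" {` with a block that closes on the very next line, so the bucket attributes that follow in the original file would sit outside any resource and the file would stop parsing; append the `aws_s3_bucket_server_side_encryption_configuration` resource after the existing bucket block instead. The suggested rule also sets `sse_algorithm = "aws:kms"` without the `kms_master_key_id` that the How to Fix snippet below includes, which means the AWS-managed S3 key is used; say whether a customer-managed key is intended.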
S3 buckets are not encrypted with KMS
Resource: aws_s3_bucket.flowbucket | Checkov ID: CKV_AWS_145
How to Fix
resource "aws_s3_bucket" "bucket_name" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+ bucket = aws_s3_bucket.bucket_name.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
Description
Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
EBS volumes do not have encrypted launch configurations
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_8
How to Fix
resource "aws_launch_configuration" "example" {
...
instance_type = "t2.micro"
+ root_block_device {
+ encrypted = true
+ }
...
}
Description
Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling.
When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in transit between EBS and EC2 are all encrypted.
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
EC2 user data exposes secrets
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_46
How to Fix
resource "aws_instance" "web" {
...
instance_type = "t3.micro"
- user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}
Description
User Data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched.
It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations.
This code is not encrypted.
Removing secrets from easily accessed, unencrypted places reduces the risk of passwords, private keys and more being exposed to third parties.
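To show what the CKV_AWS_46 finding is looking for, here is an added Python check (not Checkov's implementation) that scans a user_data string for credential-style assignments and AWS access key IDs and, as a secondary signal, for long high-entropy tokens. The variable-name patterns, the base64 handling and the entropy threshold are this example's own choices; the first sample is the user_data value quoted in the How to Fix snippet above, the second is constructed.

```python
"""Scan EC2 user_data for embedded credentials (CKV_AWS_46 style).

Added example, not Checkov's implementation. user_data is readable by any
principal with basic EC2 read access, so anything secret-shaped in it is a
finding. Patterns, base64 handling and the entropy threshold are this
example's own assumptions.
"""
import base64
import math
import re

# Variable names commonly used for credentials in shell / cloud-init scripts.
CREDENTIAL_KEYS = re.compile(
    r"(?i)\b(aws_)?(access_key(_id)?|secret(_access)?_key|session_token"
    r"|password|api_key)\s*=\s*['\"]?([^\s'\"]+)"
)
# AWS access key IDs have a fixed shape: AKIA or ASIA followed by 16 chars.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Long base64-ish runs are the candidates for the entropy check.
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}")
BASE64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# The user_data value quoted in the finding's How to Fix snippet above.
SAMPLE_USER_DATA = ("access_key=123456ABCDEFGHIJZTLA and "
                    "secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA")
# Constructed: the same mistake delivered base64-encoded (user_data_base64).
SAMPLE_B64 = base64.b64encode(b"#!/bin/bash\nexport password=hunter2\n").decode()


def shannon_entropy(s):
    """Bits per character of s; random secrets score well above ordinary words."""
    if not s:
        return 0.0
    length = len(s)
    return -sum((n / length) * math.log2(n / length)
                for n in (s.count(c) for c in set(s)))


def decode_user_data(user_data):
    """Terraform's user_data_base64 and the EC2 API carry base64; accept plain text too."""
    candidate = user_data.strip()
    if len(candidate) % 4 == 0 and BASE64_SHAPE.fullmatch(candidate):
        try:
            return base64.b64decode(candidate, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            pass
    return user_data


def find_secrets(user_data, entropy_threshold=4.0):
    """Return a list of findings; an empty list means nothing secret-shaped was seen."""
    text = decode_user_data(user_data)
    findings = []
    for m in CREDENTIAL_KEYS.finditer(text):
        findings.append({"kind": "credential_assignment",
                         "name": m.group(0).split("=")[0].strip(),
                         "value": m.group(5)})
    for m in AWS_KEY_ID.finditer(text):
        findings.append({"kind": "aws_access_key_id", "value": m.group(0)})
    # Entropy is a fallback for secrets not introduced by a recognised name;
    # the threshold is an assumption tuned for base64-like material.
    for token in LONG_TOKEN.findall(text):
        already = any(f["value"] == token for f in findings)
        if not already and shannon_entropy(token) >= entropy_threshold:
            findings.append({"kind": "high_entropy", "value": token})
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_USER_DATA, SAMPLE_B64):
        for finding in find_secrets(sample):
            print(finding["kind"], finding.get("name", ""), finding["value"][:6] + "...")
```

The remediation the finding asks for is to drop the assignment entirely and let the instance obtain credentials from its instance profile, so a clean scan of user_data is the expected end state rather than a better-hidden value.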
| }) | ||
| } | ||
|
|
||
| resource "aws_subnet" "web_subnet" { |
AWS VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.web_subnet | Checkov ID: CKV_AWS_130
How to Fix
resource "aws_subnet" "test" {
...
+ map_public_ip_on_launch = false
}
Description
A VPC subnet is a part of the VPC that has its own rules for traffic.
Automatically assigning a public IP on launch to instances in this subnet can accidentally expose them to the internet; the setting should be changed to 'No' after the subnet is created.
| }) | ||
| } | ||
|
|
||
| resource "aws_subnet" "web_subnet2" { |
AWS VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.web_subnet2 | Checkov ID: CKV_AWS_130
How to Fix
resource "aws_subnet" "test" {
...
+ map_public_ip_on_launch = false
}
Description
A VPC subnet is a part of the VPC that has its own rules for traffic.
Automatically assigning a public IP on launch to instances in this subnet can accidentally expose them to the internet; the setting should be changed to 'No' after the subnet is created.
| }) | ||
| } | ||
|
|
||
| resource "aws_ebs_volume" "web_host_storage" { |
| resource "aws_ebs_volume" "web_host_storage" { | |
| encrypted = true | |
| } |
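Review bot: replacing the single line `resource "aws_ebs_volume" "web_host_storage" {` with a block that closes on its second line leaves the attributes that follow in the original file, and the original closing brace, outside any resource; the fix is the one attribute line `encrypted = true` inserted inside the existing block, as the How to Fix snippet below shows.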
AWS EBS volumes are not encrypted
Resource: aws_ebs_volume.web_host_storage | Checkov ID: CKV_AWS_3
How to Fix
resource "aws_ebs_volume" "example" {
...
availability_zone = "${var.availability_zone}"
+ encrypted = true
...
}
Description
Encrypting EBS volumes ensures that replicated copies of your images are secure even if they are accidentally exposed.
AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss.
We recommend you encrypt all data stored in the EBS.
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
| resource "aws_instance" "web_host" { | |
| metadata_options { | |
| http_tokens = "required" | |
| } | |
| } |
AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_79
How to Fix
resource "aws_instance" "example" {
...
instance_type = "t2.micro"
+ metadata_options {
...
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
...
}
Description
The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata.
You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) -- a request/response method
- Instance Metadata Service Version 2 (IMDSv2) -- a session-oriented method
As a request/response method IMDSv1 is prone to local misconfigurations:
- Open proxies, open NATs and routers, server-side reflection vulnerabilities.
- One way or another, local software might access local-only data.
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
123
Resource: aws_instance.web_host | Policy ID: 803920923337065472_AWS_1658067522853
Description
asdasd
| instance_id = "${aws_instance.web_host.id}" | ||
| } | ||
|
|
||
| resource "aws_security_group" "web-node" { |
Not every Security Group rule has a description
Resource: aws_security_group.web-node | Checkov ID: CKV_AWS_23
How to Fix
resource "aws_security_group" "examplea" {
name = var.es_domain
description = "Allow inbound traffic to ElasticSearch from VPC CIDR"
vpc_id = var.vpc
ingress {
cidr_blocks = ["10.0.0.0/16"]
+ description = "What does this rule enable"
from_port = 80
protocol = "tcp"
to_port = 80
}
}
Description
Descriptions can be up to 255 characters long and can be set and viewed from the AWS Management Console, AWS Command Line Interface (CLI), and the AWS APIs.
We recommend you add descriptive text to each of your Security Group Rules clarifying each rule's goals; this helps prevent developer errors.
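The comments above on IMDSv2 (CKV_AWS_79), S3 KMS encryption (CKV_AWS_145), EBS encryption (CKV_AWS_3), subnet public IP assignment (CKV_AWS_130) and security group rule descriptions (CKV_AWS_23) each describe one attribute-level rule. The added Python below (not Checkov's code) implements those rules as one function per resource type, in the spirit of a scan_resource_conf() method, over resource bodies parsed into plain dicts; the parsed-dict layout and the sample resources are constructed for this example, with names taken from this PR's findings.

```python
"""Checkov-style checks for the findings on this page.

Added example, not Checkov's code. Each check takes one resource body parsed
into a plain dict (nested blocks given as a dict or a list of dicts, the way
an HCL parser typically returns them) and returns True when the resource
passes. Sample resources are constructed; attribute names are the Terraform
AWS provider's.
"""


def blocks(conf, key):
    """Return the nested block(s) under key as a list, whatever shape the parser gave."""
    value = conf.get(key)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_imdsv2(instance):
    """CKV_AWS_79: metadata_options must require session tokens (IMDSv2)."""
    for opts in blocks(instance, "metadata_options"):
        if opts.get("http_endpoint") == "disabled":
            return True          # no metadata service at all also passes
        if opts.get("http_tokens") == "required":
            return True
    return False                 # absent block: IMDSv1 stays reachable


def check_ebs_encrypted(volume):
    """CKV_AWS_3: encryption at rest is opt-in on the volume resource."""
    return volume.get("encrypted") is True


def check_no_public_ip_on_launch(subnet):
    """CKV_AWS_130: the provider default is false; only an explicit true fails."""
    return subnet.get("map_public_ip_on_launch") is not True


def check_rule_descriptions(sg):
    """CKV_AWS_23: every inline ingress/egress rule carries a description."""
    rules = blocks(sg, "ingress") + blocks(sg, "egress")
    return all(rule.get("description") for rule in rules)


def check_s3_kms(sse_conf):
    """CKV_AWS_145: default encryption must be SSE-KMS, not SSE-S3 (AES256)."""
    for rule in blocks(sse_conf, "rule"):
        for default in blocks(rule, "apply_server_side_encryption_by_default"):
            if default.get("sse_algorithm") == "aws:kms":
                return True
    return False


CHECKS = {
    "aws_instance": [("CKV_AWS_79", check_imdsv2)],
    "aws_ebs_volume": [("CKV_AWS_3", check_ebs_encrypted)],
    "aws_subnet": [("CKV_AWS_130", check_no_public_ip_on_launch)],
    "aws_security_group": [("CKV_AWS_23", check_rule_descriptions)],
    "aws_s3_bucket_server_side_encryption_configuration": [("CKV_AWS_145", check_s3_kms)],
}


def scan(resources):
    """resources: iterable of (type, name, body). Returns failing (address, check id) pairs."""
    failures = []
    for rtype, name, body in resources:
        for check_id, fn in CHECKS.get(rtype, []):
            if not fn(body):
                failures.append((f"{rtype}.{name}", check_id))
    return failures


# Constructed sample, using the resource names this PR's findings cite.
SAMPLE_RESOURCES = [
    ("aws_instance", "web_host", {"instance_type": "t2.micro"}),
    ("aws_instance", "web_host_fixed", {
        "instance_type": "t2.micro",
        "metadata_options": [{"http_endpoint": "enabled", "http_tokens": "required"}],
    }),
    ("aws_ebs_volume", "web_host_storage", {"availability_zone": "us-west-2a", "size": 8}),
    ("aws_subnet", "web_subnet", {"cidr_block": "10.0.1.0/24", "map_public_ip_on_launch": True}),
    ("aws_security_group", "web-node", {
        "ingress": [{"from_port": 80, "to_port": 80, "protocol": "tcp",
                     "cidr_blocks": ["10.0.0.0/16"]}],
        "egress": {"from_port": 0, "to_port": 0, "protocol": "-1",
                   "cidr_blocks": ["0.0.0.0/0"], "description": "all outbound"},
    }),
    ("aws_s3_bucket_server_side_encryption_configuration", "flowbucket", {
        "bucket": "flowbucket",
        "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}],
    }),
]

if __name__ == "__main__":
    for address, check_id in scan(SAMPLE_RESOURCES):
        print(f"FAILED {check_id}: {address}")
```

Each check answers only from the resource body it is handed, which is why the IMDSv2 check fails a bare `aws_instance` with no `metadata_options` block at all: the instance-level default leaves IMDSv1 available, so silence is a failure rather than a pass.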
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
milkanaa
Resource: aws_instance.web_host | Policy ID: 803920923337065472_AWS_1658067522567
Description
asdasddasd asdasd asdasd
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
milkana
Resource: aws_instance.web_host | Policy ID: 803920923337065472_AWS_1658067522984
Description
asdasd
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "flowbucket" { |
Copy of S3 bucket MFA Delete is not enabled
Resource: aws_s3_bucket.flowbucket | Policy ID: 803920923337065472_AWS_1672050768899
Description
Refer to the documentation for more details: https://docs.bridgecrew.io/docs/bc_aws_s3_24
| git_repo = "terragoat" | ||
| yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6" | ||
| }) | ||
| } |
| } | |
| ebs_optimized = true | |
| } |
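Review bot: the suggestion replaces the resource's closing `}` with `}` / `ebs_optimized = true` / `}`, which closes the block before the attribute and leaves one brace unmatched; unless the selected range also covers the preceding `})` line, `ebs_optimized = true` belongs above the existing closing brace, as in the How to Fix snippet below.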
EC2 EBS is not optimized
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_135
How to Fix
resource "aws_instance" "foo" {
...
+ ebs_optimized = true
}
Description
Ensuring that EC2 instances are EBS-optimized will help to deliver enhanced performance for EBS workloads.
They provide dedicated throughput to Amazon Elastic Block Store (EBS) volumes, which can result in improved EBS performance.
Additionally, EBS-optimized instances use a separate network connection for EBS traffic, which can reduce network latency and improve the performance of EBS-intensive workloads.
| git_repo = "terragoat" | ||
| yor_trace = "f058838a-b1e0-4383-b965-7e06e987ffb1" | ||
| }) | ||
| } |
| } | |
| } | |
| resource "aws_s3_bucket_versioning" "flowbucket" { | |
| bucket = aws_s3_bucket.flowbucket.id | |
| versioning_configuration { | |
| status = "Enabled" | |
| } | |
| } | |
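Review bot: the two leading `}` lines in this suggestion close one block more than the commented line opens, so applying it as shown leaves the file with an unbalanced brace; the `aws_s3_bucket_versioning` resource itself is fine and should be appended after the existing `aws_s3_bucket` block rather than spliced into its closing line.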
AWS S3 Object Versioning is disabled
Resource: aws_s3_bucket.flowbucket | Policy ID: 803920923337065472_AWS_1680757299305 | Checkov ID: CKV_AWS_21
Description
Refer to the documentation for more details: https://docs.bridgecrew.io/docs/s3_16-enable-versioning
| git_repo = "terragoat" | ||
| yor_trace = "c5509daf-10f0-46af-9e03-41989212521d" | ||
| }) | ||
| } |
| } | |
| encrypted = true | |
| } |
AWS EBS volumes are not encrypted
Resource: aws_ebs_volume.web_host_storage | Checkov ID: CKV_AWS_3
How to Fix
resource "aws_ebs_volume" "example" {
...
availability_zone = "${var.availability_zone}"
+ encrypted = true
...
}
Description
Encrypting EBS volumes ensures that replicated copies of your images are secure even if they are accidentally exposed.
AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss.
We recommend you encrypt all data stored in the EBS.
No description provided.