CAS feature

[voysest-pan]

6:44

[prisma-cloud-devsecops]

Prisma Cloud has found errors in this PR ⬇️

[prisma-cloud-devsecops]

  S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.data | Checkov ID: CKV2_AWS_6

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}


+ resource "aws_s3_bucket_public_access_block" "access_good_1" {
+   bucket = aws_s3_bucket.bucket_good_1.id
+ 
+   block_public_acls   = true
+   block_public_policy = true
+ }

Description

When you create an S3 bucket, it is good practice to set the additional resource aws_s3_bucket_public_access_block to ensure the bucket is never accidentally public.
We recommend you ensure S3 bucket has public access blocks.
If the public access block is not attached it defaults to False.

[prisma-cloud-devsecops]

Suggested change

	}
	}
	resource "aws_s3_bucket_versioning" "data" {
	bucket = aws_s3_bucket.data.id
	versioning_configuration {
	status = "Enabled"
	}
	}
	resource "aws_s3_bucket" "data_destination" {
	# checkov:skip=CKV_AWS_144:the resource is auto generated to be a destination for replication
	bucket = aws_s3_bucket.data.id
	versioning_configuration {
	status = "Enabled"
	}
	}
	resource "aws_iam_role" "data_replication" {
	name = "aws-iam-role"
	assume_role_policy = <<POLICY
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Action": "sts:AssumeRole",
	"Principal": {
	"Service": "s3.amazonaws.com"
	},
	"Effect": "Allow",
	"Sid": ""
	}
	]
	}
	POLICY
	}
	resource "aws_s3_bucket_replication_configuration" "data" {
	depends_on = [aws_s3_bucket_versioning.data]
	role = aws_iam_role.data_replication.arn
	bucket = aws_s3_bucket.data.id
	rule {
	id = "foobar"
	status = "Enabled"
	destination {
	bucket = aws_s3_bucket.data_destination.arn
	storage_class = "STANDARD"
	}
	}
	}

  S3 bucket cross-region replication disabled
    Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_144

How to Fix

resource "aws_s3_bucket" "east" {
  bucket = "tf-test-bucket-east-12345"
}

+ resource "aws_s3_bucket_versioning" "east" {
+   bucket = aws_s3_bucket.east.id
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

+ resource "aws_s3_bucket" "west" {
+   provider = aws.west
+   bucket   = "tf-test-bucket-west-12345"
+ }

+ resource "aws_s3_bucket_versioning" "west" {
+   provider = aws.west

+   bucket = aws_s3_bucket.west.id
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+   depends_on = [aws_s3_bucket_versioning.east]
+   role   = aws_iam_role.east_replication.arn
+   bucket = aws_s3_bucket.east.id
+ 
+   rule {
+     status = "Enabled"
+ 
+     destination {
+       bucket        = aws_s3_bucket.west.arn
+       storage_class = "STANDARD"
+     }
+   }
+ }

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets.
By default, replication supports copying new S3 objects after it is enabled. It also requires versioning for the buckets involved. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

[prisma-cloud-devsecops]

Suggested change

	}
	}
	resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
	bucket = aws_s3_bucket.data.bucket
	rule {
	apply_server_side_encryption_by_default {
	sse_algorithm = "aws:kms"
	}
	}
	}

  S3 buckets are not encrypted with KMS
    Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_145

How to Fix

resource "aws_s3_bucket" "bucket_name" {
  bucket = "bucket_good"
}

+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+   bucket = aws_s3_bucket.bucket_name.bucket
+
+   rule {
+     apply_server_side_encryption_by_default {
+       kms_master_key_id = aws_kms_key.mykey.arn
+       sse_algorithm     = "aws:kms"
+     }
+   }
+ }

Description

Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.

[prisma-cloud-devsecops]

Suggested change

	acl = "public-read"
	acl = "private"

  AWS S3 bucket ACL grants READ permission to everyone
    Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_20

How to Fix

resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.private_acl_v4.id
-  acl    = "public-read"
+  acl    = "private"
}

Description

Unprotected S3 buckets are one of the major causes of data theft and intrusions.
An S3 bucket that allows READ access to everyone can provide attackers the ability to read object data within the bucket, which can lead to the exposure of sensitive data.
The only S3 buckets that should be globally accessible for unauthenticated users or for Any AWS Authenticate Users are those used for hosting static websites.A bucket ACL helps manage access to S3 bucket data. We recommend ensuring AWS S3 buckets are not publicly accessible for READ actions to protect S3 data from unauthorized users and exposing sensitive data to public access.

[prisma-cloud-devsecops]

  AWS S3 Object Versioning is disabled
    Resource: aws_s3_bucket.data | Policy ID: 1072679844523138048_AWS_1681275844102 | Checkov ID: CKV_AWS_21

Description

https://docs.bridgecrew.io/docs/s3_16-enable-versioning