-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CAS feature #4
base: main
Are you sure you want to change the base?
CAS feature #4
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prisma Cloud has found errors in this PR ⬇️
@@ -0,0 +1,18 @@ | |||
# AV S3 | |||
resource "aws_s3_bucket" "data" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
S3 Bucket does not have public access blocks
Resource: aws_s3_bucket.data | Checkov ID: CKV2_AWS_6
How to Fix
resource "aws_s3_bucket" "bucket_good_1" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_public_access_block" "access_good_1" {
+ bucket = aws_s3_bucket.bucket_good_1.id
+
+ block_public_acls = true
+ block_public_policy = true
+ }
Description
When you create an S3 bucket, it is good practice to set the additional resource aws_s3_bucket_public_access_block to ensure the bucket is never accidentally public.
We recommend you ensure S3 bucket has public access blocks.
If the public access block is not attached it defaults to False.
versioning { | ||
enabled = "${var.versioning_enabled}" | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
} | |
} | |
resource "aws_s3_bucket_versioning" "data" { | |
bucket = aws_s3_bucket.data.id | |
versioning_configuration { | |
status = "Enabled" | |
} | |
} | |
resource "aws_s3_bucket" "data_destination" { | |
# checkov:skip=CKV_AWS_144:the resource is auto generated to be a destination for replication | |
bucket = aws_s3_bucket.data.id | |
versioning_configuration { | |
status = "Enabled" | |
} | |
} | |
resource "aws_iam_role" "data_replication" { | |
name = "aws-iam-role" | |
assume_role_policy = <<POLICY | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Action": "sts:AssumeRole", | |
"Principal": { | |
"Service": "s3.amazonaws.com" | |
}, | |
"Effect": "Allow", | |
"Sid": "" | |
} | |
] | |
} | |
POLICY | |
} | |
resource "aws_s3_bucket_replication_configuration" "data" { | |
depends_on = [aws_s3_bucket_versioning.data] | |
role = aws_iam_role.data_replication.arn | |
bucket = aws_s3_bucket.data.id | |
rule { | |
id = "foobar" | |
status = "Enabled" | |
destination { | |
bucket = aws_s3_bucket.data_destination.arn | |
storage_class = "STANDARD" | |
} | |
} | |
} | |
S3 bucket cross-region replication disabled
Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_144
How to Fix
resource "aws_s3_bucket" "east" {
bucket = "tf-test-bucket-east-12345"
}
+ resource "aws_s3_bucket_versioning" "east" {
+ bucket = aws_s3_bucket.east.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket" "west" {
+ provider = aws.west
+ bucket = "tf-test-bucket-west-12345"
+ }
+ resource "aws_s3_bucket_versioning" "west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.west.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+ depends_on = [aws_s3_bucket_versioning.east]
+ role = aws_iam_role.east_replication.arn
+ bucket = aws_s3_bucket.east.id
+
+ rule {
+ status = "Enabled"
+
+ destination {
+ bucket = aws_s3_bucket.west.arn
+ storage_class = "STANDARD"
+ }
+ }
+ }
Description
Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets.
By default, replication supports copying new S3 objects after it is enabled. It also requires versioning for the buckets involved. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.
versioning { | ||
enabled = "${var.versioning_enabled}" | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
} | |
} | |
resource "aws_s3_bucket_server_side_encryption_configuration" "data" { | |
bucket = aws_s3_bucket.data.bucket | |
rule { | |
apply_server_side_encryption_by_default { | |
sse_algorithm = "aws:kms" | |
} | |
} | |
} | |
S3 buckets are not encrypted with KMS
Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_145
How to Fix
resource "aws_s3_bucket" "bucket_name" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+ bucket = aws_s3_bucket.bucket_name.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
Description
Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
# bucket does not have access logs | ||
# bucket does not have versioning | ||
bucket = "${local.resource_prefix.value}-data2" | ||
acl = "public-read" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
acl = "public-read" | |
acl = "private" |
AWS S3 bucket ACL grants READ permission to everyone
Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_20
How to Fix
resource "aws_s3_bucket_acl" "data" {
bucket = aws_s3_bucket.private_acl_v4.id
- acl = "public-read"
+ acl = "private"
}
Description
Unprotected S3 buckets are one of the major causes of data theft and intrusions.
An S3 bucket that allows READ access to everyone can provide attackers the ability to read object data within the bucket, which can lead to the exposure of sensitive data.
The only S3 buckets that should be globally accessible for unauthenticated users or for Any AWS Authenticate Users are those used for hosting static websites.A bucket ACL helps manage access to S3 bucket data. We recommend ensuring AWS S3 buckets are not publicly accessible for READ actions to protect S3 data from unauthorized users and exposing sensitive data to public access.
@@ -0,0 +1,18 @@ | |||
# AV S3 | |||
resource "aws_s3_bucket" "data" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
6:44