| Repository | cloudposse / terraform-aws-cicd |
|---|---|
| Description | Terraform Module for CI/CD with AWS Code Pipeline and Code Build |
| Stars | 186 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:52:28,112 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:52:28,112 [MainThread ] [WARNI] Failed to download module cloudposse/codebuild/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:52:28,112 [MainThread ] [WARNI] Failed to download module cloudposse/repository-webhooks/github:0.12.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 63, Failed checks: 12, Skipped checks: 2
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
FAILED for resource: module.cicd.aws_iam_policy_document.default
File: /main.tf:89-114
Calling File: /examples/complete/main.tf:5-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation.html
89 | data "aws_iam_policy_document" "default" {
90 | count = local.enabled ? 1 : 0
91 |
92 | statement {
93 | sid = ""
94 |
95 | actions = [
96 | "elasticbeanstalk:*",
97 | "ec2:*",
98 | "elasticloadbalancing:*",
99 | "autoscaling:*",
100 | "cloudwatch:*",
101 | "s3:*",
102 | "sns:*",
103 | "cloudformation:*",
104 | "rds:*",
105 | "sqs:*",
106 | "ecs:*",
107 | "iam:PassRole",
108 | "logs:PutRetentionPolicy",
109 | ]
110 |
111 | resources = ["*"]
112 | effect = "Allow"
113 | }
114 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.cicd.aws_iam_policy_document.default
File: /main.tf:89-114
Calling File: /examples/complete/main.tf:5-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
89 | data "aws_iam_policy_document" "default" {
90 | count = local.enabled ? 1 : 0
91 |
92 | statement {
93 | sid = ""
94 |
95 | actions = [
96 | "elasticbeanstalk:*",
97 | "ec2:*",
98 | "elasticloadbalancing:*",
99 | "autoscaling:*",
100 | "cloudwatch:*",
101 | "s3:*",
102 | "sns:*",
103 | "cloudformation:*",
104 | "rds:*",
105 | "sqs:*",
106 | "ecs:*",
107 | "iam:PassRole",
108 | "logs:PutRetentionPolicy",
109 | ]
110 |
111 | resources = ["*"]
112 | effect = "Allow"
113 | }
114 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.cicd.aws_iam_policy_document.default
File: /main.tf:89-114
Calling File: /examples/complete/main.tf:5-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
89 | data "aws_iam_policy_document" "default" {
90 | count = local.enabled ? 1 : 0
91 |
92 | statement {
93 | sid = ""
94 |
95 | actions = [
96 | "elasticbeanstalk:*",
97 | "ec2:*",
98 | "elasticloadbalancing:*",
99 | "autoscaling:*",
100 | "cloudwatch:*",
101 | "s3:*",
102 | "sns:*",
103 | "cloudformation:*",
104 | "rds:*",
105 | "sqs:*",
106 | "ecs:*",
107 | "iam:PassRole",
108 | "logs:PutRetentionPolicy",
109 | ]
110 |
111 | resources = ["*"]
112 | effect = "Allow"
113 | }
114 | }
Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: module.cicd.aws_iam_policy_document.default
File: /main.tf:89-114
Calling File: /examples/complete/main.tf:5-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
89 | data "aws_iam_policy_document" "default" {
90 | count = local.enabled ? 1 : 0
91 |
92 | statement {
93 | sid = ""
94 |
95 | actions = [
96 | "elasticbeanstalk:*",
97 | "ec2:*",
98 | "elasticloadbalancing:*",
99 | "autoscaling:*",
100 | "cloudwatch:*",
101 | "s3:*",
102 | "sns:*",
103 | "cloudformation:*",
104 | "rds:*",
105 | "sqs:*",
106 | "ecs:*",
107 | "iam:PassRole",
108 | "logs:PutRetentionPolicy",
109 | ]
110 |
111 | resources = ["*"]
112 | effect = "Allow"
113 | }
114 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.cicd.aws_iam_policy_document.default
File: /main.tf:89-114
Calling File: /examples/complete/main.tf:5-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
89 | data "aws_iam_policy_document" "default" {
90 | count = local.enabled ? 1 : 0
91 |
92 | statement {
93 | sid = ""
94 |
95 | actions = [
96 | "elasticbeanstalk:*",
97 | "ec2:*",
98 | "elasticloadbalancing:*",
99 | "autoscaling:*",
100 | "cloudwatch:*",
101 | "s3:*",
102 | "sns:*",
103 | "cloudformation:*",
104 | "rds:*",
105 | "sqs:*",
106 | "ecs:*",
107 | "iam:PassRole",
108 | "logs:PutRetentionPolicy",
109 | ]
110 |
111 | resources = ["*"]
112 | effect = "Allow"
113 | }
114 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.cicd.aws_iam_policy_document.default
File: /main.tf:89-114
Calling File: /examples/complete/main.tf:5-19
89 | data "aws_iam_policy_document" "default" {
90 | count = local.enabled ? 1 : 0
91 |
92 | statement {
93 | sid = ""
94 |
95 | actions = [
96 | "elasticbeanstalk:*",
97 | "ec2:*",
98 | "elasticloadbalancing:*",
99 | "autoscaling:*",
100 | "cloudwatch:*",
101 | "s3:*",
102 | "sns:*",
103 | "cloudformation:*",
104 | "rds:*",
105 | "sqs:*",
106 | "ecs:*",
107 | "iam:PassRole",
108 | "logs:PutRetentionPolicy",
109 | ]
110 |
111 | resources = ["*"]
112 | effect = "Allow"
113 | }
114 | }
Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
FAILED for resource: module.cicd.aws_codepipeline.default
File: /main.tf:248-342
Calling File: /examples/complete/main.tf:5-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.cicd.aws_s3_bucket.default
File: /main.tf:15-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
15 | resource "aws_s3_bucket" "default" {
16 | #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
17 | #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
18 | #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
19 | count = local.enabled ? 1 : 0
20 | bucket = module.this.id
21 | acl = "private"
22 | force_destroy = var.force_destroy
23 | tags = module.this.tags
24 |
25 | versioning {
26 | enabled = var.versioning_enabled
27 | }
28 |
29 | dynamic "logging" {
30 | for_each = var.access_log_bucket_name != "" ? [1] : []
31 | content {
32 | target_bucket = var.access_log_bucket_name
33 | target_prefix = "logs/${module.this.id}/"
34 | }
35 | }
36 |
37 | dynamic "server_side_encryption_configuration" {
38 | for_each = var.s3_bucket_encryption_enabled ? [1] : []
39 |
40 | content {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
48 |
49 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.cicd.aws_s3_bucket.default
File: /main.tf:15-49
15 | resource "aws_s3_bucket" "default" {
16 | #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
17 | #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
18 | #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
19 | count = local.enabled ? 1 : 0
20 | bucket = module.this.id
21 | acl = "private"
22 | force_destroy = var.force_destroy
23 | tags = module.this.tags
24 |
25 | versioning {
26 | enabled = var.versioning_enabled
27 | }
28 |
29 | dynamic "logging" {
30 | for_each = var.access_log_bucket_name != "" ? [1] : []
31 | content {
32 | target_bucket = var.access_log_bucket_name
33 | target_prefix = "logs/${module.this.id}/"
34 | }
35 | }
36 |
37 | dynamic "server_side_encryption_configuration" {
38 | for_each = var.s3_bucket_encryption_enabled ? [1] : []
39 |
40 | content {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
48 |
49 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.cicd.aws_s3_bucket.default
File: /main.tf:15-49
15 | resource "aws_s3_bucket" "default" {
16 | #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
17 | #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
18 | #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
19 | count = local.enabled ? 1 : 0
20 | bucket = module.this.id
21 | acl = "private"
22 | force_destroy = var.force_destroy
23 | tags = module.this.tags
24 |
25 | versioning {
26 | enabled = var.versioning_enabled
27 | }
28 |
29 | dynamic "logging" {
30 | for_each = var.access_log_bucket_name != "" ? [1] : []
31 | content {
32 | target_bucket = var.access_log_bucket_name
33 | target_prefix = "logs/${module.this.id}/"
34 | }
35 | }
36 |
37 | dynamic "server_side_encryption_configuration" {
38 | for_each = var.s3_bucket_encryption_enabled ? [1] : []
39 |
40 | content {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
48 |
49 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.cicd.aws_s3_bucket.default
File: /main.tf:15-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
15 | resource "aws_s3_bucket" "default" {
16 | #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
17 | #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
18 | #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
19 | count = local.enabled ? 1 : 0
20 | bucket = module.this.id
21 | acl = "private"
22 | force_destroy = var.force_destroy
23 | tags = module.this.tags
24 |
25 | versioning {
26 | enabled = var.versioning_enabled
27 | }
28 |
29 | dynamic "logging" {
30 | for_each = var.access_log_bucket_name != "" ? [1] : []
31 | content {
32 | target_bucket = var.access_log_bucket_name
33 | target_prefix = "logs/${module.this.id}/"
34 | }
35 | }
36 |
37 | dynamic "server_side_encryption_configuration" {
38 | for_each = var.s3_bucket_encryption_enabled ? [1] : []
39 |
40 | content {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
48 |
49 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.cicd.aws_s3_bucket.default
File: /main.tf:15-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
15 | resource "aws_s3_bucket" "default" {
16 | #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
17 | #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
18 | #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
19 | count = local.enabled ? 1 : 0
20 | bucket = module.this.id
21 | acl = "private"
22 | force_destroy = var.force_destroy
23 | tags = module.this.tags
24 |
25 | versioning {
26 | enabled = var.versioning_enabled
27 | }
28 |
29 | dynamic "logging" {
30 | for_each = var.access_log_bucket_name != "" ? [1] : []
31 | content {
32 | target_bucket = var.access_log_bucket_name
33 | target_prefix = "logs/${module.this.id}/"
34 | }
35 | }
36 |
37 | dynamic "server_side_encryption_configuration" {
38 | for_each = var.s3_bucket_encryption_enabled ? [1] : []
39 |
40 | content {
41 | rule {
42 | apply_server_side_encryption_by_default {
43 | sse_algorithm = "AES256"
44 | }
45 | }
46 | }
47 | }
48 |
49 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools