| Repository | cloudposse / terraform-aws-cloudfront-s3-cdn |
|---|---|
| Description | Terraform module to easily provision CloudFront CDN backed by an S3 origin |
| Stars | 256 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:50:46,812 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:46,812 [MainThread ] [WARNI] Failed to download module cloudposse/s3-log-storage/aws:1.4.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:46,812 [MainThread ] [WARNI] Failed to download module cloudposse/route53-alias/aws:0.13.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:46,812 [MainThread ] [WARNI] Failed to download module cloudposse/iam-role/aws:0.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:46,813 [MainThread ] [WARNI] Failed to download module cloudposse/s3-bucket/aws:3.1.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:50:46,813 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.24.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 102, Failed checks: 7, Skipped checks: 20
Check: CKV_AWS_283: "Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource"
FAILED for resource: aws_iam_policy_document.document
File: /examples/complete/main.tf:15-31
15 | data "aws_iam_policy_document" "document" {
16 |   count = local.enabled ? 1 : 0
17 |
18 |   statement {
19 |     sid = "TemplateTest"
20 |
21 |     actions = ["s3:GetObject"]
22 |     resources = [
23 |       "arn:${join("", data.aws_partition.current[*].partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
24 |     ]
25 |
26 |     principals {
27 |       type        = "AWS"
28 |       identifiers = ["*"]
29 |     }
30 |   }
31 | }
Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket_public_access_block.origin[0]
File: /main.tf:307-319
Calling File: /examples/complete/main.tf:80-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
307 | resource "aws_s3_bucket_public_access_block" "origin" {
308 |   count = (local.create_s3_origin_bucket || local.override_origin_bucket_policy) ? 1 : 0
309 |
310 |   bucket = local.bucket
311 |
312 |   # Allows the bucket to be publicly accessible by policy
313 |   block_public_policy     = var.block_origin_public_access_enabled
314 |   restrict_public_buckets = var.block_origin_public_access_enabled
315 |
316 |   # Always block ACL access. We're using policies instead
317 |   block_public_acls  = true
318 |   ignore_public_acls = true
319 | }
Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket_public_access_block.origin[0]
File: /main.tf:307-319
Calling File: /examples/complete/main.tf:80-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
307 | resource "aws_s3_bucket_public_access_block" "origin" {
308 |   count = (local.create_s3_origin_bucket || local.override_origin_bucket_policy) ? 1 : 0
309 |
310 |   bucket = local.bucket
311 |
312 |   # Allows the bucket to be publicly accessible by policy
313 |   block_public_policy     = var.block_origin_public_access_enabled
314 |   restrict_public_buckets = var.block_origin_public_access_enabled
315 |
316 |   # Always block ACL access. We're using policies instead
317 |   block_public_acls  = true
318 |   ignore_public_acls = true
319 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.lambda_at_edge.aws_lambda_function.default
File: /modules/lambda@edge/main.tf:71-85
Calling File: /examples/complete/lambda-at-edge.tf:6-95
71 | resource "aws_lambda_function" "default" {
72 |   #bridgecrew:skip=BC_AWS_GENERAL_64:Lambda@Edge functions associated with CF distributions do not support DLQs.
73 |   #bridgecrew:skip=BC_AWS_SERVERLESS_4:Lambda@Edge functions do not support X-Ray tracing.
74 |   #bridgecrew:skip=BC_AWS_GENERAL_65:Lambda@Edge functions cannot be configured for connectivity inside a VPC.
75 |   #bridgecrew:skip=BC_AWS_GENERAL_63:Lambda@Edge functions cannot be configured for reserved concurrency.
76 |   for_each = local.functions
77 |
78 |   function_name    = module.function_label[each.key].id
79 |   runtime          = each.value.runtime
80 |   handler          = each.value.handler
81 |   role             = module.role[each.key].arn
82 |   filename         = each.value.source_zip != null ? data.local_file.lambda_zip[each.key].filename : data.archive_file.lambda_zip[each.key].output_path
83 |   source_code_hash = each.value.source_zip != null ? sha256(data.local_file.lambda_zip[each.key].content_base64) : data.archive_file.lambda_zip[each.key].output_base64sha256
84 |   publish          = true
85 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket.origin
File: /main.tf:248-305
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket_ownership_controls.origin
File: /main.tf:321-331
321 | resource "aws_s3_bucket_ownership_controls" "origin" {
322 |   count = local.create_s3_origin_bucket ? 1 : 0
323 |
324 |   bucket = local.bucket
325 |
326 |   rule {
327 |     object_ownership = var.s3_object_ownership
328 |   }
329 |
330 |   depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
331 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.cloudfront_s3_cdn.aws_s3_bucket.origin
File: /main.tf:248-305
Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools