| Repository | cloudposse / terraform-aws-ec2-bastion-server |
|---|---|
| Description | Terraform module to define a generic Bastion host with parameterized user_data and support for AWS SSM Session Manager for remote access with IAM authentication. |
| Stars | 131 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
```text
2023-10-05 14:55:33,480 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:33,481 [MainThread ] [WARNI] Failed to download module cloudposse/security-group/aws:0.3.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:33,481 [MainThread ] [WARNI] Failed to download module cloudposse/route53-cluster-hostname/aws:0.12.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:33,481 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:33,481 [MainThread ] [WARNI] Failed to download module cloudposse/dynamic-subnets/aws:0.39.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:33,481 [MainThread ] [WARNI] Failed to download module cloudposse/key-pair/aws:0.18.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 24, Failed checks: 5, Skipped checks: 2
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.ec2_bastion.aws_iam_policy_document.main
File: /iam.tf:41-103
Calling File: /examples/complete/main.tf:37-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.ec2_bastion.aws_iam_policy_document.main
File: /iam.tf:41-103
Calling File: /examples/complete/main.tf:37-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.ec2_bastion.aws_iam_policy_document.main
File: /iam.tf:41-103
Calling File: /examples/complete/main.tf:37-51
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.ec2_bastion.aws_instance.default
File: /main.tf:54-93
Calling File: /examples/complete/main.tf:37-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
54 | resource "aws_instance" "default" {
55 | #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
56 | #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
57 | count = module.this.enabled ? 1 : 0
58 | ami = coalesce(var.ami, join("", data.aws_ami.default.*.id))
59 | instance_type = var.instance_type
60 | user_data = length(var.user_data_base64) > 0 ? var.user_data_base64 : local.user_data_templated
61 | vpc_security_group_ids = compact(concat(module.security_group.*.id, var.security_groups))
62 | iam_instance_profile = local.instance_profile
63 | associate_public_ip_address = var.associate_public_ip_address
64 | key_name = var.key_name
65 | subnet_id = var.subnets[0]
66 | monitoring = var.monitoring
67 | disable_api_termination = var.disable_api_termination
68 |
69 | metadata_options {
70 | http_endpoint = (var.metadata_http_endpoint_enabled) ? "enabled" : "disabled"
71 | http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
72 | http_tokens = (var.metadata_http_tokens_required) ? "required" : "optional"
73 | }
74 |
75 | root_block_device {
76 | encrypted = var.root_block_device_encrypted
77 | volume_size = var.root_block_device_volume_size
78 | }
79 |
80 | # Optional block; skipped if var.ebs_block_device_volume_size is zero
81 | dynamic "ebs_block_device" {
82 | for_each = var.ebs_block_device_volume_size > 0 ? [1] : []
83 |
84 | content {
85 | encrypted = var.ebs_block_device_encrypted
86 | volume_size = var.ebs_block_device_volume_size
87 | delete_on_termination = var.ebs_delete_on_termination
88 | device_name = var.ebs_device_name
89 | }
90 | }
91 |
92 | tags = module.this.tags
93 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.ec2_bastion.aws_instance.default
File: /main.tf:54-93
Calling File: /examples/complete/main.tf:37-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
54 | resource "aws_instance" "default" {
55 | #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
56 | #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
57 | count = module.this.enabled ? 1 : 0
58 | ami = coalesce(var.ami, join("", data.aws_ami.default.*.id))
59 | instance_type = var.instance_type
60 | user_data = length(var.user_data_base64) > 0 ? var.user_data_base64 : local.user_data_templated
61 | vpc_security_group_ids = compact(concat(module.security_group.*.id, var.security_groups))
62 | iam_instance_profile = local.instance_profile
63 | associate_public_ip_address = var.associate_public_ip_address
64 | key_name = var.key_name
65 | subnet_id = var.subnets[0]
66 | monitoring = var.monitoring
67 | disable_api_termination = var.disable_api_termination
68 |
69 | metadata_options {
70 | http_endpoint = (var.metadata_http_endpoint_enabled) ? "enabled" : "disabled"
71 | http_put_response_hop_limit = var.metadata_http_put_response_hop_limit
72 | http_tokens = (var.metadata_http_tokens_required) ? "required" : "optional"
73 | }
74 |
75 | root_block_device {
76 | encrypted = var.root_block_device_encrypted
77 | volume_size = var.root_block_device_volume_size
78 | }
79 |
80 | # Optional block; skipped if var.ebs_block_device_volume_size is zero
81 | dynamic "ebs_block_device" {
82 | for_each = var.ebs_block_device_volume_size > 0 ? [1] : []
83 |
84 | content {
85 | encrypted = var.ebs_block_device_encrypted
86 | volume_size = var.ebs_block_device_volume_size
87 | delete_on_termination = var.ebs_delete_on_termination
88 | device_name = var.ebs_device_name
89 | }
90 | }
91 |
92 | tags = module.this.tags
93 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
```
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools