Repository | cloudposse / terraform-aws-ecs-codepipeline |
Description | Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/ |
Stars | 142 |
---|---|
Failed Checks |
Security Scanning |
Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended
Terraform security scanning tools (example
checkov
output found below) - Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:55:12,062 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:12,062 [MainThread ] [WARNI] Failed to download module cloudposse/codebuild/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:12,062 [MainThread ] [WARNI] Failed to download module cloudposse/repository-webhooks/github:0.13.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:12,062 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:0.18.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:12,062 [MainThread ] [WARNI] Failed to download module cloudposse/dynamic-subnets/aws:0.39.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:12,063 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-container-definition/aws:0.46.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:55:12,063 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-alb-service-task/aws:0.42.3 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 82, Failed checks: 16, Skipped checks: 0
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: aws_ecs_cluster.default
File: /examples/complete/main.tf:26-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
26 | resource "aws_ecs_cluster" "default" {
27 | name = module.this.id
28 | tags = module.this.tags
29 | }
Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
FAILED for resource: module.ecs_codepipeline.aws_codepipeline.default[0]
File: /main.tf:260-340
Calling File: /examples/complete/main.tf:70-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
FAILED for resource: module.ecs_codepipeline.aws_codepipeline.bitbucket
File: /main.tf:343-418
Calling File: /examples/complete/main.tf:70-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
File: /main.tf:64-85
Calling File: /examples/complete/main.tf:70-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation.html
64 | data "aws_iam_policy_document" "default" {
65 | statement {
66 | sid = ""
67 |
68 | actions = [
69 | "ec2:*",
70 | "elasticloadbalancing:*",
71 | "autoscaling:*",
72 | "cloudwatch:*",
73 | "s3:*",
74 | "sns:*",
75 | "cloudformation:*",
76 | "rds:*",
77 | "sqs:*",
78 | "ecs:*",
79 | "iam:PassRole"
80 | ]
81 |
82 | resources = ["*"]
83 | effect = "Allow"
84 | }
85 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
File: /main.tf:64-85
Calling File: /examples/complete/main.tf:70-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
64 | data "aws_iam_policy_document" "default" {
65 | statement {
66 | sid = ""
67 |
68 | actions = [
69 | "ec2:*",
70 | "elasticloadbalancing:*",
71 | "autoscaling:*",
72 | "cloudwatch:*",
73 | "s3:*",
74 | "sns:*",
75 | "cloudformation:*",
76 | "rds:*",
77 | "sqs:*",
78 | "ecs:*",
79 | "iam:PassRole"
80 | ]
81 |
82 | resources = ["*"]
83 | effect = "Allow"
84 | }
85 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
File: /main.tf:64-85
Calling File: /examples/complete/main.tf:70-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
64 | data "aws_iam_policy_document" "default" {
65 | statement {
66 | sid = ""
67 |
68 | actions = [
69 | "ec2:*",
70 | "elasticloadbalancing:*",
71 | "autoscaling:*",
72 | "cloudwatch:*",
73 | "s3:*",
74 | "sns:*",
75 | "cloudformation:*",
76 | "rds:*",
77 | "sqs:*",
78 | "ecs:*",
79 | "iam:PassRole"
80 | ]
81 |
82 | resources = ["*"]
83 | effect = "Allow"
84 | }
85 | }
Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
File: /main.tf:64-85
Calling File: /examples/complete/main.tf:70-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
64 | data "aws_iam_policy_document" "default" {
65 | statement {
66 | sid = ""
67 |
68 | actions = [
69 | "ec2:*",
70 | "elasticloadbalancing:*",
71 | "autoscaling:*",
72 | "cloudwatch:*",
73 | "s3:*",
74 | "sns:*",
75 | "cloudformation:*",
76 | "rds:*",
77 | "sqs:*",
78 | "ecs:*",
79 | "iam:PassRole"
80 | ]
81 |
82 | resources = ["*"]
83 | effect = "Allow"
84 | }
85 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
File: /main.tf:64-85
Calling File: /examples/complete/main.tf:70-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
64 | data "aws_iam_policy_document" "default" {
65 | statement {
66 | sid = ""
67 |
68 | actions = [
69 | "ec2:*",
70 | "elasticloadbalancing:*",
71 | "autoscaling:*",
72 | "cloudwatch:*",
73 | "s3:*",
74 | "sns:*",
75 | "cloudformation:*",
76 | "rds:*",
77 | "sqs:*",
78 | "ecs:*",
79 | "iam:PassRole"
80 | ]
81 |
82 | resources = ["*"]
83 | effect = "Allow"
84 | }
85 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.ecs_codepipeline.aws_iam_policy_document.default
File: /main.tf:64-85
Calling File: /examples/complete/main.tf:70-92
64 | data "aws_iam_policy_document" "default" {
65 | statement {
66 | sid = ""
67 |
68 | actions = [
69 | "ec2:*",
70 | "elasticloadbalancing:*",
71 | "autoscaling:*",
72 | "cloudwatch:*",
73 | "s3:*",
74 | "sns:*",
75 | "cloudformation:*",
76 | "rds:*",
77 | "sqs:*",
78 | "ecs:*",
79 | "iam:PassRole"
80 | ]
81 |
82 | resources = ["*"]
83 | effect = "Allow"
84 | }
85 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
File: /main.tf:13-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
13 | resource "aws_s3_bucket" "default" {
14 | count = module.this.enabled ? 1 : 0
15 | bucket = module.codepipeline_label.id
16 | acl = "private"
17 | force_destroy = var.s3_bucket_force_destroy
18 | tags = module.codepipeline_label.tags
19 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
File: /main.tf:13-19
13 | resource "aws_s3_bucket" "default" {
14 | count = module.this.enabled ? 1 : 0
15 | bucket = module.codepipeline_label.id
16 | acl = "private"
17 | force_destroy = var.s3_bucket_force_destroy
18 | tags = module.codepipeline_label.tags
19 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
File: /main.tf:13-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
13 | resource "aws_s3_bucket" "default" {
14 | count = module.this.enabled ? 1 : 0
15 | bucket = module.codepipeline_label.id
16 | acl = "private"
17 | force_destroy = var.s3_bucket_force_destroy
18 | tags = module.codepipeline_label.tags
19 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
File: /main.tf:13-19
13 | resource "aws_s3_bucket" "default" {
14 | count = module.this.enabled ? 1 : 0
15 | bucket = module.codepipeline_label.id
16 | acl = "private"
17 | force_destroy = var.s3_bucket_force_destroy
18 | tags = module.codepipeline_label.tags
19 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
File: /main.tf:13-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
13 | resource "aws_s3_bucket" "default" {
14 | count = module.this.enabled ? 1 : 0
15 | bucket = module.codepipeline_label.id
16 | acl = "private"
17 | force_destroy = var.s3_bucket_force_destroy
18 | tags = module.codepipeline_label.tags
19 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
File: /main.tf:13-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
13 | resource "aws_s3_bucket" "default" {
14 | count = module.this.enabled ? 1 : 0
15 | bucket = module.codepipeline_label.id
16 | acl = "private"
17 | force_destroy = var.s3_bucket_force_destroy
18 | tags = module.codepipeline_label.tags
19 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.ecs_codepipeline.aws_s3_bucket.default
File: /main.tf:13-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
13 | resource "aws_s3_bucket" "default" {
14 | count = module.this.enabled ? 1 : 0
15 | bucket = module.codepipeline_label.id
16 | acl = "private"
17 | force_destroy = var.s3_bucket_force_destroy
18 | tags = module.codepipeline_label.tags
19 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools