| Repository | cloudposse / terraform-aws-s3-bucket |
|---|---|
| Description | Terraform module that creates an S3 bucket with an optional IAM user for external CI/CD systems |
| Stars | 151 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found configured in any of the repository's CI/CD tool configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:54:47,624 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:47,625 [MainThread ] [WARNI] Failed to download module cloudposse/iam-s3-user/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 132, Failed checks: 27, Skipped checks: 0
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]
File: /lifecycle.tf:159-248
Calling File: /examples/complete/main.tf:9-47
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket_lifecycle_configuration.default[0]
File: /lifecycle.tf:159-248
Calling File: /examples/complete/replication.tf:33-46
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket_lifecycle_configuration.default[0]
File: /lifecycle.tf:159-248
Calling File: /examples/complete/replication.tf:48-61
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.s3_bucket.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.s3_bucket.aws_s3_bucket.default
File: /main.tf:33-41
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
File: /main.tf:33-41
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
File: /main.tf:33-41
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: module.s3_bucket.aws_s3_bucket_ownership_controls.default
File: /main.tf:509-518
509 | resource "aws_s3_bucket_ownership_controls" "default" {
510 | count = local.enabled ? 1 : 0
511 |
512 | bucket = local.bucket_id
513 |
514 | rule {
515 | object_ownership = var.s3_object_ownership
516 | }
517 | depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
518 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket_ownership_controls.default
File: /main.tf:509-518
509 | resource "aws_s3_bucket_ownership_controls" "default" {
510 | count = local.enabled ? 1 : 0
511 |
512 | bucket = local.bucket_id
513 |
514 | rule {
515 | object_ownership = var.s3_object_ownership
516 | }
517 | depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
518 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket_ownership_controls.default
File: /main.tf:509-518
509 | resource "aws_s3_bucket_ownership_controls" "default" {
510 | count = local.enabled ? 1 : 0
511 |
512 | bucket = local.bucket_id
513 |
514 | rule {
515 | object_ownership = var.s3_object_ownership
516 | }
517 | depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
518 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.s3_bucket.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.s3_bucket.aws_s3_bucket.default
File: /main.tf:33-41
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
File: /main.tf:33-41
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
File: /main.tf:33-41
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.s3_bucket.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.s3_bucket.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.s3_bucket.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
File: /main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
33 | resource "aws_s3_bucket" "default" {
34 | count = local.enabled ? 1 : 0
35 | bucket = local.bucket_name
36 | force_destroy = var.force_destroy
37 |
38 | object_lock_enabled = local.object_lock_enabled
39 |
40 | tags = module.this.tags
41 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool was found configured in any of the repository's CI/CD tool configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools