| Field | Value |
|---|---|
| Repository | marcincuber / eks |
| Description | AWS EKS - kubernetes project |
| Stars | 222 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:51:14,612 [MainThread ] [WARNI] Failed to download module umotif-public/bastion/aws:~>2.0.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:14,612 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.18.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:14,612 [MainThread ] [WARNI] Failed to download module native-cube/vpc-flow-logs/aws:~>1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:14,612 [MainThread ] [WARNI] Failed to download module native-cube/kms/aws:~>1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:14,612 [MainThread ] [WARNI] Failed to download module native-cube/eks-node-group/aws:~>1.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:14,613 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:5.1.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:14,613 [MainThread ] [WARNI] Failed to download module native-cube/vpc-flow-logs/aws:~>2.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:14,613 [MainThread ] [WARNI] Failed to download module native-cube/eks-node-group/aws:~>1.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 514, Failed checks: 79, Skipped checks: 0
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster[0]
File: /legacy/terraform-aws/cluster.tf:31-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "cluster" {
32 | count = var.create_cluster ? 1 : 0
33 |
34 | enabled_cluster_log_types = var.eks_enabled_log_types
35 | name = local.name_prefix
36 | role_arn = aws_iam_role.cluster.arn
37 | version = var.eks_version
38 |
39 | vpc_config {
40 | subnet_ids = flatten([module.vpc.public_subnets, module.vpc.private_subnets])
41 | security_group_ids = []
42 | endpoint_private_access = "true"
43 | endpoint_public_access = "true"
44 | }
45 |
46 | encryption_config {
47 | resources = ["secrets"]
48 | provider {
49 | key_arn = module.kms-eks.key_arn
50 | }
51 | }
52 |
53 | tags = var.tags
54 |
55 | depends_on = [
56 | aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy,
57 | aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy,
58 | aws_cloudwatch_log_group.cluster
59 | ]
60 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster[0]
File: /legacy/terraform-aws/cluster.tf:31-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "cluster" {
32 | count = var.create_cluster ? 1 : 0
33 |
34 | enabled_cluster_log_types = var.eks_enabled_log_types
35 | name = local.name_prefix
36 | role_arn = aws_iam_role.cluster.arn
37 | version = var.eks_version
38 |
39 | vpc_config {
40 | subnet_ids = flatten([module.vpc.public_subnets, module.vpc.private_subnets])
41 | security_group_ids = []
42 | endpoint_private_access = "true"
43 | endpoint_public_access = "true"
44 | }
45 |
46 | encryption_config {
47 | resources = ["secrets"]
48 | provider {
49 | key_arn = module.kms-eks.key_arn
50 | }
51 | }
52 |
53 | tags = var.tags
54 |
55 | depends_on = [
56 | aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy,
57 | aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy,
58 | aws_cloudwatch_log_group.cluster
59 | ]
60 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster[0]
File: /legacy/terraform-aws/cluster.tf:31-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "cluster" {
32 | count = var.create_cluster ? 1 : 0
33 |
34 | enabled_cluster_log_types = var.eks_enabled_log_types
35 | name = local.name_prefix
36 | role_arn = aws_iam_role.cluster.arn
37 | version = var.eks_version
38 |
39 | vpc_config {
40 | subnet_ids = flatten([module.vpc.public_subnets, module.vpc.private_subnets])
41 | security_group_ids = []
42 | endpoint_private_access = "true"
43 | endpoint_public_access = "true"
44 | }
45 |
46 | encryption_config {
47 | resources = ["secrets"]
48 | provider {
49 | key_arn = module.kms-eks.key_arn
50 | }
51 | }
52 |
53 | tags = var.tags
54 |
55 | depends_on = [
56 | aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy,
57 | aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy,
58 | aws_cloudwatch_log_group.cluster
59 | ]
60 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.cluster
File: /legacy/terraform-aws/cluster.tf:62-67
62 | resource "aws_cloudwatch_log_group" "cluster" {
63 | name = "/aws/eks/${local.name_prefix}/cluster"
64 | retention_in_days = 7
65 |
66 | tags = var.tags
67 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.cluster
File: /legacy/terraform-aws/cluster.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
62 | resource "aws_cloudwatch_log_group" "cluster" {
63 | name = "/aws/eks/${local.name_prefix}/cluster"
64 | retention_in_days = 7
65 |
66 | tags = var.tags
67 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy_document.karpenter_controller
File: /legacy/terraform-aws/data.tf:51-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
51 | data "aws_iam_policy_document" "karpenter_controller" {
52 | count = var.create_cluster ? 1 : 0
53 |
54 | statement {
55 | actions = [
56 | "ec2:CreateLaunchTemplate",
57 | "ec2:CreateFleet",
58 | "ec2:RunInstances",
59 | "ec2:CreateTags",
60 | "ec2:TerminateInstances",
61 | "ec2:DeleteLaunchTemplate",
62 | "ec2:DescribeLaunchTemplates",
63 | "ec2:DescribeInstances",
64 | "ec2:DescribeSecurityGroups",
65 | "ec2:DescribeSubnets",
66 | "ec2:DescribeImages",
67 | "ec2:DescribeInstanceTypes",
68 | "ec2:DescribeInstanceTypeOfferings",
69 | "ec2:DescribeAvailabilityZones",
70 | "ec2:DescribeSpotPriceHistory",
71 | "ssm:GetParameter",
72 | "pricing:GetProducts"
73 | ]
74 |
75 | resources = ["*"]
76 | }
77 |
78 | statement {
79 | actions = [
80 | "iam:PassRole",
81 | ]
82 |
83 | resources = [aws_iam_role.eks_node_karpenter[0].arn]
84 | }
85 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.karpenter_controller
File: /legacy/terraform-aws/data.tf:51-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
51 | data "aws_iam_policy_document" "karpenter_controller" {
52 | count = var.create_cluster ? 1 : 0
53 |
54 | statement {
55 | actions = [
56 | "ec2:CreateLaunchTemplate",
57 | "ec2:CreateFleet",
58 | "ec2:RunInstances",
59 | "ec2:CreateTags",
60 | "ec2:TerminateInstances",
61 | "ec2:DeleteLaunchTemplate",
62 | "ec2:DescribeLaunchTemplates",
63 | "ec2:DescribeInstances",
64 | "ec2:DescribeSecurityGroups",
65 | "ec2:DescribeSubnets",
66 | "ec2:DescribeImages",
67 | "ec2:DescribeInstanceTypes",
68 | "ec2:DescribeInstanceTypeOfferings",
69 | "ec2:DescribeAvailabilityZones",
70 | "ec2:DescribeSpotPriceHistory",
71 | "ssm:GetParameter",
72 | "pricing:GetProducts"
73 | ]
74 |
75 | resources = ["*"]
76 | }
77 |
78 | statement {
79 | actions = [
80 | "iam:PassRole",
81 | ]
82 |
83 | resources = [aws_iam_role.eks_node_karpenter[0].arn]
84 | }
85 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.karpenter_controller
File: /legacy/terraform-aws/data.tf:51-85
51 | data "aws_iam_policy_document" "karpenter_controller" {
52 | count = var.create_cluster ? 1 : 0
53 |
54 | statement {
55 | actions = [
56 | "ec2:CreateLaunchTemplate",
57 | "ec2:CreateFleet",
58 | "ec2:RunInstances",
59 | "ec2:CreateTags",
60 | "ec2:TerminateInstances",
61 | "ec2:DeleteLaunchTemplate",
62 | "ec2:DescribeLaunchTemplates",
63 | "ec2:DescribeInstances",
64 | "ec2:DescribeSecurityGroups",
65 | "ec2:DescribeSubnets",
66 | "ec2:DescribeImages",
67 | "ec2:DescribeInstanceTypes",
68 | "ec2:DescribeInstanceTypeOfferings",
69 | "ec2:DescribeAvailabilityZones",
70 | "ec2:DescribeSpotPriceHistory",
71 | "ssm:GetParameter",
72 | "pricing:GetProducts"
73 | ]
74 |
75 | resources = ["*"]
76 | }
77 |
78 | statement {
79 | actions = [
80 | "iam:PassRole",
81 | ]
82 |
83 | resources = [aws_iam_role.eks_node_karpenter[0].arn]
84 | }
85 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.node_drainer
File: /legacy/terraform-aws/node-drainer.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
1 | resource "aws_lambda_function" "node_drainer" {
2 | count = var.enable_spot_workers && var.create_cluster ? length(module.vpc.private_subnets) : 0
3 |
4 | filename = "node_drainer.zip"
5 | function_name = "${local.name_prefix}-node-drainer-function-${count.index}"
6 | role = aws_iam_role.node_drainer.arn
7 | handler = "handler.lambda_handler"
8 | memory_size = "256"
9 | timeout = "300"
10 |
11 | source_code_hash = filebase64sha256("node_drainer.zip")
12 |
13 | runtime = "python3.7"
14 |
15 | environment {
16 | variables = {
17 | CLUSTER_NAME = aws_eks_cluster.cluster[0].id
18 | REGION = var.region
19 | }
20 | }
21 |
22 | vpc_config {
23 | subnet_ids = module.vpc.private_subnets
24 | security_group_ids = [aws_security_group.nonmanaged_workers_sg[0].id]
25 | }
26 |
27 | tags = var.tags
28 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.node_drainer
File: /legacy/terraform-aws/node-drainer.tf:1-28
1 | resource "aws_lambda_function" "node_drainer" {
2 | count = var.enable_spot_workers && var.create_cluster ? length(module.vpc.private_subnets) : 0
3 |
4 | filename = "node_drainer.zip"
5 | function_name = "${local.name_prefix}-node-drainer-function-${count.index}"
6 | role = aws_iam_role.node_drainer.arn
7 | handler = "handler.lambda_handler"
8 | memory_size = "256"
9 | timeout = "300"
10 |
11 | source_code_hash = filebase64sha256("node_drainer.zip")
12 |
13 | runtime = "python3.7"
14 |
15 | environment {
16 | variables = {
17 | CLUSTER_NAME = aws_eks_cluster.cluster[0].id
18 | REGION = var.region
19 | }
20 | }
21 |
22 | vpc_config {
23 | subnet_ids = module.vpc.private_subnets
24 | security_group_ids = [aws_security_group.nonmanaged_workers_sg[0].id]
25 | }
26 |
27 | tags = var.tags
28 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.node_drainer
File: /legacy/terraform-aws/node-drainer.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
1 | resource "aws_lambda_function" "node_drainer" {
2 | count = var.enable_spot_workers && var.create_cluster ? length(module.vpc.private_subnets) : 0
3 |
4 | filename = "node_drainer.zip"
5 | function_name = "${local.name_prefix}-node-drainer-function-${count.index}"
6 | role = aws_iam_role.node_drainer.arn
7 | handler = "handler.lambda_handler"
8 | memory_size = "256"
9 | timeout = "300"
10 |
11 | source_code_hash = filebase64sha256("node_drainer.zip")
12 |
13 | runtime = "python3.7"
14 |
15 | environment {
16 | variables = {
17 | CLUSTER_NAME = aws_eks_cluster.cluster[0].id
18 | REGION = var.region
19 | }
20 | }
21 |
22 | vpc_config {
23 | subnet_ids = module.vpc.private_subnets
24 | security_group_ids = [aws_security_group.nonmanaged_workers_sg[0].id]
25 | }
26 |
27 | tags = var.tags
28 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.node_drainer
File: /legacy/terraform-aws/node-drainer.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
1 | resource "aws_lambda_function" "node_drainer" {
2 | count = var.enable_spot_workers && var.create_cluster ? length(module.vpc.private_subnets) : 0
3 |
4 | filename = "node_drainer.zip"
5 | function_name = "${local.name_prefix}-node-drainer-function-${count.index}"
6 | role = aws_iam_role.node_drainer.arn
7 | handler = "handler.lambda_handler"
8 | memory_size = "256"
9 | timeout = "300"
10 |
11 | source_code_hash = filebase64sha256("node_drainer.zip")
12 |
13 | runtime = "python3.7"
14 |
15 | environment {
16 | variables = {
17 | CLUSTER_NAME = aws_eks_cluster.cluster[0].id
18 | REGION = var.region
19 | }
20 | }
21 |
22 | vpc_config {
23 | subnet_ids = module.vpc.private_subnets
24 | security_group_ids = [aws_security_group.nonmanaged_workers_sg[0].id]
25 | }
26 |
27 | tags = var.tags
28 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.node_drainer
File: /legacy/terraform-aws/node-drainer.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
1 | resource "aws_lambda_function" "node_drainer" {
2 | count = var.enable_spot_workers && var.create_cluster ? length(module.vpc.private_subnets) : 0
3 |
4 | filename = "node_drainer.zip"
5 | function_name = "${local.name_prefix}-node-drainer-function-${count.index}"
6 | role = aws_iam_role.node_drainer.arn
7 | handler = "handler.lambda_handler"
8 | memory_size = "256"
9 | timeout = "300"
10 |
11 | source_code_hash = filebase64sha256("node_drainer.zip")
12 |
13 | runtime = "python3.7"
14 |
15 | environment {
16 | variables = {
17 | CLUSTER_NAME = aws_eks_cluster.cluster[0].id
18 | REGION = var.region
19 | }
20 | }
21 |
22 | vpc_config {
23 | subnet_ids = module.vpc.private_subnets
24 | security_group_ids = [aws_security_group.nonmanaged_workers_sg[0].id]
25 | }
26 |
27 | tags = var.tags
28 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.node_drainer
File: /legacy/terraform-aws/node-drainer.tf:103-125
103 | resource "aws_iam_policy" "node_drainer" {
104 | name = "${local.name_prefix}-node-drainer-policy"
105 |
106 | policy = <
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools