| Repository | nicor88 / aws-ecs-airflow |
|---|---|
| Description | Run Airflow in AWS ECS (Elastic Container Service) using Fargate tasks |
| Stars | 153 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 73, Failed checks: 46, Skipped checks: 0
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.flower
File: /infrastructure/airflow_flower.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1  | resource "aws_security_group" "flower" {
2  |   name        = "${var.project_name}-${var.stage}-flower-sg"
3  |   description = "Allow all inbound traffic for Flower"
4  |   vpc_id      = aws_vpc.vpc.id
5  |
6  |   ingress {
7  |     from_port   = 5555
8  |     to_port     = 5555
9  |     protocol    = "tcp"
10 |     cidr_blocks = ["0.0.0.0/0"]
11 |   }
12 |
13 |   egress {
14 |     from_port   = 0
15 |     to_port     = 0
16 |     protocol    = "-1"
17 |     cidr_blocks = ["0.0.0.0/0"]
18 |   }
19 |
20 |   tags = {
21 |     Name = "${var.project_name}-${var.stage}-flower-sg"
22 |   }
23 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.scheduler
File: /infrastructure/airflow_scheduler.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1  | resource "aws_security_group" "scheduler" {
2  |   name        = "${var.project_name}-${var.stage}-scheduler-sg"
3  |   description = "Airflow scheduler security group"
4  |   vpc_id      = aws_vpc.vpc.id
5  |
6  |   egress {
7  |     from_port   = 0
8  |     to_port     = 0
9  |     protocol    = "-1"
10 |     cidr_blocks = ["0.0.0.0/0"]
11 |   }
12 |
13 |   tags = {
14 |     Name = "${var.project_name}-${var.stage}-scheduler-sg"
15 |   }
16 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.application_load_balancer
File: /infrastructure/airflow_web_server.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1  | resource "aws_security_group" "application_load_balancer" {
2  |   name        = "${var.project_name}-${var.stage}-alb-web-sg"
3  |   description = "Allow all inbound traffic"
4  |   vpc_id      = aws_vpc.vpc.id
5  |
6  |   ingress {
7  |     from_port   = 80
8  |     to_port     = 80
9  |     protocol    = "tcp"
10 |     cidr_blocks = ["0.0.0.0/0"]
11 |   }
12 |
13 |   egress {
14 |     from_port   = 0
15 |     to_port     = 0
16 |     protocol    = "-1"
17 |     cidr_blocks = ["0.0.0.0/0"]
18 |   }
19 |
20 |   tags = {
21 |     Name = "${var.project_name}-${var.stage}-alb-web-sg"
22 |   }
23 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.application_load_balancer
File: /infrastructure/airflow_web_server.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
1  | resource "aws_security_group" "application_load_balancer" {
2  |   name        = "${var.project_name}-${var.stage}-alb-web-sg"
3  |   description = "Allow all inbound traffic"
4  |   vpc_id      = aws_vpc.vpc.id
5  |
6  |   ingress {
7  |     from_port   = 80
8  |     to_port     = 80
9  |     protocol    = "tcp"
10 |     cidr_blocks = ["0.0.0.0/0"]
11 |   }
12 |
13 |   egress {
14 |     from_port   = 0
15 |     to_port     = 0
16 |     protocol    = "-1"
17 |     cidr_blocks = ["0.0.0.0/0"]
18 |   }
19 |
20 |   tags = {
21 |     Name = "${var.project_name}-${var.stage}-alb-web-sg"
22 |   }
23 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web_server_ecs_internal
File: /infrastructure/airflow_web_server.tf:26-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
26 | resource "aws_security_group" "web_server_ecs_internal" {
27 |   name        = "${var.project_name}-${var.stage}-web-server-ecs-internal-sg"
28 |   description = "Allow all inbound traffic"
29 |   vpc_id      = aws_vpc.vpc.id
30 |
31 |   ingress {
32 |     from_port       = 8080
33 |     to_port         = 8080
34 |     protocol        = "tcp"
35 |     security_groups = [aws_security_group.application_load_balancer.id]
36 |     cidr_blocks     = ["0.0.0.0/0"]
37 |   }
38 |
39 |   egress {
40 |     from_port   = 0
41 |     to_port     = 0
42 |     protocol    = "-1"
43 |     cidr_blocks = ["0.0.0.0/0"]
44 |   }
45 |
46 |   tags = {
47 |     Name = "${var.project_name}-${var.stage}-web-server-ecs-internal-sg"
48 |   }
49 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_alb.airflow_alb
File: /infrastructure/airflow_web_server_lb.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
1 | resource "aws_alb" "airflow_alb" {
2 |   name            = "${var.project_name}-${var.stage}-alb"
3 |   subnets         = [aws_subnet.public-subnet-1.id, aws_subnet.public-subnet-2.id, aws_subnet.public-subnet-3.id]
4 |   security_groups = [aws_security_group.application_load_balancer.id]
5 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_alb.airflow_alb
File: /infrastructure/airflow_web_server_lb.tf:1-5
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
1 | resource "aws_alb" "airflow_alb" {
2 |   name            = "${var.project_name}-${var.stage}-alb"
3 |   subnets         = [aws_subnet.public-subnet-1.id, aws_subnet.public-subnet-2.id, aws_subnet.public-subnet-3.id]
4 |   security_groups = [aws_security_group.application_load_balancer.id]
5 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_alb.airflow_alb
File: /infrastructure/airflow_web_server_lb.tf:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
1 | resource "aws_alb" "airflow_alb" {
2 |   name            = "${var.project_name}-${var.stage}-alb"
3 |   subnets         = [aws_subnet.public-subnet-1.id, aws_subnet.public-subnet-2.id, aws_subnet.public-subnet-3.id]
4 |   security_groups = [aws_security_group.application_load_balancer.id]
5 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_alb_listener.airflow_web_server
File: /infrastructure/airflow_web_server_lb.tf:26-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
26 | resource "aws_alb_listener" "airflow_web_server" {
27 |   load_balancer_arn = aws_alb.airflow_alb.id
28 |   port              = "80"
29 |   protocol          = "HTTP"
30 |
31 |   default_action {
32 |     target_group_arn = aws_alb_target_group.airflow_web_server.id
33 |     type             = "forward"
34 |   }
35 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.workers
File: /infrastructure/airflow_workers.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1  | resource "aws_security_group" "workers" {
2  |   name        = "${var.project_name}-${var.stage}-workers-sg"
3  |   description = "Airflow Celery Workers security group"
4  |   vpc_id      = aws_vpc.vpc.id
5  |
6  |   ingress {
7  |     from_port   = 8793
8  |     to_port     = 8793
9  |     protocol    = "tcp"
10 |     cidr_blocks = ["${var.base_cidr_block}/16"]
11 |   }
12 |
13 |   egress {
14 |     from_port   = 0
15 |     to_port     = 0
16 |     protocol    = "-1"
17 |     cidr_blocks = ["0.0.0.0/0"]
18 |   }
19 |
20 |   tags = {
21 |     Name = "${var.project_name}-${var.stage}-workers-sg"
22 |   }
23 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: aws_ecr_repository.docker_repository
File: /infrastructure/ecs.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
1 | resource "aws_ecr_repository" "docker_repository" {
2 |   name = "${var.project_name}-${var.stage}"
3 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: aws_ecr_repository.docker_repository
File: /infrastructure/ecs.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
1 | resource "aws_ecr_repository" "docker_repository" {
2 |   name = "${var.project_name}-${var.stage}"
3 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: aws_ecr_repository.docker_repository
File: /infrastructure/ecs.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
1 | resource "aws_ecr_repository" "docker_repository" {
2 |   name = "${var.project_name}-${var.stage}"
3 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: aws_ecs_cluster.ecs_cluster
File: /infrastructure/ecs.tf:28-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
28 | resource "aws_ecs_cluster" "ecs_cluster" {
29 |   name = "${var.project_name}-${var.stage}"
30 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.log_group
File: /infrastructure/ecs.tf:32-35
32 | resource "aws_cloudwatch_log_group" "log_group" {
33 |   name              = "${var.log_group_name}/${var.project_name}-${var.stage}"
34 |   retention_in_days = 5
35 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.log_group
File: /infrastructure/ecs.tf:32-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
32 | resource "aws_cloudwatch_log_group" "log_group" {
33 |   name              = "${var.log_group_name}/${var.project_name}-${var.stage}"
34 |   retention_in_days = 5
35 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ecs_task_policy
File: /infrastructure/ecs.tf:59-87
59 | resource "aws_iam_policy" "ecs_task_policy" {
60 |   name = "${var.project_name}-${var.stage}"
61 |
62 |   policy = <
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools