| Repository | nozaq / terraform-aws-remote-state-s3-backend |
|---|---|
| Description | A terraform module to set up remote state management with S3 backend for your account. |
| Stars | 143 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is shown below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 75, Failed checks: 19, Skipped checks: 0
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.remote_state.aws_s3_bucket_lifecycle_configuration.state[0]
File: /bucket.tf:110-135
Calling File: /examples/simple/main.tf:21-28
110 | resource "aws_s3_bucket_lifecycle_configuration" "state" {
111 | count = local.define_lifecycle_rule ? 1 : 0
112 | bucket = aws_s3_bucket.state.id
113 |
114 | rule {
115 | id = "auto-archive"
116 | status = "Enabled"
117 |
118 | dynamic "noncurrent_version_transition" {
119 | for_each = var.noncurrent_version_transitions
120 |
121 | content {
122 | noncurrent_days = noncurrent_version_transition.value.days
123 | storage_class = noncurrent_version_transition.value.storage_class
124 | }
125 | }
126 |
127 | dynamic "noncurrent_version_expiration" {
128 | for_each = var.noncurrent_version_expiration != null ? [var.noncurrent_version_expiration] : []
129 |
130 | content {
131 | noncurrent_days = noncurrent_version_expiration.value.days
132 | }
133 | }
134 | }
135 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: module.remote_state.aws_dynamodb_table.lock
File: /dynamo.tf:12-42
Calling File: /examples/simple/main.tf:21-28
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
12 | resource "aws_dynamodb_table" "lock" {
13 | name = var.dynamodb_table_name
14 | billing_mode = var.dynamodb_table_billing_mode
15 | hash_key = local.lock_key_id
16 |
17 | attribute {
18 | name = local.lock_key_id
19 | type = "S"
20 | }
21 |
22 | server_side_encryption {
23 | enabled = var.dynamodb_enable_server_side_encryption
24 | kms_key_arn = aws_kms_key.this.arn
25 | }
26 |
27 | point_in_time_recovery {
28 | enabled = true
29 | }
30 |
31 | dynamic "replica" {
32 | for_each = var.enable_replication == true ? [1] : []
33 | content {
34 | region_name = data.aws_region.replica[0].name
35 | kms_key_arn = var.dynamodb_enable_server_side_encryption ? aws_kms_key.replica[0].arn : null
36 | }
37 | }
38 | stream_enabled = var.enable_replication
39 | stream_view_type = var.enable_replication ? "NEW_AND_OLD_IMAGES" : null
40 |
41 | tags = var.tags
42 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.terraform
File: /examples/simple-static-bucket-name/main.tf:33-35
33 | resource "aws_iam_user" "terraform" {
34 | name = "TerraformUser"
35 | }
Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
FAILED for resource: aws_iam_user_policy_attachment.remote_state_access
File: /examples/simple-static-bucket-name/main.tf:37-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
37 | resource "aws_iam_user_policy_attachment" "remote_state_access" {
38 | user = aws_iam_user.terraform.name
39 | policy_arn = module.remote_state.terraform_iam_policy.arn
40 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.terraform
File: /examples/simple/main.tf:30-32
30 | resource "aws_iam_user" "terraform" {
31 | name = "TerraformUser"
32 | }
Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
FAILED for resource: aws_iam_user_policy_attachment.remote_state_access
File: /examples/simple/main.tf:34-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
34 | resource "aws_iam_user_policy_attachment" "remote_state_access" {
35 | user = aws_iam_user.terraform.name
36 | policy_arn = module.remote_state.terraform_iam_policy.arn
37 | }
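The two CKV_AWS_273 and two CKV_AWS_40 findings above all come from the example configurations, which create an IAM user and attach the module's policy directly to it. The following is an added remediation example, not code from the nozaq module or its examples: the user and user-policy attachment from examples/simple/main.tf are replaced by a role, which satisfies both checks (no IAM users; policies attached only to roles or groups). `var.terraform_principal_arn` is a hypothetical input that is not in the original: the identity that should run terraform, for instance the `AWSReservedSSO_...` role that IAM Identity Center provisions for a permission set, or a CI job's own role.

```hcl
# Added example, not the module's own code. Replaces aws_iam_user.terraform
# and aws_iam_user_policy_attachment.remote_state_access with a role.
# var.terraform_principal_arn is a hypothetical input (assumption).
variable "terraform_principal_arn" {
  type        = string
  description = "ARN of the principal allowed to assume the state-access role"
}

# Trust policy: only the named principal can assume the role. Nothing else
# (no access keys, no console user) can obtain these permissions.
data "aws_iam_policy_document" "terraform_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.terraform_principal_arn]
    }
  }
}

resource "aws_iam_role" "terraform" {
  name               = "TerraformStateAccess"
  assume_role_policy = data.aws_iam_policy_document.terraform_assume_role.json
}

# The same module-generated policy the original example attached to the
# IAM user, now attached to the role (CKV_AWS_40 accepts roles and groups).
resource "aws_iam_role_policy_attachment" "remote_state_access" {
  role       = aws_iam_role.terraform.name
  policy_arn = module.remote_state.terraform_iam_policy.arn
}
```

Point Terraform at the role through the S3 backend's assume-role settings instead of minting access keys for a user; the credentials that actually reach the state bucket and lock table are then short-lived STS credentials scoped to exactly the module's policy.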
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.remote_state.aws_s3_bucket_lifecycle_configuration.replica[0]
File: /replica.tf:222-249
Calling File: /examples/simple/main.tf:21-28
222 | resource "aws_s3_bucket_lifecycle_configuration" "replica" {
223 | count = var.enable_replication && local.define_lifecycle_rule ? 1 : 0
224 | provider = aws.replica
225 |
226 | bucket = aws_s3_bucket.replica[0].id
227 |
228 | rule {
229 | id = "auto-archive"
230 | status = "Enabled"
231 |
232 | dynamic "noncurrent_version_transition" {
233 | for_each = var.noncurrent_version_transitions
234 |
235 | content {
236 | noncurrent_days = noncurrent_version_transition.value.days
237 | storage_class = noncurrent_version_transition.value.storage_class
238 | }
239 | }
240 |
241 | dynamic "noncurrent_version_expiration" {
242 | for_each = var.noncurrent_version_expiration != null ? [var.noncurrent_version_expiration] : []
243 |
244 | content {
245 | noncurrent_days = noncurrent_version_expiration.value.days
246 | }
247 | }
248 | }
249 | }
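Remediation for both CKV_AWS_300 findings (the state rule in bucket.tf and the replica rule in replica.tf), as an added example that is not code from the nozaq module: the original rule is kept and an `abort_incomplete_multipart_upload` action is added, so that parts of multipart uploads that never completed are discarded instead of sitting in the bucket, billed but invisible as objects. The seven-day window is an assumption. The replica variant differs only in the `provider = aws.replica` line and the `aws_s3_bucket.replica[0].id` reference shown above. Note that the same scan also reports CKV2_AWS_61 (no lifecycle configuration) against `aws_s3_bucket.replica[0]` even though the configuration above attaches one to it; check `terraform plan` before adding another, because a bucket carries only one `aws_s3_bucket_lifecycle_configuration` resource.

```hcl
# Added example, not the module's own code: the "state" lifecycle rule from
# bucket.tf with the multipart-upload abort action that CKV_AWS_300 expects.
# The 7-day window is an assumption; choose what fits your upload patterns.
resource "aws_s3_bucket_lifecycle_configuration" "state" {
  count  = local.define_lifecycle_rule ? 1 : 0
  bucket = aws_s3_bucket.state.id

  rule {
    id     = "auto-archive"
    status = "Enabled"

    # Empty filter: the rule applies to every object in the bucket.
    filter {}

    # Discard parts of uploads that never completed. State files are small,
    # but an interrupted upload still leaves billed parts nobody can list
    # through ordinary object APIs.
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }

    dynamic "noncurrent_version_transition" {
      for_each = var.noncurrent_version_transitions

      content {
        noncurrent_days = noncurrent_version_transition.value.days
        storage_class   = noncurrent_version_transition.value.storage_class
      }
    }

    dynamic "noncurrent_version_expiration" {
      for_each = var.noncurrent_version_expiration != null ? [var.noncurrent_version_expiration] : []

      content {
        noncurrent_days = noncurrent_version_expiration.value.days
      }
    }
  }
}
```

One caveat: the resource is still guarded by `count = local.define_lifecycle_rule ? 1 : 0` (the local's definition is not on this page), so the abort action only exists when that local is true. If you want incomplete uploads aborted regardless of whether any transition or expiration is configured, drop the `count` guard so the configuration is always created.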
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.remote_state.aws_s3_bucket.replica[0]
File: /replica.tf:165-174
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
165 | resource "aws_s3_bucket" "replica" {
166 | count = var.enable_replication ? 1 : 0
167 | provider = aws.replica
168 |
169 | bucket_prefix = var.override_s3_bucket_name ? null : var.replica_bucket_prefix
170 | bucket = var.override_s3_bucket_name ? var.s3_bucket_name_replica : null
171 | force_destroy = var.s3_bucket_force_destroy
172 |
173 | tags = var.tags
174 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.remote_state.aws_s3_bucket.state
File: /bucket.tf:61-67
61 | resource "aws_s3_bucket" "state" {
62 | bucket_prefix = var.override_s3_bucket_name ? null : var.state_bucket_prefix
63 | bucket = var.override_s3_bucket_name ? var.s3_bucket_name : null
64 | force_destroy = var.s3_bucket_force_destroy
65 |
66 | tags = var.tags
67 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.remote_state.aws_s3_bucket.replica[0]
File: /replica.tf:165-174
165 | resource "aws_s3_bucket" "replica" {
166 | count = var.enable_replication ? 1 : 0
167 | provider = aws.replica
168 |
169 | bucket_prefix = var.override_s3_bucket_name ? null : var.replica_bucket_prefix
170 | bucket = var.override_s3_bucket_name ? var.s3_bucket_name_replica : null
171 | force_destroy = var.s3_bucket_force_destroy
172 |
173 | tags = var.tags
174 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: module.remote_state.aws_s3_bucket_ownership_controls.state
File: /bucket.tf:69-75
69 | resource "aws_s3_bucket_ownership_controls" "state" {
70 | bucket = aws_s3_bucket.state.id
71 |
72 | rule {
73 | object_ownership = "BucketOwnerPreferred"
74 | }
75 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: module.remote_state.aws_s3_bucket_ownership_controls.replica[0]
File: /replica.tf:176-185
176 | resource "aws_s3_bucket_ownership_controls" "replica" {
177 | count = var.enable_replication ? 1 : 0
178 | provider = aws.replica
179 |
180 | bucket = aws_s3_bucket.replica[0].id
181 |
182 | rule {
183 | object_ownership = "BucketOwnerPreferred"
184 | }
185 | }
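Both CKV2_AWS_65 findings come from `object_ownership = "BucketOwnerPreferred"`, which still honours ACLs on writes. The following is an added example, not code from the nozaq module, showing the state bucket's ownership controls with ACLs disabled; the replica resource changes in the same way, keeping its `count` and `provider = aws.replica` lines.

```hcl
# Added example, not the module's own code: ownership controls for the state
# bucket with ACLs disabled, which is what CKV2_AWS_65 checks for.
resource "aws_s3_bucket_ownership_controls" "state" {
  bucket = aws_s3_bucket.state.id

  rule {
    # BucketOwnerEnforced: ACLs are ignored, every object is owned by the
    # bucket owner, and only the bucket policy and IAM decide access. This
    # also covers the cross-account-writer case that BucketOwnerPreferred
    # was usually chosen for, without any ACL involvement.
    object_ownership = "BucketOwnerEnforced"
  }
}
```

Before applying, make sure no `aws_s3_bucket_acl` resource targets these buckets and that no writer sets a non-default ACL on its PutObject calls: once ownership is enforced, S3 rejects ACL-carrying requests (the canned `bucket-owner-full-control` ACL is the one exception), so a leftover ACL resource or client setting turns into an apply-time or runtime error rather than a silent no-op.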
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: module.remote_state.aws_kms_key.this
File: /bucket.tf:12-18
12 | resource "aws_kms_key" "this" {
13 | description = var.kms_key_description
14 | deletion_window_in_days = var.kms_key_deletion_window_in_days
15 | enable_key_rotation = var.kms_key_enable_key_rotation
16 |
17 | tags = var.tags
18 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: module.remote_state.aws_kms_key.replica[0]
File: /replica.tf:14-23
14 | resource "aws_kms_key" "replica" {
15 | count = var.enable_replication ? 1 : 0
16 | provider = aws.replica
17 |
18 | description = var.kms_key_description
19 | deletion_window_in_days = var.kms_key_deletion_window_in_days
20 | enable_key_rotation = var.kms_key_enable_key_rotation
21 |
22 | tags = var.tags
23 | }
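Both CKV2_AWS_64 findings are raised because the keys rely on the AWS default key policy (the account root gets `kms:*`, so any IAM policy in the account can grant use of the key). The following is an added example, not code from the nozaq module, of the state key from bucket.tf with an explicit policy: the account root keeps administration rights so the key can never become unmanageable, while data-key operations are only permitted when S3 or DynamoDB in the current region perform them on a caller's behalf, which is exactly how the state bucket and lock table use the key. `data.aws_caller_identity.current` and `data.aws_region.current` are assumed names that are not on this page. The replica key takes the same policy with `provider = aws.replica` and that region's data sources.

```hcl
# Added example, not the module's own code: the state KMS key from bucket.tf
# with an explicit key policy, which is what CKV2_AWS_64 checks for.
# data.aws_caller_identity.current / data.aws_region.current are assumptions.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  account_root = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}

data "aws_iam_policy_document" "state_key" {
  # Administration only (no Encrypt/Decrypt): granting kms:* here would let
  # any IAM policy in the account bypass the service condition below. Keeping
  # kms:Put* on root guarantees the policy itself can always be repaired.
  statement {
    sid = "KeyAdministration"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.account_root]
    }
  }

  # Data operations are delegated to IAM (root principal) but only when the
  # request arrives via S3 or DynamoDB in this region, i.e. for state objects
  # and lock-table items. Callers still need matching kms:* IAM permissions,
  # which the module's terraform_iam_policy is meant to provide.
  statement {
    sid = "StateAndLockDataKeyUse"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.account_root]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values = [
        "s3.${data.aws_region.current.name}.amazonaws.com",
        "dynamodb.${data.aws_region.current.name}.amazonaws.com",
      ]
    }
  }
}

resource "aws_kms_key" "this" {
  description             = var.kms_key_description
  deletion_window_in_days = var.kms_key_deletion_window_in_days
  enable_key_rotation     = var.kms_key_enable_key_rotation
  policy                  = data.aws_iam_policy_document.state_key.json

  tags = var.tags
}
```

The practical effect is that a compromised IAM identity with broad `kms:Decrypt` rights cannot call KMS directly to unwrap the state bucket's data keys; it has to go through S3 or DynamoDB, where the bucket policy and the lock table's access controls still apply. If other services (for instance a replication role in another region) legitimately need the key, add their service endpoints to the `kms:ViaService` list rather than widening the first statement.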
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.remote_state.aws_s3_bucket.replica[0]
File: /replica.tf:165-174
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
165 | resource "aws_s3_bucket" "replica" {
166 | count = var.enable_replication ? 1 : 0
167 | provider = aws.replica
168 |
169 | bucket_prefix = var.override_s3_bucket_name ? null : var.replica_bucket_prefix
170 | bucket = var.override_s3_bucket_name ? var.s3_bucket_name_replica : null
171 | force_destroy = var.s3_bucket_force_destroy
172 |
173 | tags = var.tags
174 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.remote_state.aws_s3_bucket.replica[0]
File: /replica.tf:165-174
165 | resource "aws_s3_bucket" "replica" {
166 | count = var.enable_replication ? 1 : 0
167 | provider = aws.replica
168 |
169 | bucket_prefix = var.override_s3_bucket_name ? null : var.replica_bucket_prefix
170 | bucket = var.override_s3_bucket_name ? var.s3_bucket_name_replica : null
171 | force_destroy = var.s3_bucket_force_destroy
172 |
173 | tags = var.tags
174 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.remote_state.aws_s3_bucket.replica[0]
File: /replica.tf:165-174
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
165 | resource "aws_s3_bucket" "replica" {
166 | count = var.enable_replication ? 1 : 0
167 | provider = aws.replica
168 |
169 | bucket_prefix = var.override_s3_bucket_name ? null : var.replica_bucket_prefix
170 | bucket = var.override_s3_bucket_name ? var.s3_bucket_name_replica : null
171 | force_destroy = var.s3_bucket_force_destroy
172 |
173 | tags = var.tags
174 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.remote_state.aws_s3_bucket.replica[0]
File: /replica.tf:165-174
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
165 | resource "aws_s3_bucket" "replica" {
166 | count = var.enable_replication ? 1 : 0
167 | provider = aws.replica
168 |
169 | bucket_prefix = var.override_s3_bucket_name ? null : var.replica_bucket_prefix
170 | bucket = var.override_s3_bucket_name ? var.s3_bucket_name_replica : null
171 | force_destroy = var.s3_bucket_force_destroy
172 |
173 | tags = var.tags
174 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.remote_state.aws_s3_bucket.replica[0]
File: /replica.tf:165-174
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
165 | resource "aws_s3_bucket" "replica" {
166 | count = var.enable_replication ? 1 : 0
167 | provider = aws.replica
168 |
169 | bucket_prefix = var.override_s3_bucket_name ? null : var.replica_bucket_prefix
170 | bucket = var.override_s3_bucket_name ? var.s3_bucket_name_replica : null
171 | force_destroy = var.s3_bucket_force_destroy
172 |
173 | tags = var.tags
174 | }
github_actions scan results:
Passed checks: 46, Failed checks: 2, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(CI)
File: /.github/workflows/main.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(release-please)
File: /.github/workflows/release-please.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools