| Repository | ozbillwang / terraform-best-practices |
|---|---|
| Description | Terraform Best Practices for AWS users |
| Stars | 1639 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be implemented in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example `checkov` output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 17, Failed checks: 14, Skipped checks: 0
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.source
File: /lambda/lambda.tf:43-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
43 | resource "aws_lambda_function" "source" {
44 | filename = "${path.module}/source.zip"
45 | source_code_hash = "${data.archive_file.source.output_base64sha256}"
46 | function_name = "lamda"
47 | role = "${aws_iam_role.lambda.arn}"
48 | handler = "main.handler"
49 | runtime = "python2.7"
50 | timeout = 120
51 | publish = true
52 |
53 | environment {
54 | variables = {
55 | HASH = "${base64sha256(file("source/main.py"))}-${base64sha256(file("source/requirements.txt"))}"
56 | }
57 | }
58 |
59 | lifecycle {
60 | ignore_changes = ["source_code_hash", "last_modified"]
61 | }
62 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.source
File: /lambda/lambda.tf:43-62
43 | resource "aws_lambda_function" "source" {
44 | filename = "${path.module}/source.zip"
45 | source_code_hash = "${data.archive_file.source.output_base64sha256}"
46 | function_name = "lamda"
47 | role = "${aws_iam_role.lambda.arn}"
48 | handler = "main.handler"
49 | runtime = "python2.7"
50 | timeout = 120
51 | publish = true
52 |
53 | environment {
54 | variables = {
55 | HASH = "${base64sha256(file("source/main.py"))}-${base64sha256(file("source/requirements.txt"))}"
56 | }
57 | }
58 |
59 | lifecycle {
60 | ignore_changes = ["source_code_hash", "last_modified"]
61 | }
62 | }
Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
FAILED for resource: aws_lambda_function.source
File: /lambda/lambda.tf:43-62
43 | resource "aws_lambda_function" "source" {
44 | filename = "${path.module}/source.zip"
45 | source_code_hash = "${data.archive_file.source.output_base64sha256}"
46 | function_name = "lamda"
47 | role = "${aws_iam_role.lambda.arn}"
48 | handler = "main.handler"
49 | runtime = "python2.7"
50 | timeout = 120
51 | publish = true
52 |
53 | environment {
54 | variables = {
55 | HASH = "${base64sha256(file("source/main.py"))}-${base64sha256(file("source/requirements.txt"))}"
56 | }
57 | }
58 |
59 | lifecycle {
60 | ignore_changes = ["source_code_hash", "last_modified"]
61 | }
62 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.source
File: /lambda/lambda.tf:43-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
43 | resource "aws_lambda_function" "source" {
44 | filename = "${path.module}/source.zip"
45 | source_code_hash = "${data.archive_file.source.output_base64sha256}"
46 | function_name = "lamda"
47 | role = "${aws_iam_role.lambda.arn}"
48 | handler = "main.handler"
49 | runtime = "python2.7"
50 | timeout = 120
51 | publish = true
52 |
53 | environment {
54 | variables = {
55 | HASH = "${base64sha256(file("source/main.py"))}-${base64sha256(file("source/requirements.txt"))}"
56 | }
57 | }
58 |
59 | lifecycle {
60 | ignore_changes = ["source_code_hash", "last_modified"]
61 | }
62 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.source
File: /lambda/lambda.tf:43-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
43 | resource "aws_lambda_function" "source" {
44 | filename = "${path.module}/source.zip"
45 | source_code_hash = "${data.archive_file.source.output_base64sha256}"
46 | function_name = "lamda"
47 | role = "${aws_iam_role.lambda.arn}"
48 | handler = "main.handler"
49 | runtime = "python2.7"
50 | timeout = 120
51 | publish = true
52 |
53 | environment {
54 | variables = {
55 | HASH = "${base64sha256(file("source/main.py"))}-${base64sha256(file("source/requirements.txt"))}"
56 | }
57 | }
58 |
59 | lifecycle {
60 | ignore_changes = ["source_code_hash", "last_modified"]
61 | }
62 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.source
File: /lambda/lambda.tf:43-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
43 | resource "aws_lambda_function" "source" {
44 | filename = "${path.module}/source.zip"
45 | source_code_hash = "${data.archive_file.source.output_base64sha256}"
46 | function_name = "lamda"
47 | role = "${aws_iam_role.lambda.arn}"
48 | handler = "main.handler"
49 | runtime = "python2.7"
50 | timeout = 120
51 | publish = true
52 |
53 | environment {
54 | variables = {
55 | HASH = "${base64sha256(file("source/main.py"))}-${base64sha256(file("source/requirements.txt"))}"
56 | }
57 | }
58 |
59 | lifecycle {
60 | ignore_changes = ["source_code_hash", "last_modified"]
61 | }
62 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.source
File: /lambda/lambda.tf:43-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
43 | resource "aws_lambda_function" "source" {
44 | filename = "${path.module}/source.zip"
45 | source_code_hash = "${data.archive_file.source.output_base64sha256}"
46 | function_name = "lamda"
47 | role = "${aws_iam_role.lambda.arn}"
48 | handler = "main.handler"
49 | runtime = "python2.7"
50 | timeout = 120
51 | publish = true
52 |
53 | environment {
54 | variables = {
55 | HASH = "${base64sha256(file("source/main.py"))}-${base64sha256(file("source/requirements.txt"))}"
56 | }
57 | }
58 |
59 | lifecycle {
60 | ignore_changes = ["source_code_hash", "last_modified"]
61 | }
62 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_lock
File: /s3-backend/main.tf:64-73
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
64 | resource "aws_dynamodb_table" "terraform_lock" {
65 | name = "terraform-lock"
66 | billing_mode = "PAY_PER_REQUEST"
67 | hash_key = "LockID"
68 |
69 | attribute {
70 | name = "LockID"
71 | type = "S"
72 | }
73 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_lock
File: /s3-backend/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
64 | resource "aws_dynamodb_table" "terraform_lock" {
65 | name = "terraform-lock"
66 | billing_mode = "PAY_PER_REQUEST"
67 | hash_key = "LockID"
68 |
69 | attribute {
70 | name = "LockID"
71 | type = "S"
72 | }
73 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:31-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
31 | resource "aws_s3_bucket" "terraform_state" {
32 | # With account id, this S3 bucket names can be *globally* unique.
33 | bucket = "${local.account_id}-terraform-states"
34 |
35 | # Enable versioning so we can see the full revision history of our
36 | # state files
37 | versioning {
38 | enabled = true
39 | }
40 |
41 | # Enable server-side encryption by default
42 | server_side_encryption_configuration {
43 | rule {
44 | apply_server_side_encryption_by_default {
45 | sse_algorithm = "AES256"
46 | }
47 | }
48 | }
49 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:31-49
31 | resource "aws_s3_bucket" "terraform_state" {
32 | # With account id, this S3 bucket names can be *globally* unique.
33 | bucket = "${local.account_id}-terraform-states"
34 |
35 | # Enable versioning so we can see the full revision history of our
36 | # state files
37 | versioning {
38 | enabled = true
39 | }
40 |
41 | # Enable server-side encryption by default
42 | server_side_encryption_configuration {
43 | rule {
44 | apply_server_side_encryption_by_default {
45 | sse_algorithm = "AES256"
46 | }
47 | }
48 | }
49 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:31-49
31 | resource "aws_s3_bucket" "terraform_state" {
32 | # With account id, this S3 bucket names can be *globally* unique.
33 | bucket = "${local.account_id}-terraform-states"
34 |
35 | # Enable versioning so we can see the full revision history of our
36 | # state files
37 | versioning {
38 | enabled = true
39 | }
40 |
41 | # Enable server-side encryption by default
42 | server_side_encryption_configuration {
43 | rule {
44 | apply_server_side_encryption_by_default {
45 | sse_algorithm = "AES256"
46 | }
47 | }
48 | }
49 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:31-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
31 | resource "aws_s3_bucket" "terraform_state" {
32 | # With account id, this S3 bucket names can be *globally* unique.
33 | bucket = "${local.account_id}-terraform-states"
34 |
35 | # Enable versioning so we can see the full revision history of our
36 | # state files
37 | versioning {
38 | enabled = true
39 | }
40 |
41 | # Enable server-side encryption by default
42 | server_side_encryption_configuration {
43 | rule {
44 | apply_server_side_encryption_by_default {
45 | sse_algorithm = "AES256"
46 | }
47 | }
48 | }
49 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /s3-backend/main.tf:31-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
31 | resource "aws_s3_bucket" "terraform_state" {
32 | # With account id, this S3 bucket names can be *globally* unique.
33 | bucket = "${local.account_id}-terraform-states"
34 |
35 | # Enable versioning so we can see the full revision history of our
36 | # state files
37 | versioning {
38 | enabled = true
39 | }
40 |
41 | # Enable server-side encryption by default
42 | server_side_encryption_configuration {
43 | rule {
44 | apply_server_side_encryption_by_default {
45 | sse_algorithm = "AES256"
46 | }
47 | }
48 | }
49 | }
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found to be implemented in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools