| Repository | terraform-community-modules / tf_aws_bastion_s3_keys |
|---|---|
| Description | A Terraform module for creating bastion host on AWS EC2 and populate its ~/.ssh/authorized_keys with public keys from bucket |
| Stars | 191 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:51:58,555 [MainThread ] [WARNI] Failed to download module github.com/terraform-community-modules/tf_aws_ubuntu_ami/ebs:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 38, Failed checks: 21, Skipped checks: 0
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ssh_ingress
File: /main.tf:11-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
```hcl
11 | resource "aws_security_group_rule" "ssh_ingress" {
12 |   type              = "ingress"
13 |   from_port         = "22"
14 |   to_port           = "22"
15 |   protocol          = "tcp"
16 |   cidr_blocks       = var.allowed_cidr
17 |   ipv6_cidr_blocks  = var.allowed_ipv6_cidr
18 |   security_group_id = aws_security_group.bastion.id
19 | }
```
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group_rule.ssh_ingress
File: /main.tf:11-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
```hcl
11 | resource "aws_security_group_rule" "ssh_ingress" {
12 |   type              = "ingress"
13 |   from_port         = "22"
14 |   to_port           = "22"
15 |   protocol          = "tcp"
16 |   cidr_blocks       = var.allowed_cidr
17 |   ipv6_cidr_blocks  = var.allowed_ipv6_cidr
18 |   security_group_id = aws_security_group.bastion.id
19 | }
```
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.bastion_all_egress
File: /main.tf:31-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
```hcl
31 | resource "aws_security_group_rule" "bastion_all_egress" {
32 |   type      = "egress"
33 |   from_port = "0"
34 |   to_port   = "65535"
35 |   protocol  = "all"
36 |
37 |   cidr_blocks = [
38 |     "0.0.0.0/0",
39 |   ]
40 |
41 |   ipv6_cidr_blocks = [
42 |     "::/0",
43 |   ]
44 |
45 |   security_group_id = aws_security_group.bastion.id
46 | }
```
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.bastion
File: /main.tf:76-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
```hcl
76 | resource "aws_launch_configuration" "bastion" {
77 |   name_prefix       = "${var.name}-"
78 |   image_id          = var.ami
79 |   instance_type     = var.instance_type
80 |   user_data         = data.template_file.user_data.rendered
81 |   enable_monitoring = var.enable_monitoring
82 |
83 |   security_groups = compact(
84 |     concat(
85 |       [aws_security_group.bastion.id],
86 |       split(",", var.security_group_ids),
87 |     ),
88 |   )
89 |
90 |   root_block_device {
91 |     volume_size = var.instance_volume_size_gb
92 |   }
93 |
94 |   iam_instance_profile        = var.iam_instance_profile
95 |   associate_public_ip_address = var.associate_public_ip_address
96 |   key_name                    = var.key_name
97 |
98 |   lifecycle {
99 |     create_before_destroy = true
100 |   }
101 | }
```
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.bastion
File: /main.tf:76-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
```hcl
76 | resource "aws_launch_configuration" "bastion" {
77 |   name_prefix       = "${var.name}-"
78 |   image_id          = var.ami
79 |   instance_type     = var.instance_type
80 |   user_data         = data.template_file.user_data.rendered
81 |   enable_monitoring = var.enable_monitoring
82 |
83 |   security_groups = compact(
84 |     concat(
85 |       [aws_security_group.bastion.id],
86 |       split(",", var.security_group_ids),
87 |     ),
88 |   )
89 |
90 |   root_block_device {
91 |     volume_size = var.instance_volume_size_gb
92 |   }
93 |
94 |   iam_instance_profile        = var.iam_instance_profile
95 |   associate_public_ip_address = var.associate_public_ip_address
96 |   key_name                    = var.key_name
97 |
98 |   lifecycle {
99 |     create_before_destroy = true
100 |   }
101 | }
```
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.bastion
File: /main.tf:103-147
```hcl
103 | resource "aws_autoscaling_group" "bastion" {
104 |   name = var.apply_changes_immediately ? aws_launch_configuration.bastion.name : var.name
105 |
106 |   vpc_zone_identifier = var.subnet_ids
107 |
108 |   desired_capacity          = "1"
109 |   min_size                  = "1"
110 |   max_size                  = "1"
111 |   health_check_grace_period = "60"
112 |   health_check_type         = "EC2"
113 |   force_delete              = false
114 |   wait_for_capacity_timeout = 0
115 |   launch_configuration      = aws_launch_configuration.bastion.name
116 |
117 |   enabled_metrics = [
118 |     "GroupMinSize",
119 |     "GroupMaxSize",
120 |     "GroupDesiredCapacity",
121 |     "GroupInServiceInstances",
122 |     "GroupPendingInstances",
123 |     "GroupStandbyInstances",
124 |     "GroupTerminatingInstances",
125 |     "GroupTotalInstances",
126 |   ]
127 |
128 |   tags = concat(
129 |     [
130 |       {
131 |         "key"                 = "Name"
132 |         "value"               = var.name
133 |         "propagate_at_launch" = true
134 |       },
135 |       {
136 |         "key"                 = "EIP"
137 |         "value"               = var.eip
138 |         "propagate_at_launch" = true
139 |       },
140 |     ],
141 |     var.extra_tags,
142 |   )
143 |
144 |   lifecycle {
145 |     create_before_destroy = true
146 |   }
147 | }
```
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_role_policy.s3_readonly-allow_associateaddress_policy
File: /samples/iam_allow_associateaddress.tf:28-49
```hcl
28 | resource "aws_iam_role_policy" "s3_readonly-allow_associateaddress_policy" {
29 |   name = "s3_readonly-allow_associateaddress-policy"
30 |   role = "${aws_iam_role.s3_readonly-allow_associateaddress.id}"
31 |
32 |   policy = <
```
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools