| Repository | testdrivenio / django-ecs-terraform |
|---|---|
| Description | Deploying Django to AWS ECS with Terraform |
| Stars | 117 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 55, Failed checks: 33, Skipped checks: 0
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.load-balancer
File: /terraform/03_securitygroups.tf:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
2 | resource "aws_security_group" "load-balancer" {
3 | name = "load_balancer_security_group"
4 | description = "Controls access to the ALB"
5 | vpc_id = aws_vpc.production-vpc.id
6 |
7 | ingress {
8 | from_port = 80
9 | to_port = 80
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 |
14 | ingress {
15 | from_port = 443
16 | to_port = 443
17 | protocol = "tcp"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 |
21 | egress {
22 | from_port = 0
23 | to_port = 0
24 | protocol = "-1"
25 | cidr_blocks = ["0.0.0.0/0"]
26 | }
27 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.load-balancer
File: /terraform/03_securitygroups.tf:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
2 | resource "aws_security_group" "load-balancer" {
3 | name = "load_balancer_security_group"
4 | description = "Controls access to the ALB"
5 | vpc_id = aws_vpc.production-vpc.id
6 |
7 | ingress {
8 | from_port = 80
9 | to_port = 80
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 |
14 | ingress {
15 | from_port = 443
16 | to_port = 443
17 | protocol = "tcp"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 |
21 | egress {
22 | from_port = 0
23 | to_port = 0
24 | protocol = "-1"
25 | cidr_blocks = ["0.0.0.0/0"]
26 | }
27 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.ecs
File: /terraform/03_securitygroups.tf:30-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
30 | resource "aws_security_group" "ecs" {
31 | name = "ecs_security_group"
32 | description = "Allows inbound access from the ALB only"
33 | vpc_id = aws_vpc.production-vpc.id
34 |
35 | ingress {
36 | from_port = 0
37 | to_port = 0
38 | protocol = "-1"
39 | security_groups = [aws_security_group.load-balancer.id]
40 | }
41 |
42 | ingress {
43 | from_port = 22
44 | to_port = 22
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | egress {
50 | from_port = 0
51 | to_port = 0
52 | protocol = "-1"
53 | cidr_blocks = ["0.0.0.0/0"]
54 | }
55 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.ecs
File: /terraform/03_securitygroups.tf:30-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
30 | resource "aws_security_group" "ecs" {
31 | name = "ecs_security_group"
32 | description = "Allows inbound access from the ALB only"
33 | vpc_id = aws_vpc.production-vpc.id
34 |
35 | ingress {
36 | from_port = 0
37 | to_port = 0
38 | protocol = "-1"
39 | security_groups = [aws_security_group.load-balancer.id]
40 | }
41 |
42 | ingress {
43 | from_port = 22
44 | to_port = 22
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | egress {
50 | from_port = 0
51 | to_port = 0
52 | protocol = "-1"
53 | cidr_blocks = ["0.0.0.0/0"]
54 | }
55 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.rds
File: /terraform/03_securitygroups.tf:58-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
58 | resource "aws_security_group" "rds" {
59 | name = "rds-security-group"
60 | description = "Allows inbound access from ECS only"
61 | vpc_id = aws_vpc.production-vpc.id
62 |
63 | ingress {
64 | protocol = "tcp"
65 | from_port = "5432"
66 | to_port = "5432"
67 | security_groups = [aws_security_group.ecs.id]
68 | }
69 |
70 | egress {
71 | protocol = "-1"
72 | from_port = 0
73 | to_port = 0
74 | cidr_blocks = ["0.0.0.0/0"]
75 | }
76 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.production
File: /terraform/04_loadbalancer.tf:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
2 | resource "aws_lb" "production" {
3 | name = "${var.ecs_cluster_name}-alb"
4 | load_balancer_type = "application"
5 | internal = false
6 | security_groups = [aws_security_group.load-balancer.id]
7 | subnets = [aws_subnet.public-subnet-1.id, aws_subnet.public-subnet-2.id]
8 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.production
File: /terraform/04_loadbalancer.tf:2-8
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
2 | resource "aws_lb" "production" {
3 | name = "${var.ecs_cluster_name}-alb"
4 | load_balancer_type = "application"
5 | internal = false
6 | security_groups = [aws_security_group.load-balancer.id]
7 | subnets = [aws_subnet.public-subnet-1.id, aws_subnet.public-subnet-2.id]
8 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.production
File: /terraform/04_loadbalancer.tf:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
2 | resource "aws_lb" "production" {
3 | name = "${var.ecs_cluster_name}-alb"
4 | load_balancer_type = "application"
5 | internal = false
6 | security_groups = [aws_security_group.load-balancer.id]
7 | subnets = [aws_subnet.public-subnet-1.id, aws_subnet.public-subnet-2.id]
8 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.django-log-group
File: /terraform/06_logs.tf:1-4
1 | resource "aws_cloudwatch_log_group" "django-log-group" {
2 | name = "/ecs/django-app"
3 | retention_in_days = var.log_retention_in_days
4 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.django-log-group
File: /terraform/06_logs.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
1 | resource "aws_cloudwatch_log_group" "django-log-group" {
2 | name = "/ecs/django-app"
3 | retention_in_days = var.log_retention_in_days
4 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.nginx-log-group
File: /terraform/06_logs.tf:11-14
11 | resource "aws_cloudwatch_log_group" "nginx-log-group" {
12 | name = "/ecs/nginx"
13 | retention_in_days = var.log_retention_in_days
14 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.nginx-log-group
File: /terraform/06_logs.tf:11-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
11 | resource "aws_cloudwatch_log_group" "nginx-log-group" {
12 | name = "/ecs/nginx"
13 | retention_in_days = var.log_retention_in_days
14 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: aws_ecs_cluster.production
File: /terraform/08_ecs.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
1 | resource "aws_ecs_cluster" "production" {
2 | name = "${var.ecs_cluster_name}-cluster"
3 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.ecs
File: /terraform/08_ecs.tf:5-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
5 | resource "aws_launch_configuration" "ecs" {
6 | name = "${var.ecs_cluster_name}-cluster"
7 | image_id = lookup(var.amis, var.region)
8 | instance_type = var.instance_type
9 | security_groups = [aws_security_group.ecs.id]
10 | iam_instance_profile = aws_iam_instance_profile.ecs.name
11 | key_name = aws_key_pair.production.key_name
12 | associate_public_ip_address = true
13 | user_data = "#!/bin/bash\necho ECS_CLUSTER='${var.ecs_cluster_name}-cluster' > /etc/ecs/ecs.config"
14 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.ecs
File: /terraform/08_ecs.tf:5-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
5 | resource "aws_launch_configuration" "ecs" {
6 | name = "${var.ecs_cluster_name}-cluster"
7 | image_id = lookup(var.amis, var.region)
8 | instance_type = var.instance_type
9 | security_groups = [aws_security_group.ecs.id]
10 | iam_instance_profile = aws_iam_instance_profile.ecs.name
11 | key_name = aws_key_pair.production.key_name
12 | associate_public_ip_address = true
13 | user_data = "#!/bin/bash\necho ECS_CLUSTER='${var.ecs_cluster_name}-cluster' > /etc/ecs/ecs.config"
14 | }
Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
FAILED for resource: aws_autoscaling_group.ecs-cluster
File: /terraform/09_auto_scaling.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
1 | resource "aws_autoscaling_group" "ecs-cluster" {
2 | name = "${var.ecs_cluster_name}_auto_scaling_group"
3 | min_size = var.autoscale_min
4 | max_size = var.autoscale_max
5 | desired_capacity = var.autoscale_desired
6 | health_check_type = "EC2"
7 | launch_configuration = aws_launch_configuration.ecs.name
8 | vpc_zone_identifier = [aws_subnet.private-subnet-1.id, aws_subnet.private-subnet-2.id]
9 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.ecs-cluster
File: /terraform/09_auto_scaling.tf:1-9
1 | resource "aws_autoscaling_group" "ecs-cluster" {
2 | name = "${var.ecs_cluster_name}_auto_scaling_group"
3 | min_size = var.autoscale_min
4 | max_size = var.autoscale_max
5 | desired_capacity = var.autoscale_desired
6 | health_check_type = "EC2"
7 | launch_configuration = aws_launch_configuration.ecs.name
8 | vpc_zone_identifier = [aws_subnet.private-subnet-1.id, aws_subnet.private-subnet-2.id]
9 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_250: "Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/)"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-postgresql-instances-use-a-non-vulnerable-version-of-log-fdw-extension.html
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.production-vpc
File: /terraform/02_network.tf:2-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "production-vpc" {
3 | cidr_block = "10.0.0.0/16"
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_alb_listener.ecs-alb-http-listener
File: /terraform/04_loadbalancer.tf:29-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
29 | resource "aws_alb_listener" "ecs-alb-http-listener" {
30 | load_balancer_arn = aws_lb.production.id
31 | port = "443"
32 | protocol = "HTTPS"
33 | ssl_policy = "ELBSecurityPolicy-2016-08"
34 | certificate_arn = var.certificate_arn
35 | depends_on = [aws_alb_target_group.default-target-group]
36 |
37 | default_action {
38 | type = "forward"
39 | target_group_arn = aws_alb_target_group.default-target-group.arn
40 | }
41 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.production
File: /terraform/04_loadbalancer.tf:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
2 | resource "aws_lb" "production" {
3 | name = "${var.ecs_cluster_name}-alb"
4 | load_balancer_type = "application"
5 | internal = false
6 | security_groups = [aws_security_group.load-balancer.id]
7 | subnets = [aws_subnet.public-subnet-1.id, aws_subnet.public-subnet-2.id]
8 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.production
File: /terraform/10_rds.tf:6-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
6 | resource "aws_db_instance" "production" {
7 | identifier = "production"
8 | name = var.rds_db_name
9 | username = var.rds_username
10 | password = var.rds_password
11 | port = "5432"
12 | engine = "postgres"
13 | engine_version = "12.3"
14 | instance_class = var.rds_instance_class
15 | allocated_storage = "20"
16 | storage_encrypted = false
17 | vpc_security_group_ids = [aws_security_group.rds.id]
18 | db_subnet_group_name = aws_db_subnet_group.production.name
19 | multi_az = false
20 | storage_type = "gp2"
21 | publicly_accessible = false
22 | backup_retention_period = 7
23 | skip_final_snapshot = true
24 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.production-vpc
File: /terraform/02_network.tf:2-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "production-vpc" {
3 | cidr_block = "10.0.0.0/16"
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 | }
dockerfile scan results:
Passed checks: 105, Failed checks: 4, Skipped checks: 0
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /app/Dockerfile.
File: /app/Dockerfile:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # pull official base image
2 | FROM python:3.9.0-slim-buster
3 |
4 | # set work directory
5 | WORKDIR /usr/src/app
6 |
7 | # set environment variables
8 | ENV PYTHONDONTWRITEBYTECODE 1
9 | ENV PYTHONUNBUFFERED 1
10 |
11 | # install psycopg2 dependencies
12 | RUN apt-get update \
13 | && apt-get -y install gcc postgresql \
14 | && apt-get clean
15 |
16 | # install dependencies
17 | RUN pip install --upgrade pip
18 | COPY ./requirements.txt .
19 | RUN pip install -r requirements.txt
20 |
21 | # copy project
22 | COPY . .
23 |
24 | # collect static files
25 | RUN python manage.py collectstatic --no-input
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /app/Dockerfile.
File: /app/Dockerfile:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # pull official base image
2 | FROM python:3.9.0-slim-buster
3 |
4 | # set work directory
5 | WORKDIR /usr/src/app
6 |
7 | # set environment variables
8 | ENV PYTHONDONTWRITEBYTECODE 1
9 | ENV PYTHONUNBUFFERED 1
10 |
11 | # install psycopg2 dependencies
12 | RUN apt-get update \
13 | && apt-get -y install gcc postgresql \
14 | && apt-get clean
15 |
16 | # install dependencies
17 | RUN pip install --upgrade pip
18 | COPY ./requirements.txt .
19 | RUN pip install -r requirements.txt
20 |
21 | # copy project
22 | COPY . .
23 |
24 | # collect static files
25 | RUN python manage.py collectstatic --no-input
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /nginx/Dockerfile.
File: /nginx/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM nginx:1.19.0-alpine
2 |
3 | RUN rm /etc/nginx/conf.d/default.conf
4 | COPY nginx.conf /etc/nginx/conf.d
5 | EXPOSE 80
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /nginx/Dockerfile.
File: /nginx/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM nginx:1.19.0-alpine
2 |
3 | RUN rm /etc/nginx/conf.d/default.conf
4 | COPY nginx.conf /etc/nginx/conf.d
5 | EXPOSE 80
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools