| Repository | trussworks / terraform-aws-ecs-service |
|---|---|
| Description | Creates an ECS Service. |
| Stars | 112 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 15:04:06,386 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:~>2.64.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 146, Failed checks: 27, Skipped checks: 0
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /examples/load-balancer/main.tf:25-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
25 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
26 | statement {
27 | sid = "Enable IAM User Permissions"
28 | effect = "Allow"
29 |
30 | principals {
31 | type = "AWS"
32 | identifiers = [
33 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
34 | ]
35 | }
36 |
37 | actions = [
38 | "kms:*",
39 | ]
40 | resources = ["*"]
41 | }
42 |
43 | statement {
44 | sid = "Allow logs KMS access"
45 | effect = "Allow"
46 |
47 | principals {
48 | type = "Service"
49 | identifiers = ["logs.${var.region}.amazonaws.com"]
50 | }
51 |
52 | actions = [
53 | "kms:Encrypt*",
54 | "kms:Decrypt*",
55 | "kms:ReEncrypt*",
56 | "kms:GenerateDataKey*",
57 | "kms:Describe*"
58 | ]
59 | resources = ["*"]
60 | }
61 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /examples/load-balancer/main.tf:25-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
25 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
26 | statement {
27 | sid = "Enable IAM User Permissions"
28 | effect = "Allow"
29 |
30 | principals {
31 | type = "AWS"
32 | identifiers = [
33 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
34 | ]
35 | }
36 |
37 | actions = [
38 | "kms:*",
39 | ]
40 | resources = ["*"]
41 | }
42 |
43 | statement {
44 | sid = "Allow logs KMS access"
45 | effect = "Allow"
46 |
47 | principals {
48 | type = "Service"
49 | identifiers = ["logs.${var.region}.amazonaws.com"]
50 | }
51 |
52 | actions = [
53 | "kms:Encrypt*",
54 | "kms:Decrypt*",
55 | "kms:ReEncrypt*",
56 | "kms:GenerateDataKey*",
57 | "kms:Describe*"
58 | ]
59 | resources = ["*"]
60 | }
61 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /examples/load-balancer/main.tf:25-61
25 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
26 | statement {
27 | sid = "Enable IAM User Permissions"
28 | effect = "Allow"
29 |
30 | principals {
31 | type = "AWS"
32 | identifiers = [
33 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
34 | ]
35 | }
36 |
37 | actions = [
38 | "kms:*",
39 | ]
40 | resources = ["*"]
41 | }
42 |
43 | statement {
44 | sid = "Allow logs KMS access"
45 | effect = "Allow"
46 |
47 | principals {
48 | type = "Service"
49 | identifiers = ["logs.${var.region}.amazonaws.com"]
50 | }
51 |
52 | actions = [
53 | "kms:Encrypt*",
54 | "kms:Decrypt*",
55 | "kms:ReEncrypt*",
56 | "kms:GenerateDataKey*",
57 | "kms:Describe*"
58 | ]
59 | resources = ["*"]
60 | }
61 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: aws_ecs_cluster.main
File: /examples/load-balancer/main.tf:74-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
74 | resource "aws_ecs_cluster" "main" {
75 | name = var.test_name
76 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.main
File: /examples/load-balancer/main.tf:81-87
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
81 | resource "aws_lb" "main" {
82 | name = var.test_name
83 | internal = false
84 | load_balancer_type = var.associate_alb == true && var.associate_nlb == false ? "application" : "network"
85 | security_groups = var.associate_alb == true && var.associate_nlb == false ? [aws_security_group.lb_sg.id] : null
86 | subnets = module.vpc.public_subnets
87 | }
Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: aws_lb.main
File: /examples/load-balancer/main.tf:81-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
81 | resource "aws_lb" "main" {
82 | name = var.test_name
83 | internal = false
84 | load_balancer_type = var.associate_alb == true && var.associate_nlb == false ? "application" : "network"
85 | security_groups = var.associate_alb == true && var.associate_nlb == false ? [aws_security_group.lb_sg.id] : null
86 | subnets = module.vpc.public_subnets
87 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.main
File: /examples/load-balancer/main.tf:81-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
81 | resource "aws_lb" "main" {
82 | name = var.test_name
83 | internal = false
84 | load_balancer_type = var.associate_alb == true && var.associate_nlb == false ? "application" : "network"
85 | security_groups = var.associate_alb == true && var.associate_nlb == false ? [aws_security_group.lb_sg.id] : null
86 | subnets = module.vpc.public_subnets
87 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http[0]
File: /examples/load-balancer/main.tf:89-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
89 | resource "aws_lb_listener" "http" {
90 | count = length(local.hello_world_container_ports)
91 |
92 | load_balancer_arn = aws_lb.main.id
93 | port = element(local.hello_world_container_ports, count.index)
94 | protocol = local.protocol
95 |
96 | default_action {
97 | target_group_arn = aws_lb_target_group.http[count.index].id
98 | type = "forward"
99 | }
100 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.lb_sg
File: /examples/load-balancer/main.tf:127-130
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
127 | resource "aws_security_group" "lb_sg" {
128 | name = "lb-${var.test_name}"
129 | vpc_id = module.vpc.vpc_id
130 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.app_lb_allow_outbound
File: /examples/load-balancer/main.tf:132-140
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
132 | resource "aws_security_group_rule" "app_lb_allow_outbound" {
133 | security_group_id = aws_security_group.lb_sg.id
134 |
135 | type = "egress"
136 | from_port = 0
137 | to_port = 0
138 | protocol = "-1"
139 | cidr_blocks = ["0.0.0.0/0"]
140 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.app_lb_allow_all_http[0]
File: /examples/load-balancer/main.tf:142-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
142 | resource "aws_security_group_rule" "app_lb_allow_all_http" {
143 | count = length(local.hello_world_container_ports)
144 | security_group_id = aws_security_group.lb_sg.id
145 |
146 | type = "ingress"
147 | from_port = element(local.hello_world_container_ports, count.index)
148 | to_port = element(local.hello_world_container_ports, count.index)
149 | protocol = "tcp"
150 | cidr_blocks = ["0.0.0.0/0"]
151 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http[1]
File: /examples/load-balancer/main.tf:89-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
89 | resource "aws_lb_listener" "http" {
90 | count = length(local.hello_world_container_ports)
91 |
92 | load_balancer_arn = aws_lb.main.id
93 | port = element(local.hello_world_container_ports, count.index)
94 | protocol = local.protocol
95 |
96 | default_action {
97 | target_group_arn = aws_lb_target_group.http[count.index].id
98 | type = "forward"
99 | }
100 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.app_lb_allow_all_http[1]
File: /examples/load-balancer/main.tf:142-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
142 | resource "aws_security_group_rule" "app_lb_allow_all_http" {
143 | count = length(local.hello_world_container_ports)
144 | security_group_id = aws_security_group.lb_sg.id
145 |
146 | type = "ingress"
147 | from_port = element(local.hello_world_container_ports, count.index)
148 | to_port = element(local.hello_world_container_ports, count.index)
149 | protocol = "tcp"
150 | cidr_blocks = ["0.0.0.0/0"]
151 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /examples/no-load-balancer/main.tf:23-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
23 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
24 | statement {
25 | sid = "Enable IAM User Permissions"
26 | effect = "Allow"
27 |
28 | principals {
29 | type = "AWS"
30 | identifiers = [
31 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
32 | ]
33 | }
34 |
35 | actions = [
36 | "kms:*",
37 | ]
38 | resources = ["*"]
39 | }
40 |
41 | statement {
42 | sid = "Allow logs KMS access"
43 | effect = "Allow"
44 |
45 | principals {
46 | type = "Service"
47 | identifiers = ["logs.${var.region}.amazonaws.com"]
48 | }
49 |
50 | actions = [
51 | "kms:Encrypt*",
52 | "kms:Decrypt*",
53 | "kms:ReEncrypt*",
54 | "kms:GenerateDataKey*",
55 | "kms:Describe*"
56 | ]
57 | resources = ["*"]
58 | }
59 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /examples/no-load-balancer/main.tf:23-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
23 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
24 | statement {
25 | sid = "Enable IAM User Permissions"
26 | effect = "Allow"
27 |
28 | principals {
29 | type = "AWS"
30 | identifiers = [
31 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
32 | ]
33 | }
34 |
35 | actions = [
36 | "kms:*",
37 | ]
38 | resources = ["*"]
39 | }
40 |
41 | statement {
42 | sid = "Allow logs KMS access"
43 | effect = "Allow"
44 |
45 | principals {
46 | type = "Service"
47 | identifiers = ["logs.${var.region}.amazonaws.com"]
48 | }
49 |
50 | actions = [
51 | "kms:Encrypt*",
52 | "kms:Decrypt*",
53 | "kms:ReEncrypt*",
54 | "kms:GenerateDataKey*",
55 | "kms:Describe*"
56 | ]
57 | resources = ["*"]
58 | }
59 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /examples/no-load-balancer/main.tf:23-59
23 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
24 | statement {
25 | sid = "Enable IAM User Permissions"
26 | effect = "Allow"
27 |
28 | principals {
29 | type = "AWS"
30 | identifiers = [
31 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
32 | ]
33 | }
34 |
35 | actions = [
36 | "kms:*",
37 | ]
38 | resources = ["*"]
39 | }
40 |
41 | statement {
42 | sid = "Allow logs KMS access"
43 | effect = "Allow"
44 |
45 | principals {
46 | type = "Service"
47 | identifiers = ["logs.${var.region}.amazonaws.com"]
48 | }
49 |
50 | actions = [
51 | "kms:Encrypt*",
52 | "kms:Decrypt*",
53 | "kms:ReEncrypt*",
54 | "kms:GenerateDataKey*",
55 | "kms:Describe*"
56 | ]
57 | resources = ["*"]
58 | }
59 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: aws_ecs_cluster.main
File: /examples/no-load-balancer/main.tf:72-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
72 | resource "aws_ecs_cluster" "main" {
73 | name = var.test_name
74 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ecs_allow_http[0]
File: /examples/no-load-balancer/main.tf:108-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
108 | resource "aws_security_group_rule" "ecs_allow_http" {
109 | count = length(local.hello_world_container_ports)
110 |
111 | security_group_id = aws_security_group.ecs_allow_http.id
112 |
113 | type = "ingress"
114 | from_port = element(local.hello_world_container_ports, count.index)
115 | to_port = element(local.hello_world_container_ports, count.index)
116 | protocol = "tcp"
117 | cidr_blocks = ["0.0.0.0/0"]
118 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ecs_allow_http[1]
File: /examples/no-load-balancer/main.tf:108-118
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
108 | resource "aws_security_group_rule" "ecs_allow_http" {
109 | count = length(local.hello_world_container_ports)
110 |
111 | security_group_id = aws_security_group.ecs_allow_http.id
112 |
113 | type = "ingress"
114 | from_port = element(local.hello_world_container_ports, count.index)
115 | to_port = element(local.hello_world_container_ports, count.index)
116 | protocol = "tcp"
117 | cidr_blocks = ["0.0.0.0/0"]
118 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.ecs-service.aws_iam_policy_document.instance_role_policy_doc
File: /main.tf:234-297
Calling File: /examples/no-load-balancer/main.tf:76-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.ecs-service.aws_iam_policy_document.instance_role_policy_doc
File: /main.tf:234-297
Calling File: /examples/no-load-balancer/main.tf:76-95
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.ecs-service.aws_iam_policy_document.task_execution_role_policy_doc
File: /main.tf:322-349
Calling File: /examples/no-load-balancer/main.tf:76-95
322 | data "aws_iam_policy_document" "task_execution_role_policy_doc" {
323 | statement {
324 | actions = [
325 | "logs:CreateLogStream",
326 | "logs:PutLogEvents",
327 | ]
328 |
329 | resources = ["${aws_cloudwatch_log_group.main.arn}:*"]
330 | }
331 |
332 | statement {
333 | actions = [
334 | "ecr:GetAuthorizationToken",
335 | ]
336 |
337 | resources = ["*"]
338 | }
339 |
340 | statement {
341 | actions = [
342 | "ecr:BatchCheckLayerAvailability",
343 | "ecr:GetDownloadUrlForLayer",
344 | "ecr:BatchGetImage",
345 | ]
346 |
347 | resources = var.ecr_repo_arns
348 | }
349 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.ecs-service.aws_cloudwatch_log_group.main
File: /main.tf:90-101
Calling File: /examples/no-load-balancer/main.tf:76-95
90 | resource "aws_cloudwatch_log_group" "main" {
91 | name = local.awslogs_group
92 | retention_in_days = var.logs_cloudwatch_retention
93 |
94 | kms_key_id = var.kms_key_id
95 |
96 | tags = {
97 | Name = "${var.name}-${var.environment}"
98 | Environment = var.environment
99 | Automation = "Terraform"
100 | }
101 | }
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
FAILED for resource: module.ecs-service.aws_ecs_service.main
File: /main.tf:506-578
Calling File: /examples/no-load-balancer/main.tf:76-95
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http[0]
File: /examples/load-balancer/main.tf:89-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
89 | resource "aws_lb_listener" "http" {
90 | count = length(local.hello_world_container_ports)
91 |
92 | load_balancer_arn = aws_lb.main.id
93 | port = element(local.hello_world_container_ports, count.index)
94 | protocol = local.protocol
95 |
96 | default_action {
97 | target_group_arn = aws_lb_target_group.http[count.index].id
98 | type = "forward"
99 | }
100 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http[1]
File: /examples/load-balancer/main.tf:89-100
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
89 | resource "aws_lb_listener" "http" {
90 | count = length(local.hello_world_container_ports)
91 |
92 | load_balancer_arn = aws_lb.main.id
93 | port = element(local.hello_world_container_ports, count.index)
94 | protocol = local.protocol
95 |
96 | default_action {
97 | target_group_arn = aws_lb_target_group.http[count.index].id
98 | type = "forward"
99 | }
100 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.ecs-service.aws_security_group.ecs_sg[0]
File: /main.tf:149-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
149 | resource "aws_security_group" "ecs_sg" {
150 | count = var.manage_ecs_security_group ? 1 : 0
151 | name = "ecs-${var.name}-${var.environment}"
152 | description = "${var.name}-${var.environment} container security group"
153 | vpc_id = var.ecs_vpc_id
154 |
155 | tags = {
156 | Name = "ecs-${var.name}-${var.environment}"
157 | Environment = var.environment
158 | Automation = "Terraform"
159 | }
160 | }
github_actions scan results:
Passed checks: 7, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(validate-tf)
File: /.github/workflows/validate.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools