| Repository | turnerlabs / terraform-ecs-fargate |
|---|---|
| Description | A Terraform template used for provisioning web application stacks on AWS ECS Fargate |
| Stars | 404 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:49:10,467 [MainThread ] [WARNI] Failed to download module github.com/turnerlabs/terraform-remote-state?ref=v4.0.2:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 195, Failed checks: 35, Skipped checks: 0
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: aws_ecr_repository.app
File: /base/ecr.tf:15-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
15 | resource "aws_ecr_repository" "app" {
16 | name = var.app
17 | image_tag_mutability = var.image_tag_mutability
18 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: aws_ecr_repository.app
File: /base/ecr.tf:15-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
15 | resource "aws_ecr_repository" "app" {
16 | name = var.app
17 | image_tag_mutability = var.image_tag_mutability
18 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.cicd
File: /env/dev/cicd.tf:2-4
2 | resource "aws_iam_user" "cicd" {
3 | name = "srv_${var.app}_${var.environment}_cicd"
4 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.cicd_policy
File: /env/dev/cicd.tf:11-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cicd_policy
File: /env/dev/cicd.tf:11-61
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.ecs_event_stream
File: /env/dev/ecs-event-stream.tf:55-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
55 | resource "aws_lambda_function" "ecs_event_stream" {
56 | function_name = "${var.app}-${var.environment}-ecs-event-stream"
57 | role = aws_iam_role.ecs_event_stream.arn
58 | filename = data.archive_file.lambda_zip.output_path
59 | source_code_hash = data.archive_file.lambda_zip.output_base64sha256
60 | handler = "index.handler"
61 | runtime = "nodejs14.x"
62 | tags = var.tags
63 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.ecs_event_stream
File: /env/dev/ecs-event-stream.tf:55-63
55 | resource "aws_lambda_function" "ecs_event_stream" {
56 | function_name = "${var.app}-${var.environment}-ecs-event-stream"
57 | role = aws_iam_role.ecs_event_stream.arn
58 | filename = data.archive_file.lambda_zip.output_path
59 | source_code_hash = data.archive_file.lambda_zip.output_base64sha256
60 | handler = "index.handler"
61 | runtime = "nodejs14.x"
62 | tags = var.tags
63 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.ecs_event_stream
File: /env/dev/ecs-event-stream.tf:55-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
55 | resource "aws_lambda_function" "ecs_event_stream" {
56 | function_name = "${var.app}-${var.environment}-ecs-event-stream"
57 | role = aws_iam_role.ecs_event_stream.arn
58 | filename = data.archive_file.lambda_zip.output_path
59 | source_code_hash = data.archive_file.lambda_zip.output_base64sha256
60 | handler = "index.handler"
61 | runtime = "nodejs14.x"
62 | tags = var.tags
63 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.ecs_event_stream
File: /env/dev/ecs-event-stream.tf:55-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
55 | resource "aws_lambda_function" "ecs_event_stream" {
56 | function_name = "${var.app}-${var.environment}-ecs-event-stream"
57 | role = aws_iam_role.ecs_event_stream.arn
58 | filename = data.archive_file.lambda_zip.output_path
59 | source_code_hash = data.archive_file.lambda_zip.output_base64sha256
60 | handler = "index.handler"
61 | runtime = "nodejs14.x"
62 | tags = var.tags
63 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.ecs_event_stream
File: /env/dev/ecs-event-stream.tf:55-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
55 | resource "aws_lambda_function" "ecs_event_stream" {
56 | function_name = "${var.app}-${var.environment}-ecs-event-stream"
57 | role = aws_iam_role.ecs_event_stream.arn
58 | filename = data.archive_file.lambda_zip.output_path
59 | source_code_hash = data.archive_file.lambda_zip.output_base64sha256
60 | handler = "index.handler"
61 | runtime = "nodejs14.x"
62 | tags = var.tags
63 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.logs
File: /env/dev/ecs.tf:189-193
189 | resource "aws_cloudwatch_log_group" "logs" {
190 | name = "/fargate/service/${var.app}-${var.environment}"
191 | retention_in_days = var.logs_retention_in_days
192 | tags = var.tags
193 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.logs
File: /env/dev/ecs.tf:189-193
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
189 | resource "aws_cloudwatch_log_group" "logs" {
190 | name = "/fargate/service/${var.app}-${var.environment}"
191 | retention_in_days = var.logs_retention_in_days
192 | tags = var.tags
193 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_alb_listener.http
File: /env/dev/lb-http.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
4 | resource "aws_alb_listener" "http" {
5 | load_balancer_arn = aws_alb.main.id
6 | port = var.lb_port
7 | protocol = var.lb_protocol
8 |
9 | default_action {
10 | target_group_arn = aws_alb_target_group.main.id
11 | type = "forward"
12 | }
13 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.ingress_lb_http
File: /env/dev/lb-http.tf:15-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
15 | resource "aws_security_group_rule" "ingress_lb_http" {
16 | type = "ingress"
17 | description = var.lb_protocol
18 | from_port = var.lb_port
19 | to_port = var.lb_port
20 | protocol = "tcp"
21 | cidr_blocks = ["0.0.0.0/0"]
22 | security_group_id = aws_security_group.nsg_lb.id
23 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_alb.main
File: /env/dev/lb.tf:40-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
40 | resource "aws_alb" "main" {
41 | name = "${var.app}-${var.environment}"
42 |
43 | # launch lbs in public or private subnets based on "internal" variable
44 | internal = var.internal
45 | subnets = split(
46 | ",",
47 | var.internal == true ? var.private_subnets : var.public_subnets,
48 | )
49 | security_groups = [aws_security_group.nsg_lb.id]
50 | tags = var.tags
51 |
52 | # enable access logs in order to get support from aws
53 | access_logs {
54 | enabled = true
55 | bucket = aws_s3_bucket.lb_access_logs.bucket
56 | }
57 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_alb.main
File: /env/dev/lb.tf:40-57
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
40 | resource "aws_alb" "main" {
41 | name = "${var.app}-${var.environment}"
42 |
43 | # launch lbs in public or private subnets based on "internal" variable
44 | internal = var.internal
45 | subnets = split(
46 | ",",
47 | var.internal == true ? var.private_subnets : var.public_subnets,
48 | )
49 | security_groups = [aws_security_group.nsg_lb.id]
50 | tags = var.tags
51 |
52 | # enable access logs in order to get support from aws
53 | access_logs {
54 | enabled = true
55 | bucket = aws_s3_bucket.lb_access_logs.bucket
56 | }
57 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy_logs_logz
File: /env/dev/logs-logzio.tf:31-54
31 | resource "aws_iam_role_policy" "lambda_policy_logs_logz" {
32 | name = "${var.app}-${var.environment}-logz-role"
33 | role = aws_iam_role.iam_for_lambda_logz.id
34 |
35 | policy = <
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools