Experience Builder


Terraform

Repository
umotif-public / terraform-aws-waf-webaclv2
Description

Terraform module to configure WAF V2 Web ACL with managed rules for Application Load Balancer

Stars

 122

Failed Checks
  •  Security Scanning
  •  Linting

Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output

    2023-10-05 14:56:15,594 [MainThread  ] [WARNI]  Failed to download module umotif-public/alb/aws:~>2.0.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:

    Passed checks: 22, Failed checks: 15, Skipped checks: 0
    
    Check: CKV_AWS_241: "Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK"
    	FAILED for resource: aws_kinesis_firehose_delivery_stream.test_stream
    	File: /examples/wafv2-logging-configuration/main.tf:106-114
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehose-delivery-streams-are-encrypted-with-cmk.html
    
    		106 | resource "aws_kinesis_firehose_delivery_stream" "test_stream" {
    		107 |   name        = "aws-waf-logs-kinesis-firehose-test-stream"
    		108 |   destination = "extended_s3"
    		109 | 
    		110 |   extended_s3_configuration {
    		111 |     role_arn   = aws_iam_role.firehose.arn
    		112 |     bucket_arn = aws_s3_bucket.bucket.arn
    		113 |   }
    		114 | }
    
    Check: CKV_AWS_240: "Ensure Kinesis Firehose delivery stream is encrypted"
    	FAILED for resource: aws_kinesis_firehose_delivery_stream.test_stream
    	File: /examples/wafv2-logging-configuration/main.tf:106-114
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehoses-delivery-stream-is-encrypted.html
    
    		106 | resource "aws_kinesis_firehose_delivery_stream" "test_stream" {
    		107 |   name        = "aws-waf-logs-kinesis-firehose-test-stream"
    		108 |   destination = "extended_s3"
    		109 | 
    		110 |   extended_s3_configuration {
    		111 |     role_arn   = aws_iam_role.firehose.arn
    		112 |     bucket_arn = aws_s3_bucket.bucket.arn
    		113 |   }
    		114 | }
    
    Check: CKV_AWS_342: "Ensure WAF rule has any actions"
    	FAILED for resource: module.waf.aws_wafv2_web_acl.main[0]
    	File: /main.tf:4-6821
    	Calling File: /examples/wafv2-sizeconstraint-rules/main.tf:4-152
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.

    Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
    	FAILED for resource: module.waf.aws_wafv2_web_acl.main[0]
    	File: /main.tf:4-6821
    	Calling File: /examples/wafv2-ip-rules/main.tf:29-225
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.

    Check: CKV_AWS_342: "Ensure WAF rule has any actions"
    	FAILED for resource: module.wafv2.aws_wafv2_web_acl.main[0]
    	File: /main.tf:4-6821
    	Calling File: /examples/wafv2-logging-configuration/main.tf:119-234
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.

    Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
    	FAILED for resource: module.waf.aws_wafv2_web_acl.main[0]
    	File: /main.tf:4-6821
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.

    Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
    	FAILED for resource: module.wafv2.aws_wafv2_web_acl.main[0]
    	File: /main.tf:4-6821
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.

    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.bucket
    	File: /examples/wafv2-logging-configuration/main.tf:33-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		33 | resource "aws_s3_bucket" "bucket" {
    		34 |   bucket = "${var.name_prefix}-aws-waf-firehose-stream-test-bucket"
    		35 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.bucket
    	File: /examples/wafv2-logging-configuration/main.tf:33-35
    
    		33 | resource "aws_s3_bucket" "bucket" {
    		34 |   bucket = "${var.name_prefix}-aws-waf-firehose-stream-test-bucket"
    		35 | }
    
    Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
    	FAILED for resource: aws_s3_bucket_ownership_controls.bucket
    	File: /examples/wafv2-logging-configuration/main.tf:37-42
    
    		37 | resource "aws_s3_bucket_ownership_controls" "bucket" {
    		38 |   bucket = aws_s3_bucket.bucket.id
    		39 |   rule {
    		40 |     object_ownership = "BucketOwnerPreferred"
    		41 |   }
    		42 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.bucket
    	File: /examples/wafv2-logging-configuration/main.tf:33-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		33 | resource "aws_s3_bucket" "bucket" {
    		34 |   bucket = "${var.name_prefix}-aws-waf-firehose-stream-test-bucket"
    		35 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.bucket
    	File: /examples/wafv2-logging-configuration/main.tf:33-35
    
    		33 | resource "aws_s3_bucket" "bucket" {
    		34 |   bucket = "${var.name_prefix}-aws-waf-firehose-stream-test-bucket"
    		35 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.bucket
    	File: /examples/wafv2-logging-configuration/main.tf:33-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		33 | resource "aws_s3_bucket" "bucket" {
    		34 |   bucket = "${var.name_prefix}-aws-waf-firehose-stream-test-bucket"
    		35 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.bucket
    	File: /examples/wafv2-logging-configuration/main.tf:33-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		33 | resource "aws_s3_bucket" "bucket" {
    		34 |   bucket = "${var.name_prefix}-aws-waf-firehose-stream-test-bucket"
    		35 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.bucket
    	File: /examples/wafv2-logging-configuration/main.tf:33-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		33 | resource "aws_s3_bucket" "bucket" {
    		34 |   bucket = "${var.name_prefix}-aws-waf-firehose-stream-test-bucket"
    		35 | }
    

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: