Skip to content

Testproduct#19

Open
shaharsa wants to merge 2 commits into
mainfrom
testproduct
Open

Testproduct#19
shaharsa wants to merge 2 commits into
mainfrom
testproduct

Conversation

@shaharsa

Copy link
Copy Markdown
Contributor

No description provided.

@prisma-cloud-devsecops prisma-cloud-devsecops Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prisma Cloud has found errors in this PR ⬇️

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  S3 buckets are not encrypted with KMS
    Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_145

How to Fix

resource "aws_s3_bucket" "bucket_name" {
  bucket = "bucket_good"
}

+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+   bucket = aws_s3_bucket.bucket_name.bucket
+
+   rule {
+     apply_server_side_encryption_by_default {
+       kms_master_key_id = aws_kms_key.mykey.arn
+       sse_algorithm     = "aws:kms"
+     }
+   }
+ }

Description

Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  S3 bucket cross-region replication disabled
    Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_144

How to Fix

resource "aws_s3_bucket" "east" {
  bucket = "tf-test-bucket-east-12345"
}

+ resource "aws_s3_bucket_versioning" "east" {
+   bucket = aws_s3_bucket.east.id
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

+ resource "aws_s3_bucket" "west" {
+   provider = aws.west
+   bucket   = "tf-test-bucket-west-12345"
+ }

+ resource "aws_s3_bucket_versioning" "west" {
+   provider = aws.west

+   bucket = aws_s3_bucket.west.id
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+   depends_on = [aws_s3_bucket_versioning.east]
+   role   = aws_iam_role.east_replication.arn
+   bucket = aws_s3_bucket.east.id
+ 
+   rule {
+     status = "Enabled"
+ 
+     destination {
+       bucket        = aws_s3_bucket.west.arn
+       storage_class = "STANDARD"
+     }
+   }
+ }

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets.
By default, replication supports copying new S3 objects after it is enabled. It also requires versioning for the buckets involved. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.data | Checkov ID: CKV2_AWS_6

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}


+ resource "aws_s3_bucket_public_access_block" "access_good_1" {
+   bucket = aws_s3_bucket.bucket_good_1.id
+ 
+   block_public_acls   = true
+   block_public_policy = true
+ }

Description

When you create an S3 bucket, it is good practice to set the additional resource aws_s3_bucket_public_access_block to ensure the bucket is never accidentally public.
We recommend you ensure S3 bucket has public access blocks.
If the public access block is not attached it defaults to False.

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  AWS Access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_18

How to Fix

+ resource "aws_s3_bucket_logging" "example" {
+   bucket = aws_s3_bucket.example.id
+ 
+   target_bucket = aws_s3_bucket.log_bucket.id
+   target_prefix = "log/"
+ }

Description

Checks for S3 buckets without access logging turned on. Access logging allows customers to view complete audit trail on sensitive workloads such as S3 buckets. It is recommended that Access logging is turned on for all S3 buckets to meet audit & compliance requirement

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  AWS S3 Object Versioning is disabled
    Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_21

How to Fix

+ resource "aws_s3_bucket_versioning" "example" {
+   bucket = aws_s3_bucket.example.id
+ 
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

Description

This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3.

Comment thread secrets.txt
@@ -0,0 +1,2 @@
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  AWS Access Key detected in code
    Resource: c00f1a6e4b20aa64691d50781b810756d6254b8e | Checkov ID: CKV_SECRET_2

Description

AWS Access Keys are long-term credentials for an IAM user or the AWS account root user.
You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

Comment thread secrets.txt
@@ -0,0 +1,2 @@
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  [Secret] AWS Access Key
    Rule ID: APPSEC_SECRET_2

Description

AWS Access Keys were exposed in the source code, posing a security risk by potentially allowing unauthorized access to AWS resources. AWS Access Keys are used in conjunction with Secret Keys to authenticate API requests, enabling the creation, modification, and deletion of AWS resources. This exposure could lead to data breaches, unauthorized usage of services, or modification of infrastructure.

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  [IaC] Ensure S3 buckets should have event notifications enabled
    Asset: /s3.tf:aws_s3_bucket.data | Rule ID: APPSEC2_AWS_62

Description

Ensure S3 buckets should have event notifications enabled

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  [IaC] Ensure that S3 buckets are encrypted with KMS by default
    Asset: /s3.tf:aws_s3_bucket.data | Rule ID: APPSEC_AWS_145

Description

Ensure that S3 buckets are encrypted with KMS by default

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  [IaC] Ensure that S3 bucket has a Public Access block
    Asset: /s3.tf:aws_s3_bucket.data | Rule ID: APPSEC2_AWS_6

Description

Ensure that S3 bucket has a Public Access block

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  [IaC] Ensure that S3 bucket has cross-region replication enabled
    Asset: /s3.tf:aws_s3_bucket.data | Rule ID: APPSEC_AWS_144

Description

Ensure that S3 bucket has cross-region replication enabled

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  [IaC] Ensure the S3 bucket has access logging enabled
    Asset: /s3.tf:aws_s3_bucket.data | Rule ID: APPSEC_AWS_18

Description

Checks for S3 buckets without access logging turned on. Access logging allows customers to view complete audit trail on sensitive workloads such as S3 buckets. It is recommended that Access logging is turned on for all S3 buckets to meet audit & compliance requirement

Comment thread s3.tf
@@ -0,0 +1,22 @@
resource "aws_s3_bucket" "data" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  [IaC] Ensure all data stored in the S3 bucket have versioning enabled
    Asset: /s3.tf:aws_s3_bucket.data | Rule ID: APPSEC_AWS_21

Description

This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3.

Comment thread secrets.txt
@@ -0,0 +1,2 @@
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  [Secret] AWS Access Key
    Rule ID: APPSEC_SECRET_2

Description

AWS Access Keys were exposed in the source code, posing a security risk by potentially allowing unauthorized access to AWS resources. AWS Access Keys are used in conjunction with Secret Keys to authenticate API requests, enabling the creation, modification, and deletion of AWS resources. This exposure could lead to data breaches, unauthorized usage of services, or modification of infrastructure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant