Testproduct#19
Conversation
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
There was a problem hiding this comment.
S3 buckets are not encrypted with KMS
Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_145
How to Fix
resource "aws_s3_bucket" "bucket_name" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+ bucket = aws_s3_bucket.bucket_name.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }Description
Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
There was a problem hiding this comment.
S3 bucket cross-region replication disabled
Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_144
How to Fix
resource "aws_s3_bucket" "east" {
bucket = "tf-test-bucket-east-12345"
}
+ resource "aws_s3_bucket_versioning" "east" {
+ bucket = aws_s3_bucket.east.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket" "west" {
+ provider = aws.west
+ bucket = "tf-test-bucket-west-12345"
+ }
+ resource "aws_s3_bucket_versioning" "west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.west.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+ depends_on = [aws_s3_bucket_versioning.east]
+ role = aws_iam_role.east_replication.arn
+ bucket = aws_s3_bucket.east.id
+
+ rule {
+ status = "Enabled"
+
+ destination {
+ bucket = aws_s3_bucket.west.arn
+ storage_class = "STANDARD"
+ }
+ }
+ }Description
Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets.
By default, replication supports copying new S3 objects after it is enabled. It also requires versioning for the buckets involved. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
There was a problem hiding this comment.
S3 Bucket does not have public access blocks
Resource: aws_s3_bucket.data | Checkov ID: CKV2_AWS_6
How to Fix
resource "aws_s3_bucket" "bucket_good_1" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_public_access_block" "access_good_1" {
+ bucket = aws_s3_bucket.bucket_good_1.id
+
+ block_public_acls = true
+ block_public_policy = true
+ }Description
When you create an S3 bucket, it is good practice to set the additional resource aws_s3_bucket_public_access_block to ensure the bucket is never accidentally public.
We recommend you ensure S3 bucket has public access blocks.
If the public access block is not attached it defaults to False.
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
There was a problem hiding this comment.
AWS Access logging not enabled on S3 buckets
Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_18
How to Fix
+ resource "aws_s3_bucket_logging" "example" {
+ bucket = aws_s3_bucket.example.id
+
+ target_bucket = aws_s3_bucket.log_bucket.id
+ target_prefix = "log/"
+ }Description
Checks for S3 buckets without access logging turned on. Access logging allows customers to view complete audit trail on sensitive workloads such as S3 buckets. It is recommended that Access logging is turned on for all S3 buckets to meet audit & compliance requirement
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
There was a problem hiding this comment.
AWS S3 Object Versioning is disabled
Resource: aws_s3_bucket.data | Checkov ID: CKV_AWS_21
How to Fix
+ resource "aws_s3_bucket_versioning" "example" {
+ bucket = aws_s3_bucket.example.id
+
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }Description
This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3.
| @@ -0,0 +1,2 @@ | |||
| export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY | |||
There was a problem hiding this comment.
AWS Access Key detected in code
Resource: c00f1a6e4b20aa64691d50781b810756d6254b8e | Checkov ID: CKV_SECRET_2
Description
AWS Access Keys are long-term credentials for an IAM user or the AWS account root user.
You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
| @@ -0,0 +1,2 @@ | |||
| export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY | |||
There was a problem hiding this comment.
[Secret] AWS Access Key
Rule ID: APPSEC_SECRET_2
Description
AWS Access Keys were exposed in the source code, posing a security risk by potentially allowing unauthorized access to AWS resources. AWS Access Keys are used in conjunction with Secret Keys to authenticate API requests, enabling the creation, modification, and deletion of AWS resources. This exposure could lead to data breaches, unauthorized usage of services, or modification of infrastructure.| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
There was a problem hiding this comment.
[IaC] Ensure the S3 bucket has access logging enabled
Asset: /s3.tf:aws_s3_bucket.data | Rule ID: APPSEC_AWS_18
Description
Checks for S3 buckets without access logging turned on. Access logging allows customers to view complete audit trail on sensitive workloads such as S3 buckets. It is recommended that Access logging is turned on for all S3 buckets to meet audit & compliance requirement| @@ -0,0 +1,22 @@ | |||
| resource "aws_s3_bucket" "data" { | |||
There was a problem hiding this comment.
[IaC] Ensure all data stored in the S3 bucket have versioning enabled
Asset: /s3.tf:aws_s3_bucket.data | Rule ID: APPSEC_AWS_21
Description
This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3.| @@ -0,0 +1,2 @@ | |||
| export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY | |||
There was a problem hiding this comment.
No description provided.