Skip to content

[Cortex Cloud] - security issue#28

Open
cas-cortex[bot] wants to merge 1 commit into
mainfrom
cortex-fix-a625aafe-1ce2-4170-bc1f-eff849b61eed
Open

[Cortex Cloud] - security issue#28
cas-cortex[bot] wants to merge 1 commit into
mainfrom
cortex-fix-a625aafe-1ce2-4170-bc1f-eff849b61eed

Conversation

@cas-cortex

@cas-cortex cas-cortex Bot commented Jun 4, 2025

Copy link
Copy Markdown

Cortex Cloud has created PR to fix vulnerable lines in the file.

@prisma-cloud-devsecops prisma-cloud-devsecops Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prisma Cloud has found errors in this PR ⬇️

Comment thread aws/s3.tf
})
}

resource "aws_s3_bucket" "logs_log_bucket" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  AWS resources that support tags do not have Tags
    Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV_AWS_CUSTOM_1

How to Fix

resource "aws_security_group" "sg" {
  name = "my-sg"
  ...
+ tags = {
+   Environment = "dev"
+   Owner = "apps-team"
+ }
}

Description

Many AWS resources support tags. Without tags, it is difficult to organize, manage and track resources.
Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names.

While there are many ways that tags can be used, we recommend you follow a tagging practice.
View AWS's recommended tagging best practices https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf[here].

Comment thread aws/s3.tf
})
}

resource "aws_s3_bucket" "logs_log_bucket" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  S3 buckets are not encrypted with KMS
    Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV_AWS_145

How to Fix

resource "aws_s3_bucket" "bucket_name" {
  bucket = "bucket_good"
}

+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+   bucket = aws_s3_bucket.bucket_name.bucket
+
+   rule {
+     apply_server_side_encryption_by_default {
+       kms_master_key_id = aws_kms_key.mykey.arn
+       sse_algorithm     = "aws:kms"
+     }
+   }
+ }

Description

Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.

Comment thread aws/s3.tf
})
}

resource "aws_s3_bucket" "logs_log_bucket" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  S3 bucket cross-region replication disabled
    Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV_AWS_144

How to Fix

resource "aws_s3_bucket" "east" {
  bucket = "tf-test-bucket-east-12345"
}

+ resource "aws_s3_bucket_versioning" "east" {
+   bucket = aws_s3_bucket.east.id
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

+ resource "aws_s3_bucket" "west" {
+   provider = aws.west
+   bucket   = "tf-test-bucket-west-12345"
+ }

+ resource "aws_s3_bucket_versioning" "west" {
+   provider = aws.west

+   bucket = aws_s3_bucket.west.id
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+   depends_on = [aws_s3_bucket_versioning.east]
+   role   = aws_iam_role.east_replication.arn
+   bucket = aws_s3_bucket.east.id
+ 
+   rule {
+     status = "Enabled"
+ 
+     destination {
+       bucket        = aws_s3_bucket.west.arn
+       storage_class = "STANDARD"
+     }
+   }
+ }

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets.
By default, replication supports copying new S3 objects after it is enabled. It also requires versioning for the buckets involved. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

Comment thread aws/s3.tf
})
}

resource "aws_s3_bucket" "logs_log_bucket" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV2_AWS_6

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}


+ resource "aws_s3_bucket_public_access_block" "access_good_1" {
+   bucket = aws_s3_bucket.bucket_good_1.id
+ 
+   block_public_acls   = true
+   block_public_policy = true
+ }

Description

When you create an S3 bucket, it is good practice to set the additional resource aws_s3_bucket_public_access_block to ensure the bucket is never accidentally public.
We recommend you ensure S3 bucket has public access blocks.
If the public access block is not attached it defaults to False.

Comment thread aws/s3.tf
})
}

resource "aws_s3_bucket" "logs_log_bucket" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW  AWS S3 Object Versioning is disabled
    Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV_AWS_21

How to Fix

+ resource "aws_s3_bucket_versioning" "example" {
+   bucket = aws_s3_bucket.example.id
+ 
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

Description

This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants