[Cortex Cloud] - security issue#32
Conversation
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "logs_log_bucket" { |
There was a problem hiding this comment.
AWS resources that support tags do not have Tags
Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV_AWS_CUSTOM_1
How to Fix
resource "aws_security_group" "sg" {
name = "my-sg"
...
+ tags = {
+ Environment = "dev"
+ Owner = "apps-team"
+ }
}Description
Many AWS resources support tags. Without tags, it is difficult to organize, manage and track resources.
Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names.
While there are many ways that tags can be used, we recommend you follow a tagging practice.
View AWS's recommended tagging best practices https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf[here].
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "logs_log_bucket" { |
There was a problem hiding this comment.
S3 buckets are not encrypted with KMS
Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV_AWS_145
How to Fix
resource "aws_s3_bucket" "bucket_name" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+ bucket = aws_s3_bucket.bucket_name.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }Description
Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "logs_log_bucket" { |
There was a problem hiding this comment.
S3 bucket cross-region replication disabled
Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV_AWS_144
How to Fix
resource "aws_s3_bucket" "east" {
bucket = "tf-test-bucket-east-12345"
}
+ resource "aws_s3_bucket_versioning" "east" {
+ bucket = aws_s3_bucket.east.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket" "west" {
+ provider = aws.west
+ bucket = "tf-test-bucket-west-12345"
+ }
+ resource "aws_s3_bucket_versioning" "west" {
+ provider = aws.west
+ bucket = aws_s3_bucket.west.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }
+ resource "aws_s3_bucket_replication_configuration" "east_to_west" {
+ depends_on = [aws_s3_bucket_versioning.east]
+ role = aws_iam_role.east_replication.arn
+ bucket = aws_s3_bucket.east.id
+
+ rule {
+ status = "Enabled"
+
+ destination {
+ bucket = aws_s3_bucket.west.arn
+ storage_class = "STANDARD"
+ }
+ }
+ }Description
Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets.
By default, replication supports copying new S3 objects after it is enabled. It also requires versioning for the buckets involved. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "logs_log_bucket" { |
There was a problem hiding this comment.
S3 Bucket does not have public access blocks
Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV2_AWS_6
How to Fix
resource "aws_s3_bucket" "bucket_good_1" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_public_access_block" "access_good_1" {
+ bucket = aws_s3_bucket.bucket_good_1.id
+
+ block_public_acls = true
+ block_public_policy = true
+ }Description
When you create an S3 bucket, it is good practice to set the additional resource aws_s3_bucket_public_access_block to ensure the bucket is never accidentally public.
We recommend you ensure S3 bucket has public access blocks.
If the public access block is not attached it defaults to False.
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "logs_log_bucket" { |
There was a problem hiding this comment.
AWS S3 Object Versioning is disabled
Resource: aws_s3_bucket.logs_log_bucket | Checkov ID: CKV_AWS_21
How to Fix
+ resource "aws_s3_bucket_versioning" "example" {
+ bucket = aws_s3_bucket.example.id
+
+ versioning_configuration {
+ status = "Enabled"
+ }
+ }Description
This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3.
Cortex Cloud has created PR to fix vulnerable lines in the file.