
Update cfngoat.yaml #5

Open

ankit1128 wants to merge 1 commit into ank3 from ankit1128-patch-4

Conversation

@ankit1128 (Owner)

No description provided.

@bridgecrew bot left a comment

Bridgecrew has found 4 infrastructure configuration errors in this PR ⬇️

DBInstanceClass: db.t3.micro
AllocatedStorage: 20
MasterUsername: admin
MasterUsername: admin1
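Review bot: MasterUsername is set twice in this mapping (admin, then admin1); depending on the parser a duplicated YAML key is either rejected or silently resolved to the last value, so the intent of the change is ambiguous and a single MasterUsername line should be kept. The three RDS findings below (BC_AWS_GENERAL_4, BC_AWS_GENERAL_73, BC_AWS_PUBLIC_2) refer to this same DefaultDB resource, whose StorageEncrypted, MultiAZ and PubliclyAccessible properties are not among the changed lines.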

@bridgecrew bot, Jul 15, 2021

HIGH   Ensure no hard-coded secrets exist in EC2 user data
    Resource: AWS::EC2::Instance.EC2Instance | ID: BC_AWS_SECRETS_1

How to Fix

resource "aws_instance" "web" {
    ami           = data.aws_ami.ubuntu.id
    instance_type = "t3.micro"

-    user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
    tags = {
     Name = "MyLovelyHorse"
    }
}
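Review bot: the fix snippet is Terraform, but this PR edits cfngoat.yaml and the flagged resource is AWS::EC2::Instance.EC2Instance, so the change belongs in that resource's UserData property. Deleting the embedded access_key/secret_key pair is the right fix; anything the boot script still needs should be fetched at runtime through the instance role (SSM Parameter Store or Secrets Manager) rather than written back into user data, which, as the description notes, is readable by anyone with basic EC2 read access.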

Description

**User Data** is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations. This code is not encrypted.

Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.

DBInstanceClass: db.t3.micro
AllocatedStorage: 20
MasterUsername: admin
MasterUsername: admin1
@bridgecrew bot, Jul 15, 2021

HIGH   Ensure all data stored in the RDS is securely encrypted at rest
    Resource: AWS::RDS::DBInstance.DefaultDB | ID: BC_AWS_GENERAL_4

How to Fix

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
+ storage_encrypted    = true 
}
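Review bot: storage_encrypted = true on a Terraform aws_db_instance corresponds to StorageEncrypted: true on the AWS::RDS::DBInstance.DefaultDB resource flagged here. Note that RDS storage encryption can only be chosen at creation time, so applying this to an instance that already exists means replacing it (snapshot, encrypted copy, restore) rather than an in-place update.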

Description

AWS RDS is a managed DB service enabling quick deployment and management of MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. Native RDS encryption helps protect your cloud applications and fulfils compliance requirements for data-at-rest encryption.

Benchmarks

  • PCI-DSS V3.2 3
  • PCI-DSS V3.2.1 3.4
  • FEDRAMP (MODERATE) SC-28

DBInstanceClass: db.t3.micro
AllocatedStorage: 20
MasterUsername: admin
MasterUsername: admin1
@bridgecrew bot, Jul 15, 2021

LOW   Ensure that RDS instances have Multi-AZ enabled
    Resource: AWS::RDS::DBInstance.DefaultDB | ID: BC_AWS_GENERAL_73

How to Fix

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
+ multi_az             = true 
}

Description

Amazon RDS Multi-AZ deployments provide enhanced availability for databases within a single region. In the event of a planned or unplanned outage of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ.

RDS Multi-AZ deployments offer the following benefits:

  1. Enhanced durability.
  2. Increased availability.
  3. Protection of your database performance.
  4. Automatic failover.

DBInstanceClass: db.t3.micro
AllocatedStorage: 20
MasterUsername: admin
MasterUsername: admin1
@bridgecrew bot, Jul 15, 2021

HIGH   Ensure all data stored in the RDS bucket is not publicly accessible
    Resource: AWS::RDS::DBInstance.DefaultDB | ID: BC_AWS_PUBLIC_2

How to Fix

resource "aws_rds_cluster" "default" {
  cluster_identifier = var.cluster["cluster_identifier"]
  engine_version     = var.engine_version
  engine             = var.engine
  database_name      = var.cluster["database_name"]
  master_username    = var.cluster["master_username"]
  master_password    = var.master_password
+ storage_encrypted   = true
  kms_key_id         = var.kms_key_id
  tags               = var.common_tags
}
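Review bot: the suggested fix does not address the finding. BC_AWS_PUBLIC_2 is about the database being publicly accessible, but the snippet only adds storage_encrypted = true (already covered by BC_AWS_GENERAL_4 above) and targets aws_rds_cluster, whereas the flagged resource is AWS::RDS::DBInstance.DefaultDB. The property to set on that resource is PubliclyAccessible: false.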

Description

AWS RDS is a managed DB service enabling quick deployment and management of MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. RDS native encryption helps protect your applications deployed in the cloud and easily fulfills compliance requirements for data-at-rest encryption.

We recommend encrypting RDS functions as an additional layer of data to prevent unauthorized access to its storage.
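The four findings above (secret in EC2 user data, no encryption at rest, no Multi-AZ, public accessibility) written as a small checker over a CloudFormation template, with the weak DefaultDB/EC2Instance shape beside its hardened form; this is an added example, not Bridgecrew's or the cfngoat project's code. The two templates, the rule table and the secret patterns are constructed for the example; StorageEncrypted, MultiAZ, PubliclyAccessible and MasterUserPassword are the CloudFormation properties that the Terraform fixes above map to.

```python
import re

# Constructed CloudFormation template (JSON form, so only the standard library is
# needed) using the logical ids from the findings above; all values are invented.
WEAK = {"Resources": {
    "DefaultDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "DBInstanceClass": "db.t3.micro", "AllocatedStorage": 20,
        "MasterUsername": "admin", "PubliclyAccessible": True}},
    "EC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
        "UserData": {"Fn::Base64": {"Fn::Join": ["\n", [
            "#!/bin/bash", "export AWS_SECRET_ACCESS_KEY=EXAMPLE_NOT_A_REAL_KEY"]]}}}}}}

# Hardened form: encrypted, Multi-AZ, not public, master password resolved from
# Secrets Manager at deploy time, and user data that fetches secrets instead of embedding them.
HARDENED = {"Resources": {
    "DefaultDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "DBInstanceClass": "db.t3.micro", "AllocatedStorage": 20, "MasterUsername": "admin",
        "StorageEncrypted": True, "MultiAZ": True, "PubliclyAccessible": False,
        "MasterUserPassword": "{{resolve:secretsmanager:DbSecret:SecretString:password}}"}},
    "EC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
        "UserData": {"Fn::Base64": "#!/bin/bash\naws ssm get-parameter --name /app/db --with-decryption"}}}}}

# Property, required value and check id for each RDS finding; a missing property fails too.
RDS_RULES = [("StorageEncrypted", True, "BC_AWS_GENERAL_4"),
             ("MultiAZ", True, "BC_AWS_GENERAL_73"),
             ("PubliclyAccessible", False, "BC_AWS_PUBLIC_2")]
# Credential shapes worth flagging in user data: AWS access key ids and key=value secrets.
SECRET_PATTERNS = [re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
                   re.compile(r"(?i)\b(aws_secret_access_key|secret_key|password)\s*[=:]\s*\S+")]

def _text(value):
    """Flatten UserData to text through Fn::Base64 / Fn::Sub / Fn::Join wrappers."""
    if isinstance(value, str):
        return value
    if isinstance(value, (dict, list)):
        parts = value.values() if isinstance(value, dict) else value
        return "\n".join(_text(v) for v in parts)
    return ""

def check_template(template):
    """Return sorted (logical id, check id) pairs for the four checks raised in this PR."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::RDS::DBInstance":
            findings += [(name, cid) for prop, want, cid in RDS_RULES
                         if props.get(prop) is not want]
        elif res.get("Type") == "AWS::EC2::Instance":
            text = _text(props.get("UserData", ""))
            if any(p.search(text) for p in SECRET_PATTERNS):
                findings.append((name, "BC_AWS_SECRETS_1"))
    return sorted(findings)
```

Running check_template(WEAK) reproduces the four bot findings and check_template(HARDENED) returns an empty list.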
