From 8c6c4e896c0bf107c4f969267c7e85857792fd9c Mon Sep 17 00:00:00 2001
From: caswalker <90857961+caswalker@users.noreply.github.com>
Date: Sat, 6 Nov 2021 19:51:48 -0400
Subject: [PATCH 1/3] Create bridgecrew.yaml
---
 .github/workflows/bridgecrew.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/workflows/bridgecrew.yaml
diff --git a/.github/workflows/bridgecrew.yaml b/.github/workflows/bridgecrew.yaml
new file mode 100644
index 00000000..4b606852
--- /dev/null
+++ b/.github/workflows/bridgecrew.yaml
@@ -0,0 +1,18 @@
+name: Bridgecrew
+on:
+ push:
+ branches:
+ - master
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: [3.8]
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run Bridgecrew
+ id: Bridgecrew
+ uses: bridgecrewio/bridgecrew-action@master
+ with:
+ api-key: ${{ secrets.BRIDGECREW_API_KEY }}
From fac2336f252562962d0a2eddd546c558a839c218 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Sat, 6 Nov 2021 23:52:28 +0000
Subject: [PATCH 2/3] update resource scan result doc
---
 README.md | 124 +++++++++++++++++++++++++++++++++--------------------
 1 file changed, 75 insertions(+), 49 deletions(-)
diff --git a/README.md b/README.md
index c9ffb7f5..340ce748 100644
--- a/README.md
+++ b/README.md
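Review bot: The `uses: bridgecrewio/bridgecrew-action@master` step (and `actions/checkout@v2`) pins a third-party action to a mutable ref, so whatever lands on that branch later runs in this repository with access to `secrets.BRIDGECREW_API_KEY`; pin both to a full-length commit SHA with the version in a trailing comment, e.g. `uses: bridgecrewio/bridgecrew-action@<commit-sha>  # <release-tag>`. The `strategy.matrix.python-version: [3.8]` entry is never consumed — there is no `actions/setup-python` step and nothing reads `matrix.python-version` — so either drop the matrix or add the step that uses it. The workflow also declares no `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope; a top-level `permissions:` / `contents: read` would apply least privilege, assuming the action needs nothing beyond checkout.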
@@ -75,55 +75,81 @@ If you need direct support you can contact us at [info@bridgecrew.io](mailto:inf ## Existing vulnerabilities (Auto-Generated) -| | check_id | file | resource | check_name | guideline | -|----|------------|---------------|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------| -| 0 | CKV_AWS_58 | /eks.yaml | AWS::EKS::Cluster.EKSCluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 | -| 1 | CKV_AWS_3 | /cfngoat.yaml | AWS::EC2::Volume.WebHostStorage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume | -| 2 | CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 | -| 3 | CKV_AWS_24 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security | -| 4 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | -| 5 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 6 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 7 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 8 | CKV_AWS_55 | /cfngoat.yaml | 
AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 9 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 10 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 11 | CKV_AWS_40 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1 | -| 12 | CKV_AWS_7 | /cfngoat.yaml | AWS::KMS::Key.LogsKey | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 | -| 13 | CKV_AWS_17 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in the RDS bucket is not public accessible | https://docs.bridgecrew.io/docs/public_2 | -| 14 | CKV_AWS_16 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in the RDS is securely encrypted at rest | https://docs.bridgecrew.io/docs/general_4 | -| 15 | CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.DefaultSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 | -| 16 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | -| 17 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 18 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has access logging enabled | 
https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 19 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 20 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 21 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 22 | CKV_AWS_20 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket does not allow READ permissions to everyone | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone | -| 23 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 24 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | -| 25 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 26 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 27 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 28 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 29 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 30 | CKV_AWS_19 | 
/cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 31 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 32 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 33 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 34 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 35 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 36 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 37 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 38 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 39 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 40 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 41 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure the S3 
bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 42 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 43 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 44 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 45 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 46 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| | check_id | file | resource | check_name | guideline | +|----|-------------|---------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV_AWS_46 | /cfngoat.yaml | AWS::EC2::Instance.EC2Instance | Ensure no hard-coded secrets exist in EC2 user data | https://docs.bridgecrew.io/docs/bc_aws_secrets_1 | +| 1 | CKV_AWS_3 | /cfngoat.yaml | AWS::EC2::Volume.WebHostStorage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume | +| 2 | CKV_AWS_24 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security | +| 3 | CKV_AWS_23 | 
/cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 | +| 4 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 5 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 6 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 7 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | +| 8 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 9 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 10 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 11 | CKV_AWS_110 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow privilege escalation | https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation | +| 12 | CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure | +| 13 | CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow permissions management without constraints | 
https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint | +| 14 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | +| 15 | CKV_AWS_40 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1 | +| 16 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | +| 17 | CKV_AWS_7 | /cfngoat.yaml | AWS::KMS::Key.LogsKey | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 | +| 18 | CKV_AWS_17 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in RDS is not publicly accessible | https://docs.bridgecrew.io/docs/public_2 | +| 19 | CKV_AWS_157 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure that RDS instances have Multi-AZ enabled | https://docs.bridgecrew.io/docs/general_73 | +| 20 | CKV_AWS_16 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in the RDS is securely encrypted at rest | https://docs.bridgecrew.io/docs/general_4 | +| 21 | CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.DefaultSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 | +| 22 | CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure | +| 23 | CKV_AWS_109 | 
/cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow permissions management without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint | +| 24 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | +| 25 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | +| 26 | CKV_AWS_45 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure no hard-coded secrets exist in lambda environment | https://docs.bridgecrew.io/docs/bc_aws_secrets_3 | +| 27 | CKV_AWS_173 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Check encryption settings for Lambda environmental variable | | +| 28 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq | +| 29 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 30 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 31 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 32 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | +| 33 | CKV_AWS_21 | 
/cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 34 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 35 | CKV_AWS_20 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket does not allow READ permissions to everyone | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone | +| 36 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 37 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 38 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 39 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 40 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | +| 41 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 42 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 43 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 44 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has 
'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 45 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 46 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 47 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | +| 48 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 49 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 50 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 51 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 52 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | +| 53 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 54 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 55 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | 
https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 56 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 57 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | +| 58 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 59 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 60 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | +| 61 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | +| 62 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.CleanBucketFunction | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq | +| 63 | CKV_AWS_58 | /eks.yaml | AWS::EKS::Cluster.EKSCluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 | + + +--- + + +| | check_id | file | resource | check_name | guideline | +|----|--------------|---------------|------------------------------------------|----------------------------|-----------------------------------------------| +| 0 | CKV_SECRET_2 | /cfngoat.yaml | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 | +| 1 | CKV_SECRET_6 | /cfngoat.yaml 
| d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 | ---
From b2e500efee932d85c8ea85dbbe6051803b14fb8a Mon Sep 17 00:00:00 2001
From: caswalker <90857961+caswalker@users.noreply.github.com>
Date: Tue, 15 Feb 2022 13:45:34 -0500
Subject: [PATCH 3/3] Create rds1
---
 rds1 | 143 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 143 insertions(+)
 create mode 100644 rds1
diff --git a/rds1 b/rds1
new file mode 100644
index 00000000..ebee5d34
--- /dev/null
+++ b/rds1
@@ -0,0 +1,143 @@
+resource "aws_rds_cluster" "app1-rds-cluster" {
+ cluster_identifier = "app1-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 0
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "b6f2c2ec-0715-46a0-83d4-502e588826d1"
+ }
+}
+
+resource "aws_rds_cluster" "app2-rds-cluster" {
+ cluster_identifier = "app2-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 1
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "d33c9292-952b-4c1f-9973-b6dbad519461"
+ }
+}
+
+resource "aws_rds_cluster" "app3-rds-cluster" {
+ cluster_identifier = "app3-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 15
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "2a8584b1-7e9d-4739-8e37-366620c92027"
+ }
+}
+
+resource "aws_rds_cluster" "app4-rds-cluster" {
+ cluster_identifier = "app4-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 15
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "284aaeed-fd3f-4b7a-b5f8-61a8457f4d83"
+ }
+}
+
+resource "aws_rds_cluster" "app5-rds-cluster" {
+ cluster_identifier = "app5-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 15
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "0b2bea23-5ca5-4bd1-956e-b9ed978daadf"
+ }
+}
+
+resource "aws_rds_cluster" "app6-rds-cluster" {
+ cluster_identifier = "app6-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 15
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "fcffb961-d859-4be5-997f-d51b50665ada"
+ }
+}
+
+resource "aws_rds_cluster" "app7-rds-cluster" {
+ cluster_identifier = "app7-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 25
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "ebc2ac20-23a3-4518-a7ef-3a102b003ab6"
+ }
+}
+
+resource "aws_rds_cluster" "app8-rds-cluster" {
+ cluster_identifier = "app8-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 25
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "af643747-0967-4251-8645-3b54882c2507"
+ }
+}
+
+resource "aws_rds_cluster" "app9-rds-cluster" {
+ cluster_identifier = "app9-rds-cluster"
+ allocated_storage = 10
+ backup_retention_period = 25
+ tags = {
+ git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
+ git_file = "terraform/aws/rds.tf"
+ git_last_modified_at = "2021-12-08 23:26:32"
+ git_last_modified_by = "tron47@gmail.com"
+ git_modifiers = "tron47"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "a0c98536-c751-4743-92f1-a106ce750249"
+ }
+}
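Review bot: The new file is committed as `rds1` with no `.tf` extension, so Terraform will not load it and extension-based IaC scanners (including the Bridgecrew/Checkov workflow added in patch 1/3) will skip it entirely; if it is meant to be a scannable fixture, rename it to something like `rds1.tf`. `app1-rds-cluster` sets `backup_retention_period = 0`, which disables automated backups on an RDS instance and, as far as I recall, is rejected outright for Aurora clusters (the valid range starts at 1), and no `aws_rds_cluster` block specifies `engine`, which recent AWS provider versions treat as required — presumably these are deliberate goat-style findings (the tags carry `git_repo = "terragoat"`), in which case a one-line header such as `# Fixture: retention values 0/1/15/25 exercise the RDS backup-retention checks; not meant to be applied as-is.` would tell readers the misconfigurations are intentional. The same personal address `git_last_modified_by = "tron47@gmail.com"` is copied into every resource's tags; if these are pasted yor traces, consider scrubbing the e-mail before committing.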