Conversation
| vpc_id = aws_vpc.web_vpc.id | ||
| cidr_block = "172.16.10.0/24" | ||
| availability_zone = "${var.region}a" | ||
| map_public_ip_on_launch = true |
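Review bot: map_public_ip_on_launch = true means every instance launched into web_subnet gets a public IPv4 address by default, so internet exposure stops being an explicit per-instance decision. Suggest map_public_ip_on_launch = false here and associate_public_ip_address = true (or an aws_eip) only on the instances that must be reachable from the internet.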
| map_public_ip_on_launch = true |
VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.web_subnet | ID: BC_AWS_NETWORKING_53
Description
TBD
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "flowbucket" { |
AWS access logging not enabled on S3 buckets
Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_13
How to Fix
resource "aws_s3_bucket" "bucket" {
acl = var.s3_bucket_acl
bucket = var.s3_bucket_name
policy = var.s3_bucket_policy
force_destroy = var.s3_bucket_force_destroy
versioning {
enabled = var.versioning
mfa_delete = var.mfa_delete
}
+ dynamic "logging" {
+ for_each = var.logging
+ content {
+ target_bucket = logging.value["target_bucket"]
+ target_prefix = "log/${var.s3_bucket_name}"
+ }
+ }
}
Description
Access logging provides detailed audit logging for all objects and folders in an S3 bucket.
Benchmarks
- HIPAA 164.312(B) Audit controls
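Review bot: the dynamic "logging" block in the How to Fix references var.logging and a target_bucket value that are not declared in the snippet; for the fix to apply, the log target must be a separate bucket in the same region as the source (a bucket logging to itself creates a write loop) with a bucket policy granting logging.s3.amazonaws.com s3:PutObject on the target_prefix, none of which the suggestion shows.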
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "flowbucket" { |
Testing Bucket with encryption
Resource: aws_s3_bucket.flowbucket | ID: cb404a47-3b88-40eb-b6ad-94081e055e6a
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "flowbucket" { |
Tags must exist - Custom Policy
Resource: aws_s3_bucket.flowbucket | ID: bf9d1e74-2303-4d6c-8bd7-13f5582b94f9
| instance_id = "${aws_instance.web_host.id}" | ||
| } | ||
|
|
||
| resource "aws_security_group" "web-node" { |
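Review bot: instance_id = "${aws_instance.web_host.id}" wraps a bare reference in a quoted interpolation; since Terraform 0.12 that is redundant and `terraform fmt`/`validate` warn about it. Write instance_id = aws_instance.web_host.id instead.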
AWS Security Group allows all traffic on SSH port 22
Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_1
Description
Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.
Benchmarks
- SOC2 CC6.3.3
- PCI-DSS V3.2.1 1.2.1, 1.3, 2.2.2
- PCI-DSS V3.2 2
- HIPAA 164.312(E)(1)
- NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
- ISO27001 A.10.1.1
- CIS AWS V1.2 4.1
- CIS AWS V1.3 5.2
- FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)
| git_repo = "terragoat" | ||
| yor_trace = "f058838a-b1e0-4383-b965-7e06e987ffb1" | ||
| }) | ||
| } |
| } | |
| server_side_encryption_configuration { | |
| rule { | |
| apply_server_side_encryption_by_default { | |
| sse_algorithm = "aws:kms" | |
| } | |
| } | |
| } | |
| } |
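Review bot: the apply_server_side_encryption_by_default block sets sse_algorithm = "aws:kms" without a kms_master_key_id, so objects will be encrypted under the AWS-managed aws/s3 key. If the intent is a customer-managed key (key policy control, key-use visibility in CloudTrail), add kms_master_key_id = aws_kms_key.<key>.arn next to sse_algorithm, and consider bucket_key_enabled = true in the rule to reduce KMS request volume.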
S3 buckets are not encrypted with KMS
Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_56
Description
TBA
I'm not merging this because xyz
| }) | ||
| } | ||
|
|
||
| resource "aws_s3_bucket" "flowbucket" { |
S3 bucket cross-region replication disabled
Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_72
How to Fix
resource "aws_s3_bucket" "test" {
...
+ replication_configuration {
+ role = aws_iam_role.replication.arn
+ rules {
+ id = "foobar"
+ prefix = "foo"
+ status = "Enabled"
+
+ destination {
+ bucket = aws_s3_bucket.destination.arn
+ storage_class = "STANDARD"
+ }
+ }
+ }
}
Description
Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.
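Review bot: the replication_configuration in the How to Fix references aws_iam_role.replication and aws_s3_bucket.destination that are not declared anywhere in the snippet, and S3 replication additionally requires versioning to be enabled on both the source and the destination bucket; the rule values id = "foobar" and prefix = "foo" are placeholders that would replicate only keys under foo/, so they need to be replaced before this is applied to flowbucket.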
| instance_id = "${aws_instance.web_host.id}" | ||
| } | ||
|
|
||
| resource "aws_security_group" "web-node" { |
Not every Security Group rule has a description
Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_31
Description
Descriptions can be up to 255 characters long and can be set and viewed from the AWS Management Console, AWS Command Line Interface (CLI), and the AWS APIs. We recommend you add descriptive text to each of your Security Group Rules clarifying each rule's goals; this helps prevent developer errors.
Benchmarks
- SOC2 CC6.3.3
- ISO27001 A.10.1.1
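Both security-group findings on web-node (BC_AWS_NETWORKING_1 above and BC_AWS_NETWORKING_31 here) can be reproduced outside the scanner. The Python below is an added example written for this page, not Checkov or Prisma Cloud code: it runs the two checks over constructed rule data shaped like aws_security_group ingress/egress blocks (the web-node rules are invented to mirror the findings, not copied from the PR) and handles the cases a naive string match on "22" and "0.0.0.0/0" misses: a port range that contains 22, protocol "-1", and the IPv6 ::/0 source.

```python
"""Added example: two Checkov-style security group checks over constructed rule data."""
import ipaddress

SSH_PORT = 22


def _rule_covers_port(rule, port):
    """True if the rule's protocol/port range admits TCP `port`.

    protocol "-1" is Terraform's "all protocols", which also means all ports
    (from_port/to_port are 0 in that case), so it always reaches SSH."""
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto == "-1":
        return True
    if proto != "tcp":  # SSH is TCP; a UDP or ICMP rule cannot expose it
        return False
    return int(rule["from_port"]) <= port <= int(rule["to_port"])


def _unrestricted_sources(rule):
    """CIDRs whose prefix length is 0 (0.0.0.0/0 or ::/0), i.e. 'anywhere'."""
    cidrs = list(rule.get("cidr_blocks", [])) + list(rule.get("ipv6_cidr_blocks", []))
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def check_security_group(sg):
    """Return [(check_id, message), ...] for one security group dict."""
    findings = []
    name = sg["name"]
    # BC_AWS_NETWORKING_1: any ingress rule reaching port 22 from an unrestricted source
    for i, rule in enumerate(sg.get("ingress", [])):
        open_sources = _unrestricted_sources(rule)
        if open_sources and _rule_covers_port(rule, SSH_PORT):
            findings.append(("BC_AWS_NETWORKING_1",
                             f"{name}: ingress[{i}] allows SSH (22) from {', '.join(open_sources)}"))
    # BC_AWS_NETWORKING_31: every rule, in both directions, needs a non-empty description
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(sg.get(direction, [])):
            if not (rule.get("description") or "").strip():
                findings.append(("BC_AWS_NETWORKING_31",
                                 f"{name}: {direction}[{i}] has no description"))
    return findings


# Constructed sample: mirrors the two findings on aws_security_group.web-node,
# plus a protocol "-1" / ::/0 rule that also exposes SSH but is easy to overlook.
WEB_NODE = {
    "name": "web-node",
    "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"],
         "description": "HTTPS from anywhere"},
        {"from_port": 0, "to_port": 0, "protocol": "-1", "ipv6_cidr_blocks": ["::/0"],
         "description": "IPv6 catch-all (also exposes 22)"},
    ],
    "egress": [
        {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"],
         "description": "all outbound"},
    ],
}

# Constructed hardened variant: SSH only from a private range, every rule described.
WEB_NODE_HARDENED = {
    "name": "web-node-hardened",
    "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"],
         "description": "SSH from the bastion range"},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"],
         "description": "HTTPS from anywhere"},
    ],
    "egress": [
        {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"],
         "description": "all outbound"},
    ],
}

if __name__ == "__main__":
    for sg in (WEB_NODE, WEB_NODE_HARDENED):
        for check_id, message in check_security_group(sg) or [("PASS", sg["name"])]:
            print(f"{check_id}: {message}")
```

Note that the "-1" rule is flagged even though its from_port/to_port are 0: the scanner has to reason about protocol semantics, not just compare port numbers.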
| @@ -0,0 +1,308 @@ | |||
| resource "aws_instance" "web_host" { | |||
Instance Metadata Service version 1 is enabled
Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_31
How to Fix
resource "aws_instance" "example" {
...
instance_type = "t2.micro"
+ metadata_options {
...
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
...
}
Description
The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata. You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1): a request/response method
- Instance Metadata Service Version 2 (IMDSv2): a session-oriented method
As a request/response method IMDSv1 is prone to local misconfigurations:
- Open proxies, open NATs and routers, server-side reflection vulnerabilities.
- One way or another, local software might access local-only data.
Benchmarks
- FEDRAMP (MODERATE) AC-6
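Review bot: http_tokens = "required" in the How to Fix turns off IMDSv1 for web_host entirely, so anything on the instance that still fetches metadata with a plain GET (older SDK versions, hand-written curl in user data or cron) will start receiving 401s. Confirm the SDKs and scripts on the host use the IMDSv2 token flow before applying, rather than discovering it when the instance loses its role credentials.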
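To make concrete why the description separates a request/response service from a session-oriented one, here is an added example, not AWS code and not part of the PR: a small in-memory model of IMDS under http_tokens = "optional" (IMDSv1 still accepted, which is what BC_AWS_GENERAL_31 flags) and "required". The credential path, role name and credential string are constructed placeholders; the model follows the documented IMDSv2 token flow (PUT /latest/api/token with a TTL header, then GET with the token header) but does not reproduce every status code of the real endpoint at 169.254.169.254.

```python
"""Added example: in-memory model of IMDSv1 vs IMDSv2 behaviour under http_tokens."""
import secrets
import time

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
MAX_TTL = 21600  # documented upper bound for an IMDSv2 session token, in seconds

# Constructed placeholder: role name and credential value are not real.
CRED_PATH = "/latest/meta-data/iam/security-credentials/web-host-role"
CREDS = {CRED_PATH: "ASIAEXAMPLE/constructed-placeholder-credential"}


class FakeIMDS:
    """Model of the on-instance endpoint. http_tokens mirrors metadata_options.http_tokens."""

    def __init__(self, http_tokens="optional", metadata=None):
        assert http_tokens in ("optional", "required")
        self.http_tokens = http_tokens
        self.metadata = metadata or {}
        self._tokens = {}  # token -> expiry on the monotonic clock

    def request(self, method, path, headers=None):
        """Return (status, body) the way the HTTP endpoint would."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if path == TOKEN_PATH:
            # IMDSv2 session start: only a PUT carrying a sane TTL header is accepted.
            if method != "PUT" or TTL_HEADER not in headers:
                return 400, ""
            try:
                ttl = int(headers[TTL_HEADER])
            except ValueError:
                return 400, ""
            if not 1 <= ttl <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.monotonic() + ttl
            return 200, token
        if method != "GET":
            return 405, ""
        token = headers.get(TOKEN_HEADER)
        if token is not None:
            # A presented token must be known and unexpired, even in "optional" mode.
            if self._tokens.get(token, 0) < time.monotonic():
                return 401, ""
        elif self.http_tokens == "required":
            # IMDSv1-style call (no session token) is refused outright.
            return 401, ""
        if path not in self.metadata:
            return 404, ""
        return 200, self.metadata[path]


def ssrf_via_open_proxy(imds, path):
    """Models the cases in the description (open proxy, open NAT, server-side
    reflection): the attacker can aim a request at the endpoint but only gets
    a plain GET and cannot add custom request headers."""
    return imds.request("GET", path)


def sdk_v2_fetch(imds, path):
    """What an IMDSv2-aware client does: PUT for a token, then GET with it."""
    status, token = imds.request("PUT", TOKEN_PATH, {TTL_HEADER: "60"})
    if status != 200:
        return status, ""
    return imds.request("GET", path, {TOKEN_HEADER: token})


def demo():
    """Status codes for the same credential path under both settings."""
    v1_allowed = FakeIMDS("optional", CREDS)   # the configuration the check flags
    v2_only = FakeIMDS("required", CREDS)      # what the How to Fix block sets
    return {
        "ssrf_against_optional": ssrf_via_open_proxy(v1_allowed, CRED_PATH)[0],
        "ssrf_against_required": ssrf_via_open_proxy(v2_only, CRED_PATH)[0],
        "sdk_against_required": sdk_v2_fetch(v2_only, CRED_PATH)[0],
        "guessed_token_against_required":
            v2_only.request("GET", CRED_PATH, {TOKEN_HEADER: "guess"})[0],
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario}: HTTP {status}")
```

The asymmetry is the whole point: the GET-only attacker reads role credentials under "optional" and gets 401 under "required", while a client that performs the PUT handshake keeps working. The session token is per-instance state the proxy never sees, which is what "session-oriented" buys over "request/response".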
Hey, I recommend Co-authored-by: prisma-cloud-devsecops[bot] <89982750+prisma-cloud-devsecops[bot]@users.noreply.github.com>
1 error was fixed.
Change details
| Error ID | Change | Path | Resource |
| BC_AWS_GENERAL_68 | Fixed | /newdec11.tf | aws_instance.web_host |
No description provided.