
feat: add bucket_policy resource and mfa_delete Argument #46

Merged 5 commits, Sep 14, 2023

Conversation

mamrajyadav (Contributor)

what

  • Added aws_s3_bucket_policy resource and mfa_delete argument.

@clouddrove-ci (Member)

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Public access block does not block public ACLs 
────────────────────────────────────────────────────────────────────────────────
  main.tf:569
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569  [   block_public_acls       = var.block_public_acls (false)
  570      block_public_policy     = var.block_public_policy
  571      ignore_public_acls      = var.ignore_public_acls
  572      restrict_public_buckets = var.restrict_public_buckets
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-block-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable blocking any PUT calls with a public ACL specified

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #4 HIGH Public access block does not block public policies 
────────────────────────────────────────────────────────────────────────────────
  main.tf:570
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570  [   block_public_policy     = var.block_public_policy (false)
  571      ignore_public_acls      = var.ignore_public_acls
  572      restrict_public_buckets = var.restrict_public_buckets
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-block-public-policy
      Impact Users could put a policy that allows public access
  Resolution Prevent policies that allow public access being PUT

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────


Result #5 HIGH Public access block does not ignore public ACLs 
────────────────────────────────────────────────────────────────────────────────
  main.tf:571
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570      block_public_policy     = var.block_public_policy
  571  [   ignore_public_acls      = var.ignore_public_acls (false)
  572      restrict_public_buckets = var.restrict_public_buckets
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH Public access block does not restrict public buckets 
────────────────────────────────────────────────────────────────────────────────
  main.tf:572
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570      block_public_policy     = var.block_public_policy
  571      ignore_public_acls      = var.ignore_public_acls
  572  [   restrict_public_buckets = var.restrict_public_buckets (false)
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets
────────────────────────────────────────────────────────────────────────────────


Result #7 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #8 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             259.724µs
  parsing              309.020909ms
  adaptation           911.181µs
  checks               18.183525ms
  total                328.375339ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     86
  files read           4

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 6
  medium               2
  low                  0

  2 passed, 8 potential problem(s) detected.

@13archit 13archit marked this pull request as draft September 12, 2023 17:57
@13archit 13archit marked this pull request as ready for review September 13, 2023 17:12
@d4kverma d4kverma (Member) left a comment

LGTM

@13archit 13archit (Member) left a comment

LGTM

@13archit 13archit merged commit d6406d7 into master Sep 14, 2023
36 checks passed
@delete-merged-branch delete-merged-branch bot deleted the issue-255 branch September 14, 2023 13:52