Skip to content

Commit

Permalink
Merge pull request #20 from kunduso/fix-checkov-scan-findings
Browse files Browse the repository at this point in the history
Fix checkov scan findings
  • Loading branch information
kunduso authored Sep 13, 2024
2 parents 8d8b106 + b90a4be commit 40cc3bd
Show file tree
Hide file tree
Showing 6 changed files with 128 additions and 49 deletions.
2 changes: 1 addition & 1 deletion cloudwatch.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
resource "aws_cloudwatch_log_group" "lambda_log" {
name = "${var.log_group_prefix}${var.name}" #"/aws/lambda/${var.name}"
retention_in_days = 365
kms_key_id = aws_kms_key.encryption_rest.arn
kms_key_id = aws_kms_key.encryption.arn
}
#
#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_stream
Expand Down
10 changes: 9 additions & 1 deletion iam_role.tf
Original file line number Diff line number Diff line change
Expand Up @@ -40,12 +40,20 @@ resource "aws_iam_policy" "lambda_policy" {
],
Resource = [local.cloudwatch_log_group_arn]
},
{
Effect = "Allow"
Action = [
"sqs:SendMessage",
"sqs:GetQueueAttributes"
]
Resource = aws_sqs_queue.dlq.arn
},
{
Effect = "Allow",
Action = [
"kms:Decrypt"
]
Resource = [aws_kms_key.encryption_rest.arn]
Resource = [aws_kms_key.encryption.arn]
}
]
})
Expand Down
147 changes: 105 additions & 42 deletions kms.tf
Original file line number Diff line number Diff line change
@@ -1,50 +1,113 @@
#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
resource "aws_kms_key" "encryption_rest" {
resource "aws_kms_key" "encryption" {
enable_key_rotation = true
description = "Key to encrypt Amazon CloudWatch logs at rest."
description = "Key to encrypt all the cloud resources in ${var.name}."
deletion_window_in_days = 7
#checkov:skip=CKV2_AWS_64: KMS Key policy in a separate resource
}
#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
resource "aws_kms_alias" "encryption_rest" {
name = "alias/lambda-${var.name}-at-rest"
target_key_id = aws_kms_key.encryption_rest.key_id
resource "aws_kms_alias" "encryption" {
name = "alias/${var.name}"
target_key_id = aws_kms_key.encryption.key_id
}
#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy
resource "aws_kms_key_policy" "encryption_rest_policy" {
key_id = aws_kms_key.encryption_rest.id
policy = jsonencode({
Id = "encryption-rest"
Statement = [
{
Action = "kms:*"
Effect = "Allow"
Principal = {
AWS = "${local.principal_root_arn}"
}
Resource = "*"
Sid = "Enable IAM User Permissions"
},
{
Effect : "Allow",
Principal : {
Service : "${local.principal_logs_arn}"
},
Action : [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
Resource : "*",
Condition : {
ArnEquals : {
"kms:EncryptionContext:aws:logs:arn" : [local.cloudwatch_log_group_arn]
}
}
}
#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
data "aws_iam_policy_document" "encryption_policy" {
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:Create*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
"kms:TagResource",
"kms:UntagResource"
]
resources = [aws_kms_key.encryption.arn]
}
statement {
sid = "Allow CloudWatch to use the key"
effect = "Allow"
principals {
type = "Service"
identifiers = ["logs.amazonaws.com"]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant"
]
resources = [aws_kms_key.encryption.arn]
condition {
test = "ArnEquals"
variable = "kms:EncryptionContext:aws:logs:arn"
values = [local.cloudwatch_log_group_arn]
}
}
statement {
sid = "Allow Lambda to use the key"
effect = "Allow"
principals {
type = "Service"
identifiers = ["lambda.amazonaws.com"]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant"
]
Version = "2012-10-17"
})
resources = [aws_kms_key.encryption.arn]
}
statement {
sid = "Allow SSM to use the key"
effect = "Allow"
principals {
type = "Service"
identifiers = ["ssm.amazonaws.com"]
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
resources = [aws_kms_key.encryption.arn]
condition {
test = "StringEquals"
variable = "kms:CallerAccount"
values = [data.aws_caller_identity.current.account_id]
}
condition {
test = "StringEquals"
variable = "kms:ViaService"
values = ["ssm.${var.region}.amazonaws.com"]
}
}
}
#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy
resource "aws_kms_key_policy" "encryption" {
key_id = aws_kms_key.encryption.id
policy = data.aws_iam_policy_document.encryption_policy.json
}
10 changes: 6 additions & 4 deletions lambda.tf
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ resource "aws_lambda_function" "lambda_run" {
role = aws_iam_role.lambda_role.arn
handler = "handler.lambda_handler"
runtime = "python3.8"
kms_key_arn = aws_kms_key.encryption_rest.arn
kms_key_arn = aws_kms_key.encryption.arn
logging_config {
log_format = "JSON"
log_group = aws_cloudwatch_log_group.lambda_log.name
Expand All @@ -25,11 +25,13 @@ resource "aws_lambda_function" "lambda_run" {
log_stream_name = aws_cloudwatch_log_stream.log_stream.name
}
}
#https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
dead_letter_config {
target_arn = aws_sqs_queue.dlq.arn
}
reserved_concurrent_executions = 5
#checkov:skip=CKV_AWS_50: Not applicable in this use case: X-Ray tracing is enabled for Lambda
#checkov:skip=CKV_AWS_115: Not applicable in this use case: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
#checkov:skip=CKV_AWS_117: This AWS Lambda function does not require access to anything inside a VPC
#checkov:skip=CKV_AWS_116: Not applicable in this use case
#checkov:skip=CKV_AWS_173: Not applicable in this use case
#checkov:skip=CKV_AWS_272: Not applicable in this use case: Ensure AWS Lambda function is configured to validate code-signing
}
#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule
Expand Down
6 changes: 6 additions & 0 deletions sqs.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue
resource "aws_sqs_queue" "dlq" {
name = "${var.name}-lambda-dlq"
kms_master_key_id = aws_kms_key.encryption.arn
kms_data_key_reuse_period_seconds = 300
}
2 changes: 1 addition & 1 deletion ssm_parameter.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,6 @@
resource "aws_ssm_parameter" "parameter" {
name = "/${var.name}"
type = "SecureString"
key_id = aws_kms_key.encryption_rest.id
key_id = aws_kms_key.encryption.id
value = "1234567890"
}

0 comments on commit 40cc3bd

Please sign in to comment.