From 44eb68c45cbc92a523c45fd43dadaf1cb770bfb7 Mon Sep 17 00:00:00 2001 
From: scruffyscarf
Date: Wed, 8 Oct 2025 17:40:51 +0300
Subject: [PATCH 1/2] docs: add lab6 submission - IaC security scanning and comparative analysis

---
 labs/lab6/analysis/ansible-analysis.txt       |     5 +
 .../analysis/checkov-terraform-report.txt     |   392 +
 .../analysis/checkov-terraform-results.json   | 17139 ++++++++++++++++
 labs/lab6/analysis/kics-ansible-report.html   |    44 +
 labs/lab6/analysis/kics-ansible-report.txt    |    73 +
 labs/lab6/analysis/kics-ansible-results.json  |   176 +
 labs/lab6/analysis/kics-pulumi-report.html    |    44 +
 labs/lab6/analysis/kics-pulumi-report.txt     |    54 +
 labs/lab6/analysis/kics-pulumi-results.json   |   196 +
 labs/lab6/analysis/pulumi-analysis.txt        |     5 +
 labs/lab6/analysis/terraform-comparison.txt   |     4 +
 labs/lab6/analysis/terrascan-report.txt       |   216 +
 labs/lab6/analysis/terrascan-results.json     |   303 +
 labs/lab6/analysis/tfsec-report.txt           |  1099 +
 labs/lab6/analysis/tfsec-results.json         |  1225 ++
 labs/lab6/analysis/tool-comparison.txt        |     8 +
 labs/lab6/submission6.md                      |   380 +
 17 files changed, 21363 insertions(+)
 create mode 100644 labs/lab6/analysis/ansible-analysis.txt
 create mode 100644 labs/lab6/analysis/checkov-terraform-report.txt
 create mode 100644 labs/lab6/analysis/checkov-terraform-results.json
 create mode 100755 labs/lab6/analysis/kics-ansible-report.html
 create mode 100644 labs/lab6/analysis/kics-ansible-report.txt
 create mode 100755 labs/lab6/analysis/kics-ansible-results.json
 create mode 100755 labs/lab6/analysis/kics-pulumi-report.html
 create mode 100644 labs/lab6/analysis/kics-pulumi-report.txt
 create mode 100755 labs/lab6/analysis/kics-pulumi-results.json
 create mode 100644 labs/lab6/analysis/pulumi-analysis.txt
 create mode 100644 labs/lab6/analysis/terraform-comparison.txt
 create mode 100644 labs/lab6/analysis/terrascan-report.txt
 create mode 100644 labs/lab6/analysis/terrascan-results.json
 create mode 100644 labs/lab6/analysis/tfsec-report.txt
 create mode 100644 labs/lab6/analysis/tfsec-results.json
 create mode 100644 
labs/lab6/analysis/tool-comparison.txt create mode 100644 labs/lab6/submission6.md diff --git a/labs/lab6/analysis/ansible-analysis.txt b/labs/lab6/analysis/ansible-analysis.txt new file mode 100644 index 00000000..be9b67f5 --- /dev/null +++ b/labs/lab6/analysis/ansible-analysis.txt @@ -0,0 +1,5 @@ +=== Ansible Security Analysis (KICS) === +KICS Ansible findings: 9 + HIGH severity: 8 + MEDIUM severity: 0 + LOW severity: 1 diff --git a/labs/lab6/analysis/checkov-terraform-report.txt b/labs/lab6/analysis/checkov-terraform-report.txt new file mode 100644 index 00000000..ca371d30 --- /dev/null +++ b/labs/lab6/analysis/checkov-terraform-report.txt 
@@ -0,0 +1,392 @@ + + _ _ + ___| |__ ___ ___| | _______ __ + / __| '_ \ / _ \/ __| |/ / _ \ \ / / + | (__| | | | __/ (__| < (_) \ V / + \___|_| |_|\___|\___|_|\_\___/ \_/ + +By Prisma Cloud | version: 3.2.474 + +terraform scan results: + +Passed checks: 48, Failed checks: 78, Skipped checks: 0 + +Check: CKV_AWS_388: "Ensure AWS Aurora PostgreSQL is not exposed to local file read vulnerability" + PASSED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert" + PASSED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_250: "Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/)" + PASSED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs" + PASSED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_133: "Ensure that RDS instances has backup policy" + PASSED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_388: "Ensure AWS Aurora PostgreSQL is not exposed to local file read vulnerability" + PASSED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest" + PASSED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert" + PASSED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs" + PASSED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible" + PASSED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_60: "Ensure IAM role allows 
only specific services or principals to assume it" + PASSED for resource: aws_iam_role.app_role + File: /iam.tf:22-37 +Check: CKV_AWS_61: "Ensure AWS IAM policy does not allow assume role permission across all services" + PASSED for resource: aws_iam_role.app_role + File: /iam.tf:22-37 +Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy" + PASSED for resource: aws_iam_role.app_role + File: /iam.tf:22-37 +Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions" + PASSED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation" + PASSED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure" + PASSED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV_AWS_62: "Ensure IAM policies that allow full "*-*" administrative privileges are not created" + PASSED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions" + PASSED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation" + PASSED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_62: "Ensure IAM policies that allow full "*-*" administrative privileges are not created" + PASSED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_348: "Ensure IAM root user does not have Access keys" + PASSED for resource: aws_iam_access_key.service_key + File: /iam.tf:88-90 +Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions" + PASSED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_290: "Ensure 
IAM policies does not allow write access without constraints" + PASSED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration" + PASSED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure" + PASSED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_62: "Ensure IAM policies that allow full "*-*" administrative privileges are not created" + PASSED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_93: "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)" + PASSED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV_AWS_93: "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)" + PASSED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" + PASSED for resource: aws_security_group.ssh_open + File: /security_groups.tf:31-62 +Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1" + PASSED for resource: aws_security_group.ssh_open + File: /security_groups.tf:31-62 +Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22" + PASSED for resource: aws_security_group.database_exposed + File: /security_groups.tf:65-92 +Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" + PASSED for resource: aws_security_group.database_exposed + File: /security_groups.tf:65-92 +Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389" + PASSED for resource: aws_security_group.database_exposed + File: /security_groups.tf:65-92 +Check: CKV_AWS_277: "Ensure no security 
groups allow ingress from 0.0.0.0:0 to port -1" + PASSED for resource: aws_security_group.database_exposed + File: /security_groups.tf:65-92 +Check: CKV2_AWS_56: "Ensure AWS Managed IAMFullAccess IAM policy is not used." + PASSED for resource: aws_iam_role.app_role + File: /iam.tf:22-37 +Check: CKV2_AWS_22: "Ensure an IAM User does not have access to the console" + PASSED for resource: aws_iam_user.service_account + File: /iam.tf:58-65 +Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access." + PASSED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource" + PASSED for resource: aws_security_group.database_exposed + File: /security_groups.tf:65-92 +Check: CKV2_AWS_69: "Ensure AWS RDS database instance configured with encryption in transit" + PASSED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV2_AWS_69: "Ensure AWS RDS database instance configured with encryption in transit" + PASSED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables" + PASSED for resource: aws_dynamodb_table.unencrypted_table + File: /database.tf:72-92 +Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest" + PASSED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest" + PASSED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access." + PASSED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access." 
+ PASSED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" + PASSED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" + PASSED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" + PASSED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_133: "Ensure that RDS instances has backup policy" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible" + FAILED for resource: aws_db_instance.unencrypted_db 
+ File: /database.tf:5-37 +Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled" + FAILED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled" + FAILED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled" + FAILED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled" + FAILED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically" + FAILED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances" + FAILED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK" + FAILED for resource: aws_dynamodb_table.unencrypted_table + File: /database.tf:72-92 +Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled" + FAILED for resource: aws_dynamodb_table.unencrypted_table + File: /database.tf:72-92 +Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 +Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 +Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 +Check: 
CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 +Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 +Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 +Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 +Check: CKV_AWS_62: "Ensure IAM policies that allow full "*-*" administrative privileges are not created" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 +Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints" + FAILED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration" + FAILED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" + FAILED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" + FAILED for resource: aws_iam_role_policy.s3_full_access + File: /iam.tf:39-55 +Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users" + FAILED for resource: aws_iam_user.service_account + File: /iam.tf:58-65 +Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints" + FAILED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration" + 
FAILED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure" + FAILED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" + FAILED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" + FAILED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)" + FAILED for resource: aws_iam_user_policy.service_policy + File: /iam.tf:67-85 +Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation" + FAILED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" + FAILED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" + FAILED for resource: aws_iam_policy.privilege_escalation + File: /iam.tf:104-125 +Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_buckets' enabled" + FAILED for resource: aws_s3_bucket_public_access_block.bad_config + File: /main.tf:36-43 +Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled" + FAILED for resource: aws_s3_bucket_public_access_block.bad_config + File: /main.tf:36-43 +Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled" + FAILED for resource: aws_s3_bucket_public_access_block.bad_config + File: /main.tf:36-43 
+Check: CKV_AWS_55: "Ensure S3 bucket has ignore public ACLs enabled" + FAILED for resource: aws_s3_bucket_public_access_block.bad_config + File: /main.tf:36-43 +Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider" + FAILED for resource: aws.default + File: /main.tf:5-10 +Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22" + FAILED for resource: aws_security_group.allow_all + File: /security_groups.tf:5-28 +Check: CKV_AWS_23: "Ensure every security group and rule has a description" + FAILED for resource: aws_security_group.allow_all + File: /security_groups.tf:5-28 +Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" + FAILED for resource: aws_security_group.allow_all + File: /security_groups.tf:5-28 +Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389" + FAILED for resource: aws_security_group.allow_all + File: /security_groups.tf:5-28 +Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1" + FAILED for resource: aws_security_group.allow_all + File: /security_groups.tf:5-28 +Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1" + FAILED for resource: aws_security_group.allow_all + File: /security_groups.tf:5-28 +Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22" + FAILED for resource: aws_security_group.ssh_open + File: /security_groups.tf:31-62 +Check: CKV_AWS_23: "Ensure every security group and rule has a description" + FAILED for resource: aws_security_group.ssh_open + File: /security_groups.tf:31-62 +Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389" + FAILED for resource: aws_security_group.ssh_open + File: /security_groups.tf:31-62 +Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1" + FAILED for resource: aws_security_group.ssh_open + File: 
/security_groups.tf:31-62 +Check: CKV_AWS_23: "Ensure every security group and rule has a description" + FAILED for resource: aws_security_group.database_exposed + File: /security_groups.tf:65-92 +Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1" + FAILED for resource: aws_security_group.database_exposed + File: /security_groups.tf:65-92 +Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled" + FAILED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled" + FAILED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled" + FAILED for resource: aws_db_instance.weak_db + File: /database.tf:40-69 +Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled" + FAILED for resource: aws_db_instance.unencrypted_db + File: /database.tf:5-37 +Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration" + FAILED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration" + FAILED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled" + FAILED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled" + FAILED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block" + FAILED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access 
block" + FAILED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access." + FAILED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default" + FAILED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default" + FAILED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource" + FAILED for resource: aws_security_group.allow_all + File: /security_groups.tf:5-28 +Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource" + FAILED for resource: aws_security_group.ssh_open + File: /security_groups.tf:31-62 +Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled" + FAILED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled" + FAILED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled" + FAILED for resource: aws_s3_bucket.public_data + File: /main.tf:13-21 +Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled" + FAILED for resource: aws_s3_bucket.unencrypted_data + File: /main.tf:24-33 +Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" + FAILED for resource: aws_iam_policy.admin_policy + File: /iam.tf:5-19 + diff --git a/labs/lab6/analysis/checkov-terraform-results.json b/labs/lab6/analysis/checkov-terraform-results.json new file mode 100644 index 00000000..cf7dcca6 --- /dev/null +++ b/labs/lab6/analysis/checkov-terraform-results.json 
@@ -0,0 +1,17139 @@ +{ + "check_type": "terraform", + "results": { + "passed_checks": [ + { + "check_id": "CKV_AWS_388", + "bc_check_id": null, + "check_name": "Ensure AWS Aurora PostgreSQL is not exposed to local file read vulnerability", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + 
"file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.UnpatchedAuroraPostgresDB", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_211", + "bc_check_id": null, + "check_name": "Ensure RDS uses a modern CaCert", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "ca_cert_identifier" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " 
deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSCACertIsRecent", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_250", + "bc_check_id": null, + "check_name": "Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/)", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "engine", + "engine_version" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - 
Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSPostgreSQLLogFDWExtension", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_354", + "bc_check_id": null, + "check_name": "Ensure RDS Performance Insights are encrypted using KMS CMKs", + 
"check_result": { + "result": "PASSED", + "evaluated_keys": [ + "performance_insights_kms_key_id" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSInstancePerfInsightsEncryptionWithCMK", + 
"fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_133", + "bc_check_id": null, + "check_name": "Ensure that RDS instances has backup policy", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "backup_retention_period" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 
67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.DBInstanceBackupRetentionPeriod", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_388", + "bc_check_id": null, + "check_name": "Ensure AWS Aurora PostgreSQL is not exposed to local file read vulnerability", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + 
" # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.UnpatchedAuroraPostgresDB", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_16", + "bc_check_id": null, + "check_name": "Ensure all data stored in the RDS is securely encrypted at rest", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "storage_encrypted" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 
49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSEncryption", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_211", + "bc_check_id": null, + "check_name": "Ensure RDS uses a modern CaCert", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "ca_cert_identifier" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 
43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSCACertIsRecent", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": 
"CKV_AWS_354", + "bc_check_id": null, + "check_name": "Ensure RDS Performance Insights are encrypted using KMS CMKs", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "performance_insights_kms_key_id" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSInstancePerfInsightsEncryptionWithCMK", + "fixed_definition": null, + "entity_tags": { + 
"Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_17", + "bc_check_id": null, + "check_name": "Ensure all data stored in RDS is not publicly accessible", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "publicly_accessible" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 
68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSPubliclyAccessible", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_60", + "bc_check_id": null, + "check_name": "Ensure IAM role allows only specific services or principals to assume it", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "assume_role_policy" + ] + }, + "code_block": [ + [ + 22, + "resource \"aws_iam_role\" \"app_role\" {\n" + ], + [ + 23, + " name = \"application-role\"\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " assume_role_policy = jsonencode({\n" + ], + [ + 26, + " Version = \"2012-10-17\"\n" + ], + [ + 27, + " Statement = [\n" + ], + [ + 28, + " {\n" + ], + [ + 29, + " Action = \"sts:AssumeRole\"\n" + ], + [ + 30, + " Effect = \"Allow\"\n" + ], + [ + 31, + " Principal = {\n" + ], + [ + 32, + " Service = \"ec2.amazonaws.com\"\n" + ], + [ + 33, + " }\n" + ], + [ + 34, + " }\n" + ], + [ + 35, + " ]\n" + ], + [ + 36, + " })\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 22, + 37 + ], + "resource": "aws_iam_role.app_role", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMRoleAllowsPublicAssume", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_61", + "bc_check_id": null, + "check_name": "Ensure AWS IAM policy does not allow assume role permission across all services", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "assume_role_policy" + ] + }, + "code_block": [ + [ + 22, + "resource \"aws_iam_role\" \"app_role\" {\n" + ], + [ + 23, + " name = \"application-role\"\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " assume_role_policy = jsonencode({\n" + ], + [ + 26, + " Version = \"2012-10-17\"\n" + ], + [ + 27, + " Statement = [\n" + ], + [ + 28, + " {\n" + ], + [ + 29, + " Action = \"sts:AssumeRole\"\n" + ], + [ + 30, + " Effect = \"Allow\"\n" + ], + [ + 31, + " Principal = {\n" + ], + [ + 32, + " Service = \"ec2.amazonaws.com\"\n" + ], + [ + 33, + " }\n" + ], + [ + 34, + " }\n" + ], + [ + 35, + " ]\n" + ], + [ + 36, + " })\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 22, + 37 + ], + "resource": "aws_iam_role.app_role", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMRoleAllowAssumeFromAccount", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_274", + 
"bc_check_id": null, + "check_name": "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 22, + "resource \"aws_iam_role\" \"app_role\" {\n" + ], + [ + 23, + " name = \"application-role\"\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " assume_role_policy = jsonencode({\n" + ], + [ + 26, + " Version = \"2012-10-17\"\n" + ], + [ + 27, + " Statement = [\n" + ], + [ + 28, + " {\n" + ], + [ + 29, + " Action = \"sts:AssumeRole\"\n" + ], + [ + 30, + " Effect = \"Allow\"\n" + ], + [ + 31, + " Principal = {\n" + ], + [ + 32, + " Service = \"ec2.amazonaws.com\"\n" + ], + [ + 33, + " }\n" + ], + [ + 34, + " }\n" + ], + [ + 35, + " ]\n" + ], + [ + 36, + " })\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 22, + 37 + ], + "resource": "aws_iam_role.app_role", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMManagedAdminPolicy", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_63", + "bc_check_id": null, + "check_name": "Ensure no IAM policies documents allow \"*\" as a statement's actions", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "policy", + "inline_policy" + ] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy 
= jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + ], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], + [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMStarActionPolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_286", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow privilege escalation", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy = jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + ], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], 
+ [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPrivilegeEscalation", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_287", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow credentials exposure", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy = jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + ], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], + [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMCredentialsExposure", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + 
"caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_62", + "bc_check_id": null, + "check_name": "Ensure IAM policies that allow full \"*-*\" administrative privileges are not created", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "policy", + "inline_policy" + ] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy = jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + ], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], + [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMAdminPolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + 
"check_id": "CKV_AWS_63", + "bc_check_id": null, + "check_name": "Ensure no IAM policies documents allow \"*\" as a statement's actions", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "policy", + "inline_policy" + ] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMStarActionPolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_286", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not 
allow privilege escalation", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPrivilegeEscalation", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_62", + "bc_check_id": null, + "check_name": "Ensure IAM policies that allow full \"*-*\" administrative privileges are not created", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "policy", + 
"inline_policy" + ] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMAdminPolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_348", + "bc_check_id": null, + "check_name": "Ensure IAM root user does not have Access keys", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "user" + ] + }, + "code_block": [ + [ + 88, + "resource \"aws_iam_access_key\" \"service_key\" {\n" + ], + [ + 89, + " user = 
aws_iam_user.service_account.name\n" + ], + [ + 90, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 88, + 90 + ], + "resource": "aws_iam_access_key.service_key", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMUserRootAccessKeys", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_63", + "bc_check_id": null, + "check_name": "Ensure no IAM policies documents allow \"*\" as a statement's actions", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "policy", + "inline_policy" + ] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 114, + " \"iam:CreatePolicy\",\n" + ], + [ + 115, + " \"iam:CreateUser\",\n" + ], + [ + 116, + " \"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + 
" Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + "resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMStarActionPolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_290", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow write access without constraints", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 114, + " \"iam:CreatePolicy\",\n" + ], + [ + 115, + " \"iam:CreateUser\",\n" + ], + [ + 116, + " \"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + " Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + 
] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + "resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMWriteAccess", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_288", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow data exfiltration", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 114, + " \"iam:CreatePolicy\",\n" + ], + [ + 115, + " \"iam:CreateUser\",\n" + ], + [ + 116, + " \"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + " Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + 
"resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMDataExfiltration", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_287", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow credentials exposure", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 114, + " \"iam:CreatePolicy\",\n" + ], + [ + 115, + " \"iam:CreateUser\",\n" + ], + [ + 116, + " \"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + " Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + "resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": 
"checkov.terraform.checks.resource.aws.IAMCredentialsExposure", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_62", + "bc_check_id": null, + "check_name": "Ensure IAM policies that allow full \"*-*\" administrative privileges are not created", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "policy", + "inline_policy" + ] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 114, + " \"iam:CreatePolicy\",\n" + ], + [ + 115, + " \"iam:CreateUser\",\n" + ], + [ + 116, + " \"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + " Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + "resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMAdminPolicyDocument", + 
"fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_93", + "bc_check_id": null, + "check_name": "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "policy" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.S3ProtectAgainstPolicyLockout", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_93", + "bc_check_id": null, + "check_name": "Ensure S3 bucket policy does not lockout all 
but root user. (Prevent lockouts needing root account fixes)", + "check_result": { + "result": "PASSED", + "evaluated_keys": [ + "policy" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.S3ProtectAgainstPolicyLockout", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_260", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 31, + "resource \"aws_security_group\" \"ssh_open\" {\n" + ], + [ + 32, + " name = \"ssh-from-anywhere\"\n" + ], + [ + 33, + " description = \"SSH access from anywhere\"\n" + ], + [ + 34, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " ingress {\n" + ], + [ + 37, + " description = \"SSH from anywhere\"\n" + ], + [ + 38, + " from_port = 22\n" + ], + [ + 39, + " to_port = 22\n" + ], + [ + 40, + " protocol = \"tcp\"\n" + 
], + [ + 41, + " cidr_blocks = [\"0.0.0.0/0\"] # SSH from anywhere!\n" + ], + [ + 42, + " }\n" + ], + [ + 43, + "\n" + ], + [ + 44, + " ingress {\n" + ], + [ + 45, + " description = \"RDP from anywhere\"\n" + ], + [ + 46, + " from_port = 3389\n" + ], + [ + 47, + " to_port = 3389\n" + ], + [ + 48, + " protocol = \"tcp\"\n" + ], + [ + 49, + " cidr_blocks = [\"0.0.0.0/0\"] # RDP from anywhere!\n" + ], + [ + 50, + " }\n" + ], + [ + 51, + "\n" + ], + [ + 52, + " egress {\n" + ], + [ + 53, + " from_port = 0\n" + ], + [ + 54, + " to_port = 0\n" + ], + [ + 55, + " protocol = \"-1\"\n" + ], + [ + 56, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 57, + " }\n" + ], + [ + 58, + "\n" + ], + [ + 59, + " tags = {\n" + ], + [ + 60, + " Name = \"SSH Open Security Group\"\n" + ], + [ + 61, + " }\n" + ], + [ + 62, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 31, + 62 + ], + "resource": "aws_security_group.ssh_open", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress80", + "fixed_definition": null, + "entity_tags": { + "Name": "SSH Open Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_277", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 31, + "resource \"aws_security_group\" \"ssh_open\" {\n" + ], + [ + 32, + " name = \"ssh-from-anywhere\"\n" + ], + [ + 33, + " 
description = \"SSH access from anywhere\"\n" + ], + [ + 34, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " ingress {\n" + ], + [ + 37, + " description = \"SSH from anywhere\"\n" + ], + [ + 38, + " from_port = 22\n" + ], + [ + 39, + " to_port = 22\n" + ], + [ + 40, + " protocol = \"tcp\"\n" + ], + [ + 41, + " cidr_blocks = [\"0.0.0.0/0\"] # SSH from anywhere!\n" + ], + [ + 42, + " }\n" + ], + [ + 43, + "\n" + ], + [ + 44, + " ingress {\n" + ], + [ + 45, + " description = \"RDP from anywhere\"\n" + ], + [ + 46, + " from_port = 3389\n" + ], + [ + 47, + " to_port = 3389\n" + ], + [ + 48, + " protocol = \"tcp\"\n" + ], + [ + 49, + " cidr_blocks = [\"0.0.0.0/0\"] # RDP from anywhere!\n" + ], + [ + 50, + " }\n" + ], + [ + 51, + "\n" + ], + [ + 52, + " egress {\n" + ], + [ + 53, + " from_port = 0\n" + ], + [ + 54, + " to_port = 0\n" + ], + [ + 55, + " protocol = \"-1\"\n" + ], + [ + 56, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 57, + " }\n" + ], + [ + 58, + "\n" + ], + [ + 59, + " tags = {\n" + ], + [ + 60, + " Name = \"SSH Open Security Group\"\n" + ], + [ + 61, + " }\n" + ], + [ + 62, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 31, + 62 + ], + "resource": "aws_security_group.ssh_open", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngressAny", + "fixed_definition": null, + "entity_tags": { + "Name": "SSH Open Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_24", + 
"bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 65, + "resource \"aws_security_group\" \"database_exposed\" {\n" + ], + [ + 66, + " name = \"database-public\"\n" + ], + [ + 67, + " description = \"Database accessible from internet\"\n" + ], + [ + 68, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " ingress {\n" + ], + [ + 71, + " description = \"MySQL from anywhere\"\n" + ], + [ + 72, + " from_port = 3306\n" + ], + [ + 73, + " to_port = 3306\n" + ], + [ + 74, + " protocol = \"tcp\"\n" + ], + [ + 75, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 76, + " }\n" + ], + [ + 77, + "\n" + ], + [ + 78, + " ingress {\n" + ], + [ + 79, + " description = \"PostgreSQL from anywhere\"\n" + ], + [ + 80, + " from_port = 5432\n" + ], + [ + 81, + " to_port = 5432\n" + ], + [ + 82, + " protocol = \"tcp\"\n" + ], + [ + 83, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 84, + " }\n" + ], + [ + 85, + "\n" + ], + [ + 86, + " egress {\n" + ], + [ + 87, + " from_port = 0\n" + ], + [ + 88, + " to_port = 0\n" + ], + [ + 89, + " protocol = \"-1\"\n" + ], + [ + 90, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 65, + 92 + ], + "resource": "aws_security_group.database_exposed", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress22", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + 
"connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_260", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 65, + "resource \"aws_security_group\" \"database_exposed\" {\n" + ], + [ + 66, + " name = \"database-public\"\n" + ], + [ + 67, + " description = \"Database accessible from internet\"\n" + ], + [ + 68, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " ingress {\n" + ], + [ + 71, + " description = \"MySQL from anywhere\"\n" + ], + [ + 72, + " from_port = 3306\n" + ], + [ + 73, + " to_port = 3306\n" + ], + [ + 74, + " protocol = \"tcp\"\n" + ], + [ + 75, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 76, + " }\n" + ], + [ + 77, + "\n" + ], + [ + 78, + " ingress {\n" + ], + [ + 79, + " description = \"PostgreSQL from anywhere\"\n" + ], + [ + 80, + " from_port = 5432\n" + ], + [ + 81, + " to_port = 5432\n" + ], + [ + 82, + " protocol = \"tcp\"\n" + ], + [ + 83, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 84, + " }\n" + ], + [ + 85, + "\n" + ], + [ + 86, + " egress {\n" + ], + [ + 87, + " from_port = 0\n" + ], + [ + 88, + " to_port = 0\n" + ], + [ + 89, + " protocol = \"-1\"\n" + ], + [ + 90, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 65, + 92 + ], + "resource": "aws_security_group.database_exposed", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress80", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + 
"resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_25", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 65, + "resource \"aws_security_group\" \"database_exposed\" {\n" + ], + [ + 66, + " name = \"database-public\"\n" + ], + [ + 67, + " description = \"Database accessible from internet\"\n" + ], + [ + 68, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " ingress {\n" + ], + [ + 71, + " description = \"MySQL from anywhere\"\n" + ], + [ + 72, + " from_port = 3306\n" + ], + [ + 73, + " to_port = 3306\n" + ], + [ + 74, + " protocol = \"tcp\"\n" + ], + [ + 75, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 76, + " }\n" + ], + [ + 77, + "\n" + ], + [ + 78, + " ingress {\n" + ], + [ + 79, + " description = \"PostgreSQL from anywhere\"\n" + ], + [ + 80, + " from_port = 5432\n" + ], + [ + 81, + " to_port = 5432\n" + ], + [ + 82, + " protocol = \"tcp\"\n" + ], + [ + 83, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 84, + " }\n" + ], + [ + 85, + "\n" + ], + [ + 86, + " egress {\n" + ], + [ + 87, + " from_port = 0\n" + ], + [ + 88, + " to_port = 0\n" + ], + [ + 89, + " protocol = \"-1\"\n" + ], + [ + 90, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 65, + 92 + ], + "resource": "aws_security_group.database_exposed", + "evaluations": null, + "check_class": 
"checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress3389", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_277", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1", + "check_result": { + "result": "PASSED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 65, + "resource \"aws_security_group\" \"database_exposed\" {\n" + ], + [ + 66, + " name = \"database-public\"\n" + ], + [ + 67, + " description = \"Database accessible from internet\"\n" + ], + [ + 68, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " ingress {\n" + ], + [ + 71, + " description = \"MySQL from anywhere\"\n" + ], + [ + 72, + " from_port = 3306\n" + ], + [ + 73, + " to_port = 3306\n" + ], + [ + 74, + " protocol = \"tcp\"\n" + ], + [ + 75, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 76, + " }\n" + ], + [ + 77, + "\n" + ], + [ + 78, + " ingress {\n" + ], + [ + 79, + " description = \"PostgreSQL from anywhere\"\n" + ], + [ + 80, + " from_port = 5432\n" + ], + [ + 81, + " to_port = 5432\n" + ], + [ + 82, + " protocol = \"tcp\"\n" + ], + [ + 83, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 84, + " }\n" + ], + [ + 85, + "\n" + ], + [ + 86, + " egress {\n" + ], + [ + 87, + " from_port = 0\n" + ], + [ + 88, + " to_port = 0\n" + ], + [ + 89, + " protocol = \"-1\"\n" + ], + [ + 90, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", 
+ "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 65, + 92 + ], + "resource": "aws_security_group.database_exposed", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngressAny", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV2_AWS_56", + "bc_check_id": null, + "check_name": "Ensure AWS Managed IAMFullAccess IAM policy is not used.", + "check_result": { + "result": "PASSED", + "entity": { + "aws_iam_role": { + "app_role": { + "__end_line__": 37, + "__start_line__": 22, + "assume_role_policy": [ + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + } + } + ] + } + ], + "name": [ + "application-role" + ], + "__address__": "aws_iam_role.app_role" + } + } + }, + "evaluated_keys": [ + "name", + "arn", + "managed_policy_arn", + "policy_arn", + "managed_policy_arns/*" + ] + }, + "code_block": [ + [ + 22, + "resource \"aws_iam_role\" \"app_role\" {\n" + ], + [ + 23, + " name = \"application-role\"\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " assume_role_policy = jsonencode({\n" + ], + [ + 26, + " Version = \"2012-10-17\"\n" + ], + [ + 27, + " Statement = [\n" + ], + [ + 28, + " {\n" + ], + [ + 29, + " Action = \"sts:AssumeRole\"\n" + ], + [ + 30, + " Effect = \"Allow\"\n" + ], + [ + 31, + " Principal = {\n" + ], + [ + 32, + " Service = \"ec2.amazonaws.com\"\n" + ], + [ + 33, + " }\n" + ], + [ + 34, + " }\n" + ], + [ + 35, + " ]\n" + ], + [ + 36, + " })\n" + ], + [ + 37, + "}\n" + ] + ], + 
"file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 22, + 37 + ], + "resource": "aws_iam_role.app_role", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV2_AWS_22", + "bc_check_id": null, + "check_name": "Ensure an IAM User does not have access to the console", + "check_result": { + "result": "PASSED", + "entity": { + "aws_iam_user": { + "service_account": { + "__end_line__": 65, + "__start_line__": 58, + "name": [ + "service-account" + ], + "path": [ + "/system/" + ], + "tags": [ + { + "Name": "Service Account" + } + ], + "__address__": "aws_iam_user.service_account" + } + } + }, + "evaluated_keys": [ + "resource_type" + ] + }, + "code_block": [ + [ + 58, + "resource \"aws_iam_user\" \"service_account\" {\n" + ], + [ + 59, + " name = \"service-account\"\n" + ], + [ + 60, + " path = \"/system/\"\n" + ], + [ + 61, + "\n" + ], + [ + 62, + " tags = {\n" + ], + [ + 63, + " Name = \"Service Account\"\n" + ], + [ + 64, + " }\n" + ], + [ + 65, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 58, + 65 + ], + "resource": "aws_iam_user.service_account", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Service Account" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + 
"benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_20", + "bc_check_id": null, + "check_name": "S3 Bucket has an ACL defined which allows public READ access.", + "check_result": { + "result": "PASSED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "access_control_policy", + "access_control_policy/grant/*/grantee/uri", + "acl", + "access_control_policy/grant" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + 
"check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_5", + "bc_check_id": null, + "check_name": "Ensure that Security Groups are attached to another resource", + "check_result": { + "result": "PASSED", + "entity": { + "aws_security_group": { + "database_exposed": { + "__end_line__": 92, + "__start_line__": 65, + "description": [ + "Database accessible from internet" + ], + "egress": [ + { + "cidr_blocks": [ + [ + "0.0.0.0/0" + ] + ], + "from_port": [ + 0 + ], + "protocol": [ + "-1" + ], + "to_port": [ + 0 + ] + } + ], + "ingress": [ + { + "cidr_blocks": [ + [ + "0.0.0.0/0" + ] + ], + "description": [ + "MySQL from anywhere" + ], + "from_port": [ + 3306 + ], + "protocol": [ + "tcp" + ], + "to_port": [ + 3306 + ] + }, + { + "cidr_blocks": [ + [ + "0.0.0.0/0" + ] + ], + "description": [ + "PostgreSQL from anywhere" + ], + "from_port": [ + 5432 + ], + "protocol": [ + "tcp" + ], + "to_port": [ + 5432 + ] + } + ], + "name": [ + "database-public" + ], + "vpc_id": [ + "vpc-12345678" + ], + "__address__": "aws_security_group.database_exposed" + } + } + }, + "evaluated_keys": [ + "resource_type", + "networking" + ] + }, + "code_block": [ + [ + 65, + "resource \"aws_security_group\" \"database_exposed\" {\n" + ], + [ + 66, + " name = \"database-public\"\n" + ], + [ + 67, + " description = \"Database accessible from internet\"\n" + ], + [ + 68, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " ingress {\n" + ], + [ + 71, + " description = \"MySQL from anywhere\"\n" + ], + [ + 72, + " from_port = 3306\n" + ], + [ + 73, + " to_port = 3306\n" + ], + [ + 74, + " protocol = \"tcp\"\n" + ], + [ + 75, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 76, + " }\n" + ], + [ + 77, + "\n" + ], + [ + 78, + " ingress {\n" + ], + [ + 79, + " description = \"PostgreSQL from anywhere\"\n" + ], + [ + 80, + " from_port = 5432\n" + ], + [ + 81, + " to_port = 5432\n" + ], + [ + 82, + " protocol = \"tcp\"\n" + 
], + [ + 83, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 84, + " }\n" + ], + [ + 85, + "\n" + ], + [ + 86, + " egress {\n" + ], + [ + 87, + " from_port = 0\n" + ], + [ + 88, + " to_port = 0\n" + ], + [ + 89, + " protocol = \"-1\"\n" + ], + [ + 90, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 65, + 92 + ], + "resource": "aws_security_group.database_exposed", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": { + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " 
enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "entity_tags": { + "Name": "Unencrypted Database" + }, + "evaluations": null, + "file_abs_path": "/tf/database.tf", + "resource_address": null + }, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV2_AWS_16", + "bc_check_id": null, + "check_name": "Ensure that Auto Scaling is enabled on your DynamoDB tables", + "check_result": { + "result": "PASSED", + "entity": { + "aws_dynamodb_table": { + "unencrypted_table": { + "__end_line__": 92, + "__start_line__": 72, + "attribute": [ + { + "name": [ + "id" + ], + "type": [ + "S" + ] + } + ], + "billing_mode": [ + "PAY_PER_REQUEST" + ], + "hash_key": [ + "id" + ], + "name": [ + "my-table" + ], + "point_in_time_recovery": [ + { + "enabled": [ + false + ] + } + ], + "tags": [ + { + "Name": "Unencrypted DynamoDB Table" + } + ], + "__address__": "aws_dynamodb_table.unencrypted_table" + } + } + }, + "evaluated_keys": [ + "resource_type", + "service_namespace", + "billing_mode" + ] + }, + "code_block": [ + [ + 72, + "resource \"aws_dynamodb_table\" \"unencrypted_table\" {\n" + ], + [ + 73, + " name = \"my-table\"\n" + ], + [ + 74, + " billing_mode = \"PAY_PER_REQUEST\"\n" + ], + [ + 75, + " hash_key = \"id\"\n" + ], + [ + 76, + "\n" + ], + [ + 77, + " attribute {\n" + ], + [ 
+ 78, + " name = \"id\"\n" + ], + [ + 79, + " type = \"S\"\n" + ], + [ + 80, + " }\n" + ], + [ + 81, + "\n" + ], + [ + 82, + " # No server_side_encryption configuration!\n" + ], + [ + 83, + " \n" + ], + [ + 84, + " # No point-in-time recovery\n" + ], + [ + 85, + " point_in_time_recovery {\n" + ], + [ + 86, + " enabled = false # SECURITY ISSUE #17\n" + ], + [ + 87, + " }\n" + ], + [ + 88, + "\n" + ], + [ + 89, + " tags = {\n" + ], + [ + 90, + " Name = \"Unencrypted DynamoDB Table\"\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 72, + 92 + ], + "resource": "aws_dynamodb_table.unencrypted_table", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted DynamoDB Table" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_57", + "bc_check_id": null, + "check_name": "S3 Bucket has an ACL defined which allows public WRITE access.", + "check_result": { + "result": "PASSED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "access_control_policy", + "access_control_policy/grant/*/grantee/uri", + "access_control_policy/grant/*/permission", + "acl", + 
"access_control_policy/grant" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_57", + "bc_check_id": null, + "check_name": "S3 Bucket has an ACL defined which allows public WRITE access.", + "check_result": { + "result": "PASSED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "access_control_policy", + "access_control_policy/grant/*/grantee/uri", + "access_control_policy/grant/*/permission", + "acl", + "access_control_policy/grant" + ] + }, + "code_block": [ + [ + 24, + "resource 
\"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_69", + "bc_check_id": null, + "check_name": "Ensure AWS RDS database instance configured with encryption in transit", + "check_result": { + "result": "PASSED", + "entity": { + "aws_db_instance": { + "unencrypted_db": { + "__end_line__": 37, + "__start_line__": 5, + "allocated_storage": [ + 20 + ], + "backup_retention_period": [ + 0 + ], + "deletion_protection": [ + false + ], + "enabled_cloudwatch_logs_exports": [ + [] + ], + "engine": [ + "postgres" + ], + "engine_version": [ + "13.7" + ], + "identifier": [ + "mydb-unencrypted" + ], + "instance_class": [ + "db.t3.micro" + ], + "password": [ + "SuperSecretPassword123!" 
+ ], + "publicly_accessible": [ + true + ], + "skip_final_snapshot": [ + true + ], + "storage_encrypted": [ + false + ], + "tags": [ + { + "Name": "Unencrypted Database" + } + ], + "username": [ + "admin" + ], + "vpc_security_group_ids": [ + [ + "aws_security_group.database_exposed.id" + ] + ], + "__address__": "aws_db_instance.unencrypted_db" + } + } + }, + "evaluated_keys": [ + "parameter[?(@/name=='db2comm')]/value", + "resource_type", + "parameter[?(@/name=='rds/force_ssl')]/value", + "family", + "parameter[?(@/name=='require_secure_transport')]/value" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " 
Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV2_AWS_69", + "bc_check_id": null, + "check_name": "Ensure AWS RDS database instance configured with encryption in transit", + "check_result": { + "result": "PASSED", + "entity": { + "aws_db_instance": { + "weak_db": { + "__end_line__": 69, + "__start_line__": 40, + "allocated_storage": [ + 20 + ], + "auto_minor_version_upgrade": [ + false + ], + "engine": [ + "mysql" + ], + "engine_version": [ + "5.7.38" + ], + "identifier": [ + "mydb-weak" + ], + "instance_class": [ + "db.t3.micro" + ], + "kms_key_id": [ + "" + ], + "multi_az": [ + false + ], + "password": [ + "password123" + ], + "performance_insights_enabled": [ + false + ], + "publicly_accessible": [ + false + ], + "skip_final_snapshot": [ + true + ], + "storage_encrypted": [ + true + ], + "tags": [ + { + "Name": "Weak Database" + } + ], + "username": [ + "root" + ], + "__address__": "aws_db_instance.weak_db" + } + } + }, + "evaluated_keys": [ + "parameter[?(@/name=='db2comm')]/value", + "resource_type", + "parameter[?(@/name=='rds/force_ssl')]/value", + "family", + "parameter[?(@/name=='require_secure_transport')]/value" 
+ ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + 
"vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_19", + "bc_check_id": null, + "check_name": "Ensure all data stored in the S3 bucket is securely encrypted at rest", + "check_result": { + "result": "PASSED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "server_side_encryption_configuration/rule/apply_server_side_encryption_by_default/sse_algorithm", + "rule/apply_server_side_encryption_by_default/sse_algorithm" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], 
+ "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_19", + "bc_check_id": null, + "check_name": "Ensure all data stored in the S3 bucket is securely encrypted at rest", + "check_result": { + "result": "PASSED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "server_side_encryption_configuration/rule/apply_server_side_encryption_by_default/sse_algorithm", + "rule/apply_server_side_encryption_by_default/sse_algorithm" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_40", + 
"bc_check_id": null, + "check_name": "Ensure AWS IAM policy does not allow full IAM privileges", + "check_result": { + "result": "PASSED", + "entity": { + "aws_iam_role_policy": { + "s3_full_access": { + "__end_line__": 55, + "__start_line__": 39, + "name": [ + "s3-full-access" + ], + "policy": [ + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": "*" + } + ] + } + ], + "role": [ + "aws_iam_role.app_role.id" + ], + "__address__": "aws_iam_role_policy.s3_full_access" + } + } + }, + "evaluated_keys": [ + "inline_policy/Statement[?(@/Effect == Allow)]/Action[*]", + "policy/Statement[?(@/Effect == Allow)]/Action[*]", + "statement[?(@/effect == Allow)]/actions[*]" + ] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy = jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + ], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], + [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + 
"guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV2_AWS_40", + "bc_check_id": null, + "check_name": "Ensure AWS IAM policy does not allow full IAM privileges", + "check_result": { + "result": "PASSED", + "entity": { + "aws_iam_user_policy": { + "service_policy": { + "__end_line__": 85, + "__start_line__": 67, + "name": [ + "service-inline-policy" + ], + "policy": [ + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:*", + "s3:*", + "rds:*" + ], + "Resource": "*" + } + ] + } + ], + "user": [ + "service-account" + ], + "__address__": "aws_iam_user_policy.service_policy" + } + } + }, + "evaluated_keys": [ + "inline_policy/Statement[?(@/Effect == Allow)]/Action[*]", + "policy/Statement[?(@/Effect == Allow)]/Action[*]", + "statement[?(@/effect == Allow)]/actions[*]" + ] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV2_AWS_40", + "bc_check_id": null, + "check_name": "Ensure AWS IAM policy does not allow full IAM privileges", + "check_result": { + "result": "PASSED", + "entity": { + "aws_iam_policy": { + "privilege_escalation": { + "__end_line__": 125, + "__start_line__": 104, + "description": [ + "Policy that allows privilege escalation" + ], + "name": [ + "potential-privilege-escalation" + ], + "policy": [ + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:CreatePolicy", + "iam:CreateUser", + "iam:AttachUserPolicy", + "iam:AttachRolePolicy", + "iam:PutUserPolicy", + "iam:PutRolePolicy" + ], + "Resource": "*" + } + ] + } + ], + "__address__": "aws_iam_policy.privilege_escalation" + } + } + }, + "evaluated_keys": [ + "inline_policy/Statement[?(@/Effect == Allow)]/Action[*]", + "policy/Statement[?(@/Effect == Allow)]/Action[*]", + "statement[?(@/effect == Allow)]/actions[*]" + ] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 114, + " 
\"iam:CreatePolicy\",\n" + ], + [ + 115, + " \"iam:CreateUser\",\n" + ], + [ + 116, + " \"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + " Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + "resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + } + ], + "failed_checks": [ + { + "check_id": "CKV_AWS_161", + "bc_check_id": null, + "check_name": "Ensure RDS database has IAM authentication enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "iam_database_authentication_enabled" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " 
\n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSIAMAuthentication", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_293", + "bc_check_id": null, + "check_name": "Ensure that AWS database instances have deletion protection enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "deletion_protection" + ] + }, + "code_block": [ + [ + 5, + "resource 
\"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSInstanceDeletionProtection", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": 
null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_133", + "bc_check_id": null, + "check_name": "Ensure that RDS instances has backup policy", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "backup_retention_period" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # 
Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.DBInstanceBackupRetentionPeriod", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_157", + "bc_check_id": null, + "check_name": "Ensure that RDS instances have Multi-AZ enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "multi_az" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, 
+ " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSMultiAZEnabled", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_129", + "bc_check_id": null, + "check_name": "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "enabled_cloudwatch_logs_exports/[0]" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 
11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.DBInstanceLogging", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": 
"CKV_AWS_226", + "bc_check_id": null, + "check_name": "Ensure DB instance gets all minor upgrades automatically", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "auto_minor_version_upgrade" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + 
"check_class": "checkov.terraform.checks.resource.aws.DBInstanceMinorUpgrade", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_16", + "bc_check_id": null, + "check_name": "Ensure all data stored in the RDS is securely encrypted at rest", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "storage_encrypted" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 
30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSEncryption", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_353", + "bc_check_id": null, + "check_name": "Ensure that RDS instances have performance insights enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "performance_insights_enabled" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY 
ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSInstancePerformanceInsights", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_17", + "bc_check_id": null, + "check_name": "Ensure all data stored in RDS is not publicly accessible", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "publicly_accessible" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " 
identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSPubliclyAccessible", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + 
"description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_118", + "bc_check_id": null, + "check_name": "Ensure that enhanced monitoring is enabled for Amazon RDS instances", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "monitoring_interval" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], 
+ [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSEnhancedMonitorEnabled", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_161", + "bc_check_id": null, + "check_name": "Ensure RDS database has IAM authentication enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "iam_database_authentication_enabled" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade 
disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSIAMAuthentication", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_293", + "bc_check_id": null, + "check_name": "Ensure that AWS database instances have deletion protection enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "deletion_protection" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " 
storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSInstanceDeletionProtection", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_157", + "bc_check_id": null, + "check_name": "Ensure that RDS instances have Multi-AZ enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "multi_az" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " 
engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSMultiAZEnabled", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_129", 
+ "bc_check_id": null, + "check_name": "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "enabled_cloudwatch_logs_exports/[0]" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.DBInstanceLogging", + "fixed_definition": null, + "entity_tags": { + "Name": 
"Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_226", + "bc_check_id": null, + "check_name": "Ensure DB instance gets all minor upgrades automatically", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "auto_minor_version_upgrade" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 
68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.DBInstanceMinorUpgrade", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_118", + "bc_check_id": null, + "check_name": "Ensure that enhanced monitoring is enabled for Amazon RDS instances", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "monitoring_interval" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade 
disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = \"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.RDSEnhancedMonitorEnabled", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_119", + "bc_check_id": null, + "check_name": "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "server_side_encryption/[0]/enabled", + "server_side_encryption/[0]/kms_key_arn" + ] + }, + "code_block": [ + [ + 72, + "resource \"aws_dynamodb_table\" \"unencrypted_table\" {\n" + ], + [ + 73, + " name = \"my-table\"\n" + ], + [ + 74, + " billing_mode = \"PAY_PER_REQUEST\"\n" + ], + [ + 75, + " hash_key = \"id\"\n" + ], + [ + 76, + "\n" + ], + [ + 77, + " attribute {\n" + ], + [ + 78, + " name = \"id\"\n" + ], + [ + 79, + " type = \"S\"\n" + ], + [ + 80, + " }\n" + ], + [ + 81, + "\n" + ], + [ + 82, + " # No server_side_encryption configuration!\n" + ], + [ + 83, + " \n" + ], + 
[ + 84, + " # No point-in-time recovery\n" + ], + [ + 85, + " point_in_time_recovery {\n" + ], + [ + 86, + " enabled = false # SECURITY ISSUE #17\n" + ], + [ + 87, + " }\n" + ], + [ + 88, + "\n" + ], + [ + 89, + " tags = {\n" + ], + [ + 90, + " Name = \"Unencrypted DynamoDB Table\"\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 72, + 92 + ], + "resource": "aws_dynamodb_table.unencrypted_table", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.DynamoDBTablesEncrypted", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted DynamoDB Table" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_28", + "bc_check_id": null, + "check_name": "Ensure DynamoDB point in time recovery (backup) is enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "point_in_time_recovery/[0]/enabled" + ] + }, + "code_block": [ + [ + 72, + "resource \"aws_dynamodb_table\" \"unencrypted_table\" {\n" + ], + [ + 73, + " name = \"my-table\"\n" + ], + [ + 74, + " billing_mode = \"PAY_PER_REQUEST\"\n" + ], + [ + 75, + " hash_key = \"id\"\n" + ], + [ + 76, + "\n" + ], + [ + 77, + " attribute {\n" + ], + [ + 78, + " name = \"id\"\n" + ], + [ + 79, + " type = \"S\"\n" + ], + [ + 80, + " }\n" + ], + [ + 81, + "\n" + ], + [ + 82, + " # No server_side_encryption configuration!\n" + ], + [ + 83, + " \n" + ], + [ + 84, + " # No point-in-time recovery\n" + ], + [ + 85, + " point_in_time_recovery {\n" + ], + [ + 86, + " enabled = false # SECURITY 
ISSUE #17\n" + ], + [ + 87, + " }\n" + ], + [ + 88, + "\n" + ], + [ + 89, + " tags = {\n" + ], + [ + 90, + " Name = \"Unencrypted DynamoDB Table\"\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 72, + 92 + ], + "resource": "aws_dynamodb_table.unencrypted_table", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.DynamodbRecovery", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted DynamoDB Table" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_63", + "bc_check_id": null, + "check_name": "Ensure no IAM policies documents allow \"*\" as a statement's actions", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy", + "inline_policy" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = \"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = \"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], 
+ "resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMStarActionPolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_290", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow write access without constraints", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = \"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = \"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], + "resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMWriteAccess", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": 
null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_288", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow data exfiltration", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = \"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = \"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], + "resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMDataExfiltration", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_286", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow privilege escalation", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + 
"code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = \"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = \"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], + "resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPrivilegeEscalation", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_287", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow credentials exposure", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = \"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = 
\"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], + "resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMCredentialsExposure", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_355", + "bc_check_id": null, + "check_name": "Ensure no IAM policies documents allow \"*\" as a statement's resource for restrictable actions", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = \"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = \"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], + 
"resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMStarResourcePolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_289", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow permissions management / resource exposure without constraints", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = \"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = \"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], + "resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPermissionsManagement", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + 
"description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_62", + "bc_check_id": null, + "check_name": "Ensure IAM policies that allow full \"*-*\" administrative privileges are not created", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy", + "inline_policy" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = \"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = \"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], + "resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMAdminPolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_290", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow write access without constraints", + "check_result": { + 
"result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy = jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + ], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], + [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMWriteAccess", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_288", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow data exfiltration", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy = jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + 
], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], + [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMDataExfiltration", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_355", + "bc_check_id": null, + "check_name": "Ensure no IAM policies documents allow \"*\" as a statement's resource for restrictable actions", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy = jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + ], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], 
+ [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMStarResourcePolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_289", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow permissions management / resource exposure without constraints", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 39, + "resource \"aws_iam_role_policy\" \"s3_full_access\" {\n" + ], + [ + 40, + " name = \"s3-full-access\"\n" + ], + [ + 41, + " role = aws_iam_role.app_role.id\n" + ], + [ + 42, + "\n" + ], + [ + 43, + " policy = jsonencode({\n" + ], + [ + 44, + " Version = \"2012-10-17\"\n" + ], + [ + 45, + " Statement = [\n" + ], + [ + 46, + " {\n" + ], + [ + 47, + " Effect = \"Allow\"\n" + ], + [ + 48, + " Action = [\n" + ], + [ + 49, + " \"s3:*\" # All S3 actions!\n" + ], + [ + 50, + " ]\n" + ], + [ + 51, + " Resource = \"*\" # On all buckets!\n" + ], + [ + 52, + " }\n" + ], + [ + 53, + " ]\n" + ], + [ + 54, + " })\n" + ], + [ + 55, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 39, + 55 + ], + "resource": "aws_iam_role_policy.s3_full_access", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPermissionsManagement", + 
"fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_273", + "bc_check_id": null, + "check_name": "Ensure access is controlled through SSO and not AWS IAM defined users", + "check_result": { + "result": "FAILED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 58, + "resource \"aws_iam_user\" \"service_account\" {\n" + ], + [ + 59, + " name = \"service-account\"\n" + ], + [ + 60, + " path = \"/system/\"\n" + ], + [ + 61, + "\n" + ], + [ + 62, + " tags = {\n" + ], + [ + 63, + " Name = \"Service Account\"\n" + ], + [ + 64, + " }\n" + ], + [ + 65, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 58, + 65 + ], + "resource": "aws_iam_user.service_account", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMUserNotUsedForAccess", + "fixed_definition": null, + "entity_tags": { + "Name": "Service Account" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_290", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow write access without constraints", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 67, + "resource 
\"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMWriteAccess", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_288", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow data exfiltration", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " 
user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMDataExfiltration", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_287", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow credentials exposure", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + 
[ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMCredentialsExposure", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_355", + "bc_check_id": null, + "check_name": "Ensure no IAM policies documents allow \"*\" as a statement's resource for restrictable actions", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = 
[\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMStarResourcePolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_289", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow permissions management / resource exposure without constraints", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " Effect = 
\"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPermissionsManagement", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_40", + "bc_check_id": null, + "check_name": "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "user" + ] + }, + "code_block": [ + [ + 67, + "resource \"aws_iam_user_policy\" \"service_policy\" {\n" + ], + [ + 68, + " name = \"service-inline-policy\"\n" + ], + [ + 69, + " user = aws_iam_user.service_account.name\n" + ], + [ + 70, + "\n" + ], + [ + 71, + " policy = jsonencode({\n" + ], + [ + 72, + " Version = \"2012-10-17\"\n" + ], + [ + 73, + " Statement = [\n" + ], + [ + 74, + " {\n" + ], + [ + 75, + " 
Effect = \"Allow\"\n" + ], + [ + 76, + " Action = [\n" + ], + [ + 77, + " \"ec2:*\", # Full EC2 access\n" + ], + [ + 78, + " \"s3:*\", # Full S3 access\n" + ], + [ + 79, + " \"rds:*\" # Full RDS access\n" + ], + [ + 80, + " ]\n" + ], + [ + 81, + " Resource = \"*\"\n" + ], + [ + 82, + " }\n" + ], + [ + 83, + " ]\n" + ], + [ + 84, + " })\n" + ], + [ + 85, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 67, + 85 + ], + "resource": "aws_iam_user_policy.service_policy", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPolicyAttachedToGroupOrRoles", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf", + "breadcrumbs": { + "user": [ + { + "type": "resource", + "name": "aws_iam_user.service_account", + "path": "/tf/iam.tf", + "module_connection": false + } + ] + } + }, + { + "check_id": "CKV_AWS_286", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow privilege escalation", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 
114, + " \"iam:CreatePolicy\",\n" + ], + [ + 115, + " \"iam:CreateUser\",\n" + ], + [ + 116, + " \"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + " Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + "resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPrivilegeEscalation", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_355", + "bc_check_id": null, + "check_name": "Ensure no IAM policies documents allow \"*\" as a statement's resource for restrictable actions", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 114, + " \"iam:CreatePolicy\",\n" + ], + [ + 115, + " 
\"iam:CreateUser\",\n" + ], + [ + 116, + " \"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + " Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + "resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMStarResourcePolicyDocument", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_289", + "bc_check_id": null, + "check_name": "Ensure IAM policies does not allow permissions management / resource exposure without constraints", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "policy/Statement/[0]/Action" + ] + }, + "code_block": [ + [ + 104, + "resource \"aws_iam_policy\" \"privilege_escalation\" {\n" + ], + [ + 105, + " name = \"potential-privilege-escalation\"\n" + ], + [ + 106, + " description = \"Policy that allows privilege escalation\"\n" + ], + [ + 107, + "\n" + ], + [ + 108, + " policy = jsonencode({\n" + ], + [ + 109, + " Version = \"2012-10-17\"\n" + ], + [ + 110, + " Statement = [\n" + ], + [ + 111, + " {\n" + ], + [ + 112, + " Effect = \"Allow\"\n" + ], + [ + 113, + " Action = [\n" + ], + [ + 114, + " \"iam:CreatePolicy\",\n" + ], + [ + 115, + " \"iam:CreateUser\",\n" + ], + [ + 116, + " 
\"iam:AttachUserPolicy\",\n" + ], + [ + 117, + " \"iam:AttachRolePolicy\",\n" + ], + [ + 118, + " \"iam:PutUserPolicy\",\n" + ], + [ + 119, + " \"iam:PutRolePolicy\"\n" + ], + [ + 120, + " ]\n" + ], + [ + 121, + " Resource = \"*\"\n" + ], + [ + 122, + " }\n" + ], + [ + 123, + " ]\n" + ], + [ + 124, + " })\n" + ], + [ + 125, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 104, + 125 + ], + "resource": "aws_iam_policy.privilege_escalation", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.IAMPermissionsManagement", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + }, + { + "check_id": "CKV_AWS_41", + "bc_check_id": null, + "check_name": "Ensure no hard coded AWS access key and secret key exists in provider", + "check_result": { + "result": "FAILED", + "evaluated_keys": [] + }, + "code_block": [ + [ + 5, + "provider \"aws\" {\n" + ], + [ + 6, + " region = \"us-east-1\"\n" + ], + [ + 7, + " # Hardcoded credentials - SECURITY ISSUE #1\n" + ], + [ + 8, + " access_key = \"AKIAI**********\"\n" + ], + [ + 9, + " secret_key = \"wJalrX**********\"\n" + ], + [ + 10, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 5, + 10 + ], + "resource": "aws.default", + "evaluations": null, + "check_class": "checkov.terraform.checks.provider.aws.credentials", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + 
"bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_56", + "bc_check_id": null, + "check_name": "Ensure S3 bucket has 'restrict_public_buckets' enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "restrict_public_buckets" + ] + }, + "code_block": [ + [ + 36, + "resource \"aws_s3_bucket_public_access_block\" \"bad_config\" {\n" + ], + [ + 37, + " bucket = aws_s3_bucket.public_data.id\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " block_public_acls = false # Should be true\n" + ], + [ + 40, + " block_public_policy = false # Should be true\n" + ], + [ + 41, + " ignore_public_acls = false # Should be true\n" + ], + [ + 42, + " restrict_public_buckets = false # Should be true\n" + ], + [ + 43, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 36, + 43 + ], + "resource": "aws_s3_bucket_public_access_block.bad_config", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.S3RestrictPublicBuckets", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_54", + "bc_check_id": null, + "check_name": "Ensure S3 bucket has block public policy enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "block_public_policy" + ] + }, + "code_block": [ + [ + 36, + "resource 
\"aws_s3_bucket_public_access_block\" \"bad_config\" {\n" + ], + [ + 37, + " bucket = aws_s3_bucket.public_data.id\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " block_public_acls = false # Should be true\n" + ], + [ + 40, + " block_public_policy = false # Should be true\n" + ], + [ + 41, + " ignore_public_acls = false # Should be true\n" + ], + [ + 42, + " restrict_public_buckets = false # Should be true\n" + ], + [ + 43, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 36, + 43 + ], + "resource": "aws_s3_bucket_public_access_block.bad_config", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.S3BlockPublicPolicy", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_53", + "bc_check_id": null, + "check_name": "Ensure S3 bucket has block public ACLS enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "block_public_acls" + ] + }, + "code_block": [ + [ + 36, + "resource \"aws_s3_bucket_public_access_block\" \"bad_config\" {\n" + ], + [ + 37, + " bucket = aws_s3_bucket.public_data.id\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " block_public_acls = false # Should be true\n" + ], + [ + 40, + " block_public_policy = false # Should be true\n" + ], + [ + 41, + " ignore_public_acls = false # Should be true\n" + ], + [ + 42, + " restrict_public_buckets = false # Should be true\n" + ], + [ + 43, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 36, + 43 + ], + 
"resource": "aws_s3_bucket_public_access_block.bad_config", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.S3BlockPublicACLs", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_55", + "bc_check_id": null, + "check_name": "Ensure S3 bucket has ignore public ACLs enabled", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "ignore_public_acls" + ] + }, + "code_block": [ + [ + 36, + "resource \"aws_s3_bucket_public_access_block\" \"bad_config\" {\n" + ], + [ + 37, + " bucket = aws_s3_bucket.public_data.id\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " block_public_acls = false # Should be true\n" + ], + [ + 40, + " block_public_policy = false # Should be true\n" + ], + [ + 41, + " ignore_public_acls = false # Should be true\n" + ], + [ + 42, + " restrict_public_buckets = false # Should be true\n" + ], + [ + 43, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 36, + 43 + ], + "resource": "aws_s3_bucket_public_access_block.bad_config", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.S3IgnorePublicACLs", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": 
"/tf/main.tf" + }, + { + "check_id": "CKV_AWS_24", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "ingress/[0]/from_port", + "ingress/[0]/to_port", + "ingress/[0]/cidr_blocks", + "ingress/[0]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_security_group\" \"allow_all\" {\n" + ], + [ + 6, + " name = \"allow-all-traffic\"\n" + ], + [ + 7, + " description = \"Allow all inbound traffic from anywhere\"\n" + ], + [ + 8, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + " ingress {\n" + ], + [ + 11, + " description = \"Allow all traffic\"\n" + ], + [ + 12, + " from_port = 0\n" + ], + [ + 13, + " to_port = 65535\n" + ], + [ + 14, + " protocol = \"-1\" # All protocols\n" + ], + [ + 15, + " cidr_blocks = [\"0.0.0.0/0\"] # From anywhere!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + "\n" + ], + [ + 18, + " egress {\n" + ], + [ + 19, + " from_port = 0\n" + ], + [ + 20, + " to_port = 0\n" + ], + [ + 21, + " protocol = \"-1\"\n" + ], + [ + 22, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 23, + " }\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " tags = {\n" + ], + [ + 26, + " Name = \"Allow All Security Group\"\n" + ], + [ + 27, + " }\n" + ], + [ + 28, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 5, + 28 + ], + "resource": "aws_security_group.allow_all", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress22", + "fixed_definition": null, + "entity_tags": { + "Name": "Allow All Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, 
+ "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_23", + "bc_check_id": null, + "check_name": "Ensure every security group and rule has a description", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "description", + "egress/[0]" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_security_group\" \"allow_all\" {\n" + ], + [ + 6, + " name = \"allow-all-traffic\"\n" + ], + [ + 7, + " description = \"Allow all inbound traffic from anywhere\"\n" + ], + [ + 8, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + " ingress {\n" + ], + [ + 11, + " description = \"Allow all traffic\"\n" + ], + [ + 12, + " from_port = 0\n" + ], + [ + 13, + " to_port = 65535\n" + ], + [ + 14, + " protocol = \"-1\" # All protocols\n" + ], + [ + 15, + " cidr_blocks = [\"0.0.0.0/0\"] # From anywhere!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + "\n" + ], + [ + 18, + " egress {\n" + ], + [ + 19, + " from_port = 0\n" + ], + [ + 20, + " to_port = 0\n" + ], + [ + 21, + " protocol = \"-1\"\n" + ], + [ + 22, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 23, + " }\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " tags = {\n" + ], + [ + 26, + " Name = \"Allow All Security Group\"\n" + ], + [ + 27, + " }\n" + ], + [ + 28, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 5, + 28 + ], + "resource": "aws_security_group.allow_all", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupRuleDescription", + "fixed_definition": null, + "entity_tags": { + "Name": "Allow All Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + 
"vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_260", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "ingress/[0]/from_port", + "ingress/[0]/to_port", + "ingress/[0]/cidr_blocks", + "ingress/[0]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_security_group\" \"allow_all\" {\n" + ], + [ + 6, + " name = \"allow-all-traffic\"\n" + ], + [ + 7, + " description = \"Allow all inbound traffic from anywhere\"\n" + ], + [ + 8, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + " ingress {\n" + ], + [ + 11, + " description = \"Allow all traffic\"\n" + ], + [ + 12, + " from_port = 0\n" + ], + [ + 13, + " to_port = 65535\n" + ], + [ + 14, + " protocol = \"-1\" # All protocols\n" + ], + [ + 15, + " cidr_blocks = [\"0.0.0.0/0\"] # From anywhere!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + "\n" + ], + [ + 18, + " egress {\n" + ], + [ + 19, + " from_port = 0\n" + ], + [ + 20, + " to_port = 0\n" + ], + [ + 21, + " protocol = \"-1\"\n" + ], + [ + 22, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 23, + " }\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " tags = {\n" + ], + [ + 26, + " Name = \"Allow All Security Group\"\n" + ], + [ + 27, + " }\n" + ], + [ + 28, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 5, + 28 + ], + "resource": "aws_security_group.allow_all", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress80", + "fixed_definition": null, + "entity_tags": { + "Name": "Allow All Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + 
"resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_25", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "ingress/[0]/from_port", + "ingress/[0]/to_port", + "ingress/[0]/cidr_blocks", + "ingress/[0]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_security_group\" \"allow_all\" {\n" + ], + [ + 6, + " name = \"allow-all-traffic\"\n" + ], + [ + 7, + " description = \"Allow all inbound traffic from anywhere\"\n" + ], + [ + 8, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + " ingress {\n" + ], + [ + 11, + " description = \"Allow all traffic\"\n" + ], + [ + 12, + " from_port = 0\n" + ], + [ + 13, + " to_port = 65535\n" + ], + [ + 14, + " protocol = \"-1\" # All protocols\n" + ], + [ + 15, + " cidr_blocks = [\"0.0.0.0/0\"] # From anywhere!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + "\n" + ], + [ + 18, + " egress {\n" + ], + [ + 19, + " from_port = 0\n" + ], + [ + 20, + " to_port = 0\n" + ], + [ + 21, + " protocol = \"-1\"\n" + ], + [ + 22, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 23, + " }\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " tags = {\n" + ], + [ + 26, + " Name = \"Allow All Security Group\"\n" + ], + [ + 27, + " }\n" + ], + [ + 28, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 5, + 28 + ], + "resource": "aws_security_group.allow_all", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress3389", + 
"fixed_definition": null, + "entity_tags": { + "Name": "Allow All Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_277", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "ingress/[0]/from_port", + "ingress/[0]/to_port", + "ingress/[0]/cidr_blocks", + "ingress/[0]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_security_group\" \"allow_all\" {\n" + ], + [ + 6, + " name = \"allow-all-traffic\"\n" + ], + [ + 7, + " description = \"Allow all inbound traffic from anywhere\"\n" + ], + [ + 8, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + " ingress {\n" + ], + [ + 11, + " description = \"Allow all traffic\"\n" + ], + [ + 12, + " from_port = 0\n" + ], + [ + 13, + " to_port = 65535\n" + ], + [ + 14, + " protocol = \"-1\" # All protocols\n" + ], + [ + 15, + " cidr_blocks = [\"0.0.0.0/0\"] # From anywhere!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + "\n" + ], + [ + 18, + " egress {\n" + ], + [ + 19, + " from_port = 0\n" + ], + [ + 20, + " to_port = 0\n" + ], + [ + 21, + " protocol = \"-1\"\n" + ], + [ + 22, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 23, + " }\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " tags = {\n" + ], + [ + 26, + " Name = \"Allow All Security Group\"\n" + ], + [ + 27, + " }\n" + ], + [ + 28, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 5, + 28 + ], + "resource": 
"aws_security_group.allow_all", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngressAny", + "fixed_definition": null, + "entity_tags": { + "Name": "Allow All Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_382", + "bc_check_id": null, + "check_name": "Ensure no security groups allow egress from 0.0.0.0:0 to port -1", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "egress/[0]/from_port", + "egress/[0]/to_port", + "egress/[0]/cidr_blocks", + "egress/[0]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_security_group\" \"allow_all\" {\n" + ], + [ + 6, + " name = \"allow-all-traffic\"\n" + ], + [ + 7, + " description = \"Allow all inbound traffic from anywhere\"\n" + ], + [ + 8, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 9, + "\n" + ], + [ + 10, + " ingress {\n" + ], + [ + 11, + " description = \"Allow all traffic\"\n" + ], + [ + 12, + " from_port = 0\n" + ], + [ + 13, + " to_port = 65535\n" + ], + [ + 14, + " protocol = \"-1\" # All protocols\n" + ], + [ + 15, + " cidr_blocks = [\"0.0.0.0/0\"] # From anywhere!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + "\n" + ], + [ + 18, + " egress {\n" + ], + [ + 19, + " from_port = 0\n" + ], + [ + 20, + " to_port = 0\n" + ], + [ + 21, + " protocol = \"-1\"\n" + ], + [ + 22, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 23, + " }\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " tags = {\n" + ], + [ + 26, + " Name = \"Allow All Security Group\"\n" + ], + [ + 27, + " }\n" + ], + [ + 28, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + 
"file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 5, + 28 + ], + "resource": "aws_security_group.allow_all", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedEgressAny", + "fixed_definition": null, + "entity_tags": { + "Name": "Allow All Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_24", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "ingress/[0]/from_port", + "ingress/[0]/to_port", + "ingress/[0]/cidr_blocks", + "ingress/[0]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 31, + "resource \"aws_security_group\" \"ssh_open\" {\n" + ], + [ + 32, + " name = \"ssh-from-anywhere\"\n" + ], + [ + 33, + " description = \"SSH access from anywhere\"\n" + ], + [ + 34, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " ingress {\n" + ], + [ + 37, + " description = \"SSH from anywhere\"\n" + ], + [ + 38, + " from_port = 22\n" + ], + [ + 39, + " to_port = 22\n" + ], + [ + 40, + " protocol = \"tcp\"\n" + ], + [ + 41, + " cidr_blocks = [\"0.0.0.0/0\"] # SSH from anywhere!\n" + ], + [ + 42, + " }\n" + ], + [ + 43, + "\n" + ], + [ + 44, + " ingress {\n" + ], + [ + 45, + " description = \"RDP from anywhere\"\n" + ], + [ + 46, + " from_port = 3389\n" + ], + [ + 47, + " to_port = 3389\n" + ], + [ + 48, + " protocol = \"tcp\"\n" + ], + [ + 49, + " cidr_blocks = [\"0.0.0.0/0\"] # RDP from anywhere!\n" + ], + [ + 50, + " }\n" + ], + [ + 51, 
+ "\n" + ], + [ + 52, + " egress {\n" + ], + [ + 53, + " from_port = 0\n" + ], + [ + 54, + " to_port = 0\n" + ], + [ + 55, + " protocol = \"-1\"\n" + ], + [ + 56, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 57, + " }\n" + ], + [ + 58, + "\n" + ], + [ + 59, + " tags = {\n" + ], + [ + 60, + " Name = \"SSH Open Security Group\"\n" + ], + [ + 61, + " }\n" + ], + [ + 62, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 31, + 62 + ], + "resource": "aws_security_group.ssh_open", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress22", + "fixed_definition": null, + "entity_tags": { + "Name": "SSH Open Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_23", + "bc_check_id": null, + "check_name": "Ensure every security group and rule has a description", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "description", + "egress/[0]" + ] + }, + "code_block": [ + [ + 31, + "resource \"aws_security_group\" \"ssh_open\" {\n" + ], + [ + 32, + " name = \"ssh-from-anywhere\"\n" + ], + [ + 33, + " description = \"SSH access from anywhere\"\n" + ], + [ + 34, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " ingress {\n" + ], + [ + 37, + " description = \"SSH from anywhere\"\n" + ], + [ + 38, + " from_port = 22\n" + ], + [ + 39, + " to_port = 22\n" + ], + [ + 40, + " protocol = \"tcp\"\n" + ], + [ + 41, + " cidr_blocks = [\"0.0.0.0/0\"] # SSH from anywhere!\n" + ], + [ + 42, + " }\n" + ], 
+ [ + 43, + "\n" + ], + [ + 44, + " ingress {\n" + ], + [ + 45, + " description = \"RDP from anywhere\"\n" + ], + [ + 46, + " from_port = 3389\n" + ], + [ + 47, + " to_port = 3389\n" + ], + [ + 48, + " protocol = \"tcp\"\n" + ], + [ + 49, + " cidr_blocks = [\"0.0.0.0/0\"] # RDP from anywhere!\n" + ], + [ + 50, + " }\n" + ], + [ + 51, + "\n" + ], + [ + 52, + " egress {\n" + ], + [ + 53, + " from_port = 0\n" + ], + [ + 54, + " to_port = 0\n" + ], + [ + 55, + " protocol = \"-1\"\n" + ], + [ + 56, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 57, + " }\n" + ], + [ + 58, + "\n" + ], + [ + 59, + " tags = {\n" + ], + [ + 60, + " Name = \"SSH Open Security Group\"\n" + ], + [ + 61, + " }\n" + ], + [ + 62, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 31, + 62 + ], + "resource": "aws_security_group.ssh_open", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupRuleDescription", + "fixed_definition": null, + "entity_tags": { + "Name": "SSH Open Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_25", + "bc_check_id": null, + "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "ingress/[1]/from_port", + "ingress/[1]/to_port", + "ingress/[1]/cidr_blocks", + "ingress/[1]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 31, + "resource \"aws_security_group\" \"ssh_open\" {\n" + ], + [ + 32, + " name = \"ssh-from-anywhere\"\n" + ], + [ + 33, 
+ " description = \"SSH access from anywhere\"\n" + ], + [ + 34, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " ingress {\n" + ], + [ + 37, + " description = \"SSH from anywhere\"\n" + ], + [ + 38, + " from_port = 22\n" + ], + [ + 39, + " to_port = 22\n" + ], + [ + 40, + " protocol = \"tcp\"\n" + ], + [ + 41, + " cidr_blocks = [\"0.0.0.0/0\"] # SSH from anywhere!\n" + ], + [ + 42, + " }\n" + ], + [ + 43, + "\n" + ], + [ + 44, + " ingress {\n" + ], + [ + 45, + " description = \"RDP from anywhere\"\n" + ], + [ + 46, + " from_port = 3389\n" + ], + [ + 47, + " to_port = 3389\n" + ], + [ + 48, + " protocol = \"tcp\"\n" + ], + [ + 49, + " cidr_blocks = [\"0.0.0.0/0\"] # RDP from anywhere!\n" + ], + [ + 50, + " }\n" + ], + [ + 51, + "\n" + ], + [ + 52, + " egress {\n" + ], + [ + 53, + " from_port = 0\n" + ], + [ + 54, + " to_port = 0\n" + ], + [ + 55, + " protocol = \"-1\"\n" + ], + [ + 56, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 57, + " }\n" + ], + [ + 58, + "\n" + ], + [ + 59, + " tags = {\n" + ], + [ + 60, + " Name = \"SSH Open Security Group\"\n" + ], + [ + 61, + " }\n" + ], + [ + 62, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 31, + 62 + ], + "resource": "aws_security_group.ssh_open", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngress3389", + "fixed_definition": null, + "entity_tags": { + "Name": "SSH Open Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_382", + 
"bc_check_id": null, + "check_name": "Ensure no security groups allow egress from 0.0.0.0:0 to port -1", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "egress/[0]/from_port", + "egress/[0]/to_port", + "egress/[0]/cidr_blocks", + "egress/[0]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 31, + "resource \"aws_security_group\" \"ssh_open\" {\n" + ], + [ + 32, + " name = \"ssh-from-anywhere\"\n" + ], + [ + 33, + " description = \"SSH access from anywhere\"\n" + ], + [ + 34, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " ingress {\n" + ], + [ + 37, + " description = \"SSH from anywhere\"\n" + ], + [ + 38, + " from_port = 22\n" + ], + [ + 39, + " to_port = 22\n" + ], + [ + 40, + " protocol = \"tcp\"\n" + ], + [ + 41, + " cidr_blocks = [\"0.0.0.0/0\"] # SSH from anywhere!\n" + ], + [ + 42, + " }\n" + ], + [ + 43, + "\n" + ], + [ + 44, + " ingress {\n" + ], + [ + 45, + " description = \"RDP from anywhere\"\n" + ], + [ + 46, + " from_port = 3389\n" + ], + [ + 47, + " to_port = 3389\n" + ], + [ + 48, + " protocol = \"tcp\"\n" + ], + [ + 49, + " cidr_blocks = [\"0.0.0.0/0\"] # RDP from anywhere!\n" + ], + [ + 50, + " }\n" + ], + [ + 51, + "\n" + ], + [ + 52, + " egress {\n" + ], + [ + 53, + " from_port = 0\n" + ], + [ + 54, + " to_port = 0\n" + ], + [ + 55, + " protocol = \"-1\"\n" + ], + [ + 56, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 57, + " }\n" + ], + [ + 58, + "\n" + ], + [ + 59, + " tags = {\n" + ], + [ + 60, + " Name = \"SSH Open Security Group\"\n" + ], + [ + 61, + " }\n" + ], + [ + 62, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 31, + 62 + ], + "resource": "aws_security_group.ssh_open", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedEgressAny", + "fixed_definition": null, + "entity_tags": { + "Name": "SSH Open Security Group" + 
}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_23", + "bc_check_id": null, + "check_name": "Ensure every security group and rule has a description", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "description", + "egress/[0]" + ] + }, + "code_block": [ + [ + 65, + "resource \"aws_security_group\" \"database_exposed\" {\n" + ], + [ + 66, + " name = \"database-public\"\n" + ], + [ + 67, + " description = \"Database accessible from internet\"\n" + ], + [ + 68, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " ingress {\n" + ], + [ + 71, + " description = \"MySQL from anywhere\"\n" + ], + [ + 72, + " from_port = 3306\n" + ], + [ + 73, + " to_port = 3306\n" + ], + [ + 74, + " protocol = \"tcp\"\n" + ], + [ + 75, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 76, + " }\n" + ], + [ + 77, + "\n" + ], + [ + 78, + " ingress {\n" + ], + [ + 79, + " description = \"PostgreSQL from anywhere\"\n" + ], + [ + 80, + " from_port = 5432\n" + ], + [ + 81, + " to_port = 5432\n" + ], + [ + 82, + " protocol = \"tcp\"\n" + ], + [ + 83, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 84, + " }\n" + ], + [ + 85, + "\n" + ], + [ + 86, + " egress {\n" + ], + [ + 87, + " from_port = 0\n" + ], + [ + 88, + " to_port = 0\n" + ], + [ + 89, + " protocol = \"-1\"\n" + ], + [ + 90, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 65, + 92 + ], + "resource": 
"aws_security_group.database_exposed", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupRuleDescription", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_382", + "bc_check_id": null, + "check_name": "Ensure no security groups allow egress from 0.0.0.0:0 to port -1", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "egress/[0]/from_port", + "egress/[0]/to_port", + "egress/[0]/cidr_blocks", + "egress/[0]/ipv6_cidr_blocks" + ] + }, + "code_block": [ + [ + 65, + "resource \"aws_security_group\" \"database_exposed\" {\n" + ], + [ + 66, + " name = \"database-public\"\n" + ], + [ + 67, + " description = \"Database accessible from internet\"\n" + ], + [ + 68, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 69, + "\n" + ], + [ + 70, + " ingress {\n" + ], + [ + 71, + " description = \"MySQL from anywhere\"\n" + ], + [ + 72, + " from_port = 3306\n" + ], + [ + 73, + " to_port = 3306\n" + ], + [ + 74, + " protocol = \"tcp\"\n" + ], + [ + 75, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 76, + " }\n" + ], + [ + 77, + "\n" + ], + [ + 78, + " ingress {\n" + ], + [ + 79, + " description = \"PostgreSQL from anywhere\"\n" + ], + [ + 80, + " from_port = 5432\n" + ], + [ + 81, + " to_port = 5432\n" + ], + [ + 82, + " protocol = \"tcp\"\n" + ], + [ + 83, + " cidr_blocks = [\"0.0.0.0/0\"] # Database exposed!\n" + ], + [ + 84, + " }\n" + ], + [ + 85, + "\n" + ], + [ + 86, + " egress {\n" + ], + [ + 87, + " from_port = 0\n" + ], + [ + 88, + " to_port = 0\n" + ], + [ + 89, + " protocol = \"-1\"\n" + ], + 
[ + 90, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 91, + " }\n" + ], + [ + 92, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 65, + 92 + ], + "resource": "aws_security_group.database_exposed", + "evaluations": null, + "check_class": "checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedEgressAny", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV2_AWS_62", + "bc_check_id": null, + "check_name": "Ensure S3 buckets should have event notifications enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 
13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_62", + "bc_check_id": null, + "check_name": "Ensure S3 buckets should have event notifications enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": 
null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_60", + "bc_check_id": null, + "check_name": "Ensure RDS instance with copy tags to snapshots is enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_db_instance": { + "unencrypted_db": { + "__end_line__": 37, + "__start_line__": 5, + "allocated_storage": [ + 20 + ], + "backup_retention_period": [ + 0 + ], + "deletion_protection": [ + false + ], + "enabled_cloudwatch_logs_exports": [ + [] + ], + "engine": [ + "postgres" + ], + "engine_version": [ + "13.7" + ], + "identifier": [ + "mydb-unencrypted" + ], + "instance_class": [ + "db.t3.micro" + ], + "password": [ + "SuperSecretPassword123!" + ], + "publicly_accessible": [ + true + ], + "skip_final_snapshot": [ + true + ], + "storage_encrypted": [ + false + ], + "tags": [ + { + "Name": "Unencrypted Database" + } + ], + "username": [ + "admin" + ], + "vpc_security_group_ids": [ + [ + "aws_security_group.database_exposed.id" + ] + ], + "__address__": "aws_db_instance.unencrypted_db" + } + } + }, + "evaluated_keys": [ + "copy_tags_to_snapshot", + "engine" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + 
], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV2_AWS_60", + "bc_check_id": null, + "check_name": "Ensure RDS instance with copy tags to snapshots is enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_db_instance": { + "weak_db": { + "__end_line__": 69, + "__start_line__": 40, + "allocated_storage": [ 
+ 20 + ], + "auto_minor_version_upgrade": [ + false + ], + "engine": [ + "mysql" + ], + "engine_version": [ + "5.7.38" + ], + "identifier": [ + "mydb-weak" + ], + "instance_class": [ + "db.t3.micro" + ], + "kms_key_id": [ + "" + ], + "multi_az": [ + false + ], + "password": [ + "password123" + ], + "performance_insights_enabled": [ + false + ], + "publicly_accessible": [ + false + ], + "skip_final_snapshot": [ + true + ], + "storage_encrypted": [ + true + ], + "tags": [ + { + "Name": "Weak Database" + } + ], + "username": [ + "root" + ], + "__address__": "aws_db_instance.weak_db" + } + } + }, + "evaluated_keys": [ + "copy_tags_to_snapshot", + "engine" + ] + }, + "code_block": [ + [ + 40, + "resource \"aws_db_instance\" \"weak_db\" {\n" + ], + [ + 41, + " identifier = \"mydb-weak\"\n" + ], + [ + 42, + " engine = \"mysql\"\n" + ], + [ + 43, + " engine_version = \"5.7.38\" # Old version with known vulnerabilities\n" + ], + [ + 44, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 45, + " allocated_storage = 20\n" + ], + [ + 46, + " \n" + ], + [ + 47, + " username = \"root\" # Using default admin username\n" + ], + [ + 48, + " password = \"password123\" # Weak password!\n" + ], + [ + 49, + " \n" + ], + [ + 50, + " storage_encrypted = true\n" + ], + [ + 51, + " kms_key_id = \"\" # Empty KMS key - using default key\n" + ], + [ + 52, + " \n" + ], + [ + 53, + " publicly_accessible = false\n" + ], + [ + 54, + " \n" + ], + [ + 55, + " # Multi-AZ disabled\n" + ], + [ + 56, + " multi_az = false # SECURITY ISSUE #14 - No high availability\n" + ], + [ + 57, + " \n" + ], + [ + 58, + " # Auto minor version upgrade disabled\n" + ], + [ + 59, + " auto_minor_version_upgrade = false # SECURITY ISSUE #15\n" + ], + [ + 60, + " \n" + ], + [ + 61, + " # No performance insights\n" + ], + [ + 62, + " performance_insights_enabled = false\n" + ], + [ + 63, + " \n" + ], + [ + 64, + " skip_final_snapshot = true\n" + ], + [ + 65, + " \n" + ], + [ + 66, + " tags = {\n" + ], + [ + 67, + " Name = 
\"Weak Database\"\n" + ], + [ + 68, + " }\n" + ], + [ + 69, + "}\n" + ] + ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 40, + 69 + ], + "resource": "aws_db_instance.weak_db", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Weak Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV_AWS_20", + "bc_check_id": null, + "check_name": "S3 Bucket has an ACL defined which allows public READ access.", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "access_control_policy", + "access_control_policy/grant/*/grantee/uri", + "acl", + "access_control_policy/grant" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + 
"repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_61", + "bc_check_id": null, + "check_name": "Ensure that an S3 bucket has a lifecycle configuration", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "lifecycle_rule" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + 
"Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_61", + "bc_check_id": null, + "check_name": "Ensure that an S3 bucket has a lifecycle configuration", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "lifecycle_rule" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": 
null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_6", + "bc_check_id": null, + "check_name": "Ensure that S3 bucket has a Public Access block", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "block_public_acls", + "block_public_policy" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": { + "code_block": [ + [ + 36, + "resource \"aws_s3_bucket_public_access_block\" \"bad_config\" {\n" + ], + [ + 37, + " bucket = aws_s3_bucket.public_data.id\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " 
block_public_acls = false # Should be true\n" + ], + [ + 40, + " block_public_policy = false # Should be true\n" + ], + [ + 41, + " ignore_public_acls = false # Should be true\n" + ], + [ + 42, + " restrict_public_buckets = false # Should be true\n" + ], + [ + 43, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_line_range": [ + 36, + 43 + ], + "resource": "aws_s3_bucket_public_access_block.bad_config", + "entity_tags": {}, + "evaluations": null, + "file_abs_path": "/tf/main.tf", + "resource_address": null + }, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_6", + "bc_check_id": null, + "check_name": "Ensure that S3 bucket has a Public Access block", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "block_public_acls", + "block_public_policy" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + 
"entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_30", + "bc_check_id": null, + "check_name": "Ensure Postgres RDS as aws_db_instance has Query Logging enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_db_instance": { + "unencrypted_db": { + "__end_line__": 37, + "__start_line__": 5, + "allocated_storage": [ + 20 + ], + "backup_retention_period": [ + 0 + ], + "deletion_protection": [ + false + ], + "enabled_cloudwatch_logs_exports": [ + [] + ], + "engine": [ + "postgres" + ], + "engine_version": [ + "13.7" + ], + "identifier": [ + "mydb-unencrypted" + ], + "instance_class": [ + "db.t3.micro" + ], + "password": [ + "SuperSecretPassword123!" 
+ ], + "publicly_accessible": [ + true + ], + "skip_final_snapshot": [ + true + ], + "storage_encrypted": [ + false + ], + "tags": [ + { + "Name": "Unencrypted Database" + } + ], + "username": [ + "admin" + ], + "vpc_security_group_ids": [ + [ + "aws_security_group.database_exposed.id" + ] + ], + "__address__": "aws_db_instance.unencrypted_db" + } + } + }, + "evaluated_keys": [ + "resource_type", + "parameter/*/name", + "engine" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_db_instance\" \"unencrypted_db\" {\n" + ], + [ + 6, + " identifier = \"mydb-unencrypted\"\n" + ], + [ + 7, + " engine = \"postgres\"\n" + ], + [ + 8, + " engine_version = \"13.7\"\n" + ], + [ + 9, + " instance_class = \"db.t3.micro\"\n" + ], + [ + 10, + " allocated_storage = 20\n" + ], + [ + 11, + " \n" + ], + [ + 12, + " username = \"admin\"\n" + ], + [ + 13, + " password = \"SuperSecretPassword123!\" # SECURITY ISSUE #9 - Hardcoded password!\n" + ], + [ + 14, + " \n" + ], + [ + 15, + " storage_encrypted = false # No encryption!\n" + ], + [ + 16, + " \n" + ], + [ + 17, + " publicly_accessible = true # SECURITY ISSUE #10 - Public access!\n" + ], + [ + 18, + " \n" + ], + [ + 19, + " skip_final_snapshot = true\n" + ], + [ + 20, + " \n" + ], + [ + 21, + " # No backup configuration\n" + ], + [ + 22, + " backup_retention_period = 0 # SECURITY ISSUE #11 - No backups!\n" + ], + [ + 23, + " \n" + ], + [ + 24, + " # Missing monitoring\n" + ], + [ + 25, + " enabled_cloudwatch_logs_exports = []\n" + ], + [ + 26, + " \n" + ], + [ + 27, + " # No deletion protection\n" + ], + [ + 28, + " deletion_protection = false # SECURITY ISSUE #12\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " # Using default security group\n" + ], + [ + 31, + " vpc_security_group_ids = [aws_security_group.database_exposed.id]\n" + ], + [ + 32, + " \n" + ], + [ + 33, + " tags = {\n" + ], + [ + 34, + " Name = \"Unencrypted Database\"\n" + ], + [ + 35, + " # Missing required tags\n" + ], + [ + 36, + " }\n" + ], + [ + 37, + "}\n" + ] 
+ ], + "file_path": "/database.tf", + "file_abs_path": "/tf/database.tf", + "repo_file_path": "/tf/database.tf", + "file_line_range": [ + 5, + 37 + ], + "resource": "aws_db_instance.unencrypted_db", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Unencrypted Database" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/database.tf" + }, + { + "check_id": "CKV2_AWS_5", + "bc_check_id": null, + "check_name": "Ensure that Security Groups are attached to another resource", + "check_result": { + "result": "FAILED", + "entity": { + "aws_security_group": { + "allow_all": { + "__end_line__": 28, + "__start_line__": 5, + "description": [ + "Allow all inbound traffic from anywhere" + ], + "egress": [ + { + "cidr_blocks": [ + [ + "0.0.0.0/0" + ] + ], + "from_port": [ + 0 + ], + "protocol": [ + "-1" + ], + "to_port": [ + 0 + ] + } + ], + "ingress": [ + { + "cidr_blocks": [ + [ + "0.0.0.0/0" + ] + ], + "description": [ + "Allow all traffic" + ], + "from_port": [ + 0 + ], + "protocol": [ + "-1" + ], + "to_port": [ + 65535 + ] + } + ], + "name": [ + "allow-all-traffic" + ], + "tags": [ + { + "Name": "Allow All Security Group" + } + ], + "vpc_id": [ + "vpc-12345678" + ], + "__address__": "aws_security_group.allow_all" + } + } + }, + "evaluated_keys": [ + "resource_type", + "networking" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_security_group\" \"allow_all\" {\n" + ], + [ + 6, + " name = \"allow-all-traffic\"\n" + ], + [ + 7, + " description = \"Allow all inbound traffic from anywhere\"\n" + ], + [ + 8, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 9, + "\n" + ], + [ 
+ 10, + " ingress {\n" + ], + [ + 11, + " description = \"Allow all traffic\"\n" + ], + [ + 12, + " from_port = 0\n" + ], + [ + 13, + " to_port = 65535\n" + ], + [ + 14, + " protocol = \"-1\" # All protocols\n" + ], + [ + 15, + " cidr_blocks = [\"0.0.0.0/0\"] # From anywhere!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + "\n" + ], + [ + 18, + " egress {\n" + ], + [ + 19, + " from_port = 0\n" + ], + [ + 20, + " to_port = 0\n" + ], + [ + 21, + " protocol = \"-1\"\n" + ], + [ + 22, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 23, + " }\n" + ], + [ + 24, + "\n" + ], + [ + 25, + " tags = {\n" + ], + [ + 26, + " Name = \"Allow All Security Group\"\n" + ], + [ + 27, + " }\n" + ], + [ + 28, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": "/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 5, + 28 + ], + "resource": "aws_security_group.allow_all", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Allow All Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV2_AWS_5", + "bc_check_id": null, + "check_name": "Ensure that Security Groups are attached to another resource", + "check_result": { + "result": "FAILED", + "entity": { + "aws_security_group": { + "ssh_open": { + "__end_line__": 62, + "__start_line__": 31, + "description": [ + "SSH access from anywhere" + ], + "egress": [ + { + "cidr_blocks": [ + [ + "0.0.0.0/0" + ] + ], + "from_port": [ + 0 + ], + "protocol": [ + "-1" + ], + "to_port": [ + 0 + ] + } + ], + "ingress": [ + { + 
"cidr_blocks": [ + [ + "0.0.0.0/0" + ] + ], + "description": [ + "SSH from anywhere" + ], + "from_port": [ + 22 + ], + "protocol": [ + "tcp" + ], + "to_port": [ + 22 + ] + }, + { + "cidr_blocks": [ + [ + "0.0.0.0/0" + ] + ], + "description": [ + "RDP from anywhere" + ], + "from_port": [ + 3389 + ], + "protocol": [ + "tcp" + ], + "to_port": [ + 3389 + ] + } + ], + "name": [ + "ssh-from-anywhere" + ], + "tags": [ + { + "Name": "SSH Open Security Group" + } + ], + "vpc_id": [ + "vpc-12345678" + ], + "__address__": "aws_security_group.ssh_open" + } + } + }, + "evaluated_keys": [ + "resource_type", + "networking" + ] + }, + "code_block": [ + [ + 31, + "resource \"aws_security_group\" \"ssh_open\" {\n" + ], + [ + 32, + " name = \"ssh-from-anywhere\"\n" + ], + [ + 33, + " description = \"SSH access from anywhere\"\n" + ], + [ + 34, + " vpc_id = \"vpc-12345678\"\n" + ], + [ + 35, + "\n" + ], + [ + 36, + " ingress {\n" + ], + [ + 37, + " description = \"SSH from anywhere\"\n" + ], + [ + 38, + " from_port = 22\n" + ], + [ + 39, + " to_port = 22\n" + ], + [ + 40, + " protocol = \"tcp\"\n" + ], + [ + 41, + " cidr_blocks = [\"0.0.0.0/0\"] # SSH from anywhere!\n" + ], + [ + 42, + " }\n" + ], + [ + 43, + "\n" + ], + [ + 44, + " ingress {\n" + ], + [ + 45, + " description = \"RDP from anywhere\"\n" + ], + [ + 46, + " from_port = 3389\n" + ], + [ + 47, + " to_port = 3389\n" + ], + [ + 48, + " protocol = \"tcp\"\n" + ], + [ + 49, + " cidr_blocks = [\"0.0.0.0/0\"] # RDP from anywhere!\n" + ], + [ + 50, + " }\n" + ], + [ + 51, + "\n" + ], + [ + 52, + " egress {\n" + ], + [ + 53, + " from_port = 0\n" + ], + [ + 54, + " to_port = 0\n" + ], + [ + 55, + " protocol = \"-1\"\n" + ], + [ + 56, + " cidr_blocks = [\"0.0.0.0/0\"]\n" + ], + [ + 57, + " }\n" + ], + [ + 58, + "\n" + ], + [ + 59, + " tags = {\n" + ], + [ + 60, + " Name = \"SSH Open Security Group\"\n" + ], + [ + 61, + " }\n" + ], + [ + 62, + "}\n" + ] + ], + "file_path": "/security_groups.tf", + "file_abs_path": 
"/tf/security_groups.tf", + "repo_file_path": "/tf/security_groups.tf", + "file_line_range": [ + 31, + 62 + ], + "resource": "aws_security_group.ssh_open", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "SSH Open Security Group" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/security_groups.tf" + }, + { + "check_id": "CKV_AWS_144", + "bc_check_id": null, + "check_name": "Ensure that S3 bucket has cross-region replication enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "replication_configuration/rules/*/status", + "rule/*/status" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + 
"check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_144", + "bc_check_id": null, + "check_name": "Ensure that S3 bucket has cross-region replication enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "replication_configuration/rules/*/status", + "rule/*/status" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + 
"resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_145", + "bc_check_id": null, + "check_name": "Ensure that S3 buckets are encrypted with KMS by default", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "server_side_encryption_configuration/rule/apply_server_side_encryption_by_default/sse_algorithm", + "rule/apply_server_side_encryption_by_default/sse_algorithm" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": 
null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_145", + "bc_check_id": null, + "check_name": "Ensure that S3 buckets are encrypted with KMS by default", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "server_side_encryption_configuration/rule/apply_server_side_encryption_by_default/sse_algorithm", + "rule/apply_server_side_encryption_by_default/sse_algorithm" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + 
"details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_18", + "bc_check_id": null, + "check_name": "Ensure the S3 bucket has access logging enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "logging" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_18", + "bc_check_id": null, + "check_name": "Ensure the S3 bucket has access logging enabled", + "check_result": { + "result": "FAILED", + "entity": { + 
"aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "resource_type", + "logging" + ] + }, + "code_block": [ + [ + 24, + "resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_21", + "bc_check_id": null, + "check_name": "Ensure all data stored in the S3 bucket have versioning enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "public_data": { + "__end_line__": 21, + "__start_line__": 13, + "acl": [ + "public-read" + ], + "bucket": [ + "my-public-bucket-lab6" + ], + "tags": [ + { + "Name": "Public Data Bucket" + } + ], + "__address__": "aws_s3_bucket.public_data", + 
"__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "versioning_configuration/status", + "versioning/enabled", + "resource_type" + ] + }, + "code_block": [ + [ + 13, + "resource \"aws_s3_bucket\" \"public_data\" {\n" + ], + [ + 14, + " bucket = \"my-public-bucket-lab6\"\n" + ], + [ + 15, + " acl = \"public-read\" # Public access enabled!\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " tags = {\n" + ], + [ + 18, + " Name = \"Public Data Bucket\"\n" + ], + [ + 19, + " # Missing required tags: Environment, Owner, CostCenter\n" + ], + [ + 20, + " }\n" + ], + [ + 21, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 13, + 21 + ], + "resource": "aws_s3_bucket.public_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": { + "Name": "Public Data Bucket" + }, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV_AWS_21", + "bc_check_id": null, + "check_name": "Ensure all data stored in the S3 bucket have versioning enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_s3_bucket": { + "unencrypted_data": { + "__end_line__": 33, + "__start_line__": 24, + "acl": [ + "private" + ], + "bucket": [ + "my-unencrypted-bucket-lab6" + ], + "versioning": [ + { + "enabled": [ + false + ] + } + ], + "__address__": "aws_s3_bucket.unencrypted_data", + "__provider_address__": "aws.default" + } + } + }, + "evaluated_keys": [ + "versioning_configuration/status", + "versioning/enabled", + "resource_type" + ] + }, + "code_block": [ + [ + 24, + 
"resource \"aws_s3_bucket\" \"unencrypted_data\" {\n" + ], + [ + 25, + " bucket = \"my-unencrypted-bucket-lab6\"\n" + ], + [ + 26, + " acl = \"private\"\n" + ], + [ + 27, + " \n" + ], + [ + 28, + " # No server_side_encryption_configuration!\n" + ], + [ + 29, + " \n" + ], + [ + 30, + " versioning {\n" + ], + [ + 31, + " enabled = false # Versioning disabled\n" + ], + [ + 32, + " }\n" + ], + [ + 33, + "}\n" + ] + ], + "file_path": "/main.tf", + "file_abs_path": "/tf/main.tf", + "repo_file_path": "/tf/main.tf", + "file_line_range": [ + 24, + 33 + ], + "resource": "aws_s3_bucket.unencrypted_data", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/main.tf" + }, + { + "check_id": "CKV2_AWS_40", + "bc_check_id": null, + "check_name": "Ensure AWS IAM policy does not allow full IAM privileges", + "check_result": { + "result": "FAILED", + "entity": { + "aws_iam_policy": { + "admin_policy": { + "__end_line__": 19, + "__start_line__": 5, + "description": [ + "Policy with wildcard permissions" + ], + "name": [ + "overly-permissive-policy" + ], + "policy": [ + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + } + ], + "__address__": "aws_iam_policy.admin_policy" + } + } + }, + "evaluated_keys": [ + "inline_policy/Statement[?(@/Effect == Allow)]/Action[*]", + "policy/Statement[?(@/Effect == Allow)]/Action[*]", + "statement[?(@/effect == Allow)]/actions[*]" + ] + }, + "code_block": [ + [ + 5, + "resource \"aws_iam_policy\" \"admin_policy\" {\n" + ], + [ + 6, + " name = 
\"overly-permissive-policy\"\n" + ], + [ + 7, + " description = \"Policy with wildcard permissions\"\n" + ], + [ + 8, + "\n" + ], + [ + 9, + " policy = jsonencode({\n" + ], + [ + 10, + " Version = \"2012-10-17\"\n" + ], + [ + 11, + " Statement = [\n" + ], + [ + 12, + " {\n" + ], + [ + 13, + " Effect = \"Allow\"\n" + ], + [ + 14, + " Action = \"*\" # All actions allowed!\n" + ], + [ + 15, + " Resource = \"*\" # On all resources!\n" + ], + [ + 16, + " }\n" + ], + [ + 17, + " ]\n" + ], + [ + 18, + " })\n" + ], + [ + 19, + "}\n" + ] + ], + "file_path": "/iam.tf", + "file_abs_path": "/tf/iam.tf", + "repo_file_path": "/tf/iam.tf", + "file_line_range": [ + 5, + 19 + ], + "resource": "aws_iam_policy.admin_policy", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": {}, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": {}, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": "/tf/iam.tf" + } + ], + "skipped_checks": [], + "parsing_errors": [] + }, + "summary": { + "passed": 48, + "failed": 78, + "skipped": 0, + "parsing_errors": 0, + "resource_count": 16, + "checkov_version": "3.2.474" + }, + "url": "Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" +} diff --git a/labs/lab6/analysis/kics-ansible-report.html b/labs/lab6/analysis/kics-ansible-report.html new file mode 100755 index 00000000..69d31d0a --- /dev/null +++ b/labs/lab6/analysis/kics-ansible-report.html @@ -0,0 +1,44 @@ +KICS Scan ResultCheckmarx logo
KICS v2.1.14 +Scanned paths: /src +Platforms: Common, AnsibleStart time: 09:53:54, Oct 06 2025 +End time: 09:53:59, Oct 06 2025

Vulnerabilities:

0 +CRITICAL
8 +HIGH
0 +MEDIUM
1 +LOW
0 +INFO
9 +TOTAL

Passwords And Secrets - Generic Password

Platform: Common +CWE: 798 +Category: Secret Management
Query to find passwords and secrets in infrastructure code.https://docs.kics.io/latest/secrets/
Results (6)
File: ../../src/configure.yml +Line 16
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
15
16 admin_password: <SECRET-MASKED-ON-PURPOSE>
17
File: ../../src/inventory.ini +Line 5
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
4[webservers]
5web1.example.com ansible_user=root ansible_password=<SECRET-MASKED-ON-PURPOSE>
6web2.example.com ansible_user=root ansible_ssh_pass=RootPass123!
File: ../../src/inventory.ini +Line 19
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
18ansible_become_password=<SECRET-MASKED-ON-PURPOSE>
19db_admin_password=<SECRET-MASKED-ON-PURPOSE>
20api_secret_key=sk_live_abcdef1234567890
File: ../../src/inventory.ini +Line 18
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
17# SECURITY ISSUE #38 - Global variables with secrets
18ansible_become_password=<SECRET-MASKED-ON-PURPOSE>
19db_admin_password=<SECRET-MASKED-ON-PURPOSE>
File: ../../src/inventory.ini +Line 10
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
9# SECURITY ISSUE #36 - Using root user and default port
10db1.example.com ansible_user=root ansible_port=22 ansible_password=<SECRET-MASKED-ON-PURPOSE>
11
File: ../../src/deploy.yml +Line 12
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
11 # SECURITY ISSUE #1 - Hardcoded password in playbook!
12 db_password: <SECRET-MASKED-ON-PURPOSE>
13 # SECURITY ISSUE #2 - Hardcoded API key!

Passwords And Secrets - Password in URL

Platform: Common +CWE: 798 +Category: Secret Management
Query to find passwords and secrets in infrastructure code.https://docs.kics.io/latest/secrets/
Results (2)
File: ../../src/deploy.yml +Line 16
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
15 # SECURITY ISSUE #3 - Database connection string with credentials
16 db_connection: <SECRET-MASKED-ON-PURPOSE>:5432/myapp"
17
File: ../../src/deploy.yml +Line 72
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
71 git:
72 repo: <SECRET-MASKED-ON-PURPOSE>/company/repo.git'
73 dest: /var/www/myapp

Unpinned Package Version

Platform: Ansible +CWE: 706 +Category: Supply-Chain
Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of servicehttps://ansible.readthedocs.io/projects/lint/rules/package-latest/
Results (1)
File: ../../src/deploy.yml +Line 99
Expected: State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true' +Found: State's task is set to 'latest'
98 name: myapp
99 state: latest # Should pin specific version
100 update_cache: yes

KICS is open and will always stay such. Both the scanning engine and the security queries are clear and open for the software development community.
Spread the love:
\ No newline at end of file diff --git a/labs/lab6/analysis/kics-ansible-report.txt b/labs/lab6/analysis/kics-ansible-report.txt new file mode 100644 index 00000000..4d5c346a --- /dev/null +++ b/labs/lab6/analysis/kics-ansible-report.txt 
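Review bot: The committed kics-ansible-report.html still carries unmasked credentials in its context lines. KICS masks only the line it flags, so inventory.ini line 6 (`ansible_ssh_pass=...`) and line 20 (`api_secret_key=sk_live_...`) appear in clear text in this report even though lines 5, 18 and 19 are shown as `<SECRET-MASKED-ON-PURPOSE>`. Even with lab dummy values, a report that reproduces secrets should be scrubbed before it is committed (or regenerated without the surrounding context lines); otherwise any secret scanner run on this repository will flag the report itself, which muddies exactly the comparison this lab is making. Separately, the file is added with `new file mode 100755`; a generated HTML report should be 100644.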
@@ -0,0 +1,73 @@ +38;2;34;187;51m + + + MLLLLLM MLLLLLLLLL LLLLLLL KLLLLLLLLLLLLLLLL LLLLLLLLLLLLLLLLLLLLLLL + MMMMMMM MMMMMMMMMML MMMMMMMK LMMMMMMMMMMMMMMMMMMMML KLMMMMMMMMMMMMMMMMMMMMMMMMM + MMMMMMM MMMMMMMMML MMMMMMMK LMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMM + MMMMMMM MMMMMMMMMML MMMMMMMK LMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM + MMMMMMM LMMMMMMMMML MMMMMMMK LMMMMMMMMMLLMLLLLLLLLLLLLLL LMMMMMMMLLLLLLLLLLLLLLLLLLLLM + MMMMMMM MMMMMMMMMLM MMMMMMMK LMMMMMMMM LMMMMMML + MMMMMMMLMMMMMMMML MMMMMMMK MMMMMMML LMMMMMMMMLLLLLLLLLLLLLMLL + MMMMMMMMMMMMMMMM MMMMMMMK MMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMML + MMMMMMMMMMMMMMMMMM MMMMMMMK MMMMMMM LMMMMMMMMMMMMMMMMMMMMMMMML + MMMMMMM KLMMMMMMMMML MMMMMMMK LMMMMMMM MMMMMMMML + MMMMMMM LMMMMMMMMMM MMMMMMMK LMMMMMMMMLL MMMMMMML + MMMMMMM LMMMMMMMMMLL MMMMMMMK LMMMMMMMMMMMMMMMMMMMMMMMMML LLLLLLLLLLLLLLLLLLLLMMMMMMMMMM + MMMMMMM MMMMMMMMMMML MMMMMMMK MMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM + MMMMMMM LLMMMMMMMMML MMMMMMMK LLMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMML + MMMMMMM MMMMMMMMMML MMMMMMMK KLMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMLK + + + +0m +Scanning with Keeping Infrastructure as Code Secure v2.1.14 + + + +Preparing Scan Assets: Done + + + + + + + + + + + + + + + + + + + + + + + + + +Unpinned Package Version, Severity: LOW, Results: 1 + [1]: ../../src/deploy.yml:99 +Passwords And Secrets - Password in URL, Severity: HIGH, Results: 2 + [1]: ../../src/deploy.yml:16 + [2]: ../../src/deploy.yml:72 +Passwords And Secrets - Generic Password, Severity: HIGH, Results: 6 + [1]: ../../src/configure.yml:16 + [2]: ../../src/inventory.ini:5 + [3]: ../../src/inventory.ini:10 + [4]: ../../src/deploy.yml:12 + [5]: ../../src/inventory.ini:19 + [6]: ../../src/inventory.ini:18 + +Results Summary: +CRITICAL: 0 +HIGH: 8 +MEDIUM: 0 +LOW: 1 +INFO: 0 +TOTAL: 9 + 
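Review bot: kics-ansible-report.txt is captured terminal output rather than a report: it opens with the truncated ANSI colour escape `38;2;34;187;51m`, the KICS ASCII banner and a `0m` reset, then a long run of empty lines left by the progress indicator, before the dozen lines that actually carry information (the per-query result list and the Results Summary). Regenerate it with `kics scan ... --no-color` so the text file is readable and diffable, or drop it and keep only the JSON that is already committed next to it; escape sequences in a .txt artifact also trip text-based tooling. The summary itself (HIGH: 8, LOW: 1, TOTAL: 9) agrees with the counters in the HTML and JSON outputs, so the content is consistent across the three formats.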
diff --git a/labs/lab6/analysis/kics-ansible-results.json b/labs/lab6/analysis/kics-ansible-results.json new file mode 100755 index 00000000..be5880d1 --- /dev/null +++ b/labs/lab6/analysis/kics-ansible-results.json 
@@ -0,0 +1,176 @@ +{ + "kics_version": "v2.1.14", + "files_scanned": 3, + "lines_scanned": 309, + "files_parsed": 3, + "lines_parsed": 260, + "lines_ignored": 49, + "files_failed_to_scan": 0, + "queries_total": 287, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 8, + "INFO": 0, + "LOW": 1, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 9, + "total_bom_resources": 0, + "start": "2025-10-06T09:53:54.6122475Z", + "end": "2025-10-06T09:53:59.028629336Z", + "paths": [ + "/src" + ], + "queries": [ + { + "query_name": "Passwords And Secrets - Generic Password", + "query_id": "487f4be7-3fd9-4506-a07a-eae252180c08", + "query_url": "https://docs.kics.io/latest/secrets/", + "severity": "HIGH", + "platform": "Common", + "cwe": "798", + "cloud_provider": "COMMON", + "category": "Secret Management", + "experimental": false, + "description": "Query to find passwords and secrets in infrastructure code.", + "description_id": "d69d8a89", + "files": [ + { + "file_name": "../../src/configure.yml", + "similarity_id": "2a8df5710fcdceeff811ec6532d6bcba17d9b6c603d0fecdfecc87f3b128aac5", + "line": 16, + "issue_type": "RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + }, + { + "file_name": "../../src/inventory.ini", + "similarity_id": "21ca21d14467d66a7b83bdc36e6292b114d13bde377021c0ca107078a8afa0d4", + "line": 5, + "issue_type": "RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + }, + { + "file_name": "../../src/inventory.ini", + "similarity_id": "33738570f6448f344b956896d42f75b6216ace7814a46c8b6002d483c70c25b8", + "line": 19, + "issue_type": 
"RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + }, + { + "file_name": "../../src/inventory.ini", + "similarity_id": "97e89fa95681e604d1c4504858554eef5df45cee2055fe4505a1e6c1baf30aa8", + "line": 18, + "issue_type": "RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + }, + { + "file_name": "../../src/inventory.ini", + "similarity_id": "369901d122f4a6d8adec4bec409dc25e92c96ff37c26a145b681702f7971a6a1", + "line": 10, + "issue_type": "RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + }, + { + "file_name": "../../src/deploy.yml", + "similarity_id": "d6fbd659326192fbd0bfcc010d5fc97f5db716570596efd8b730ce20e6606683", + "line": 12, + "issue_type": "RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + } + ] + }, + { + "query_name": "Passwords And Secrets - Password in URL", + "query_id": "c4d3b58a-e6d4-450f-9340-04f1e702eaae", + "query_url": "https://docs.kics.io/latest/secrets/", + "severity": "HIGH", + "platform": "Common", + "cwe": "798", + "cloud_provider": "COMMON", + "category": "Secret Management", + "experimental": false, + "description": "Query to find passwords and secrets in infrastructure code.", + "description_id": "d69d8a89", + "files": [ + { + "file_name": "../../src/deploy.yml", + "similarity_id": "895e407b4fb7371dee128429969964f297da99fed47494dbb55bb0627fb8b7ff", + "line": 16, + "issue_type": 
"RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + }, + { + "file_name": "../../src/deploy.yml", + "similarity_id": "8c1dd50d50bac18f0c169f282f8af8782dfbc8f0c3271edb415981a73d6e5af5", + "line": 72, + "issue_type": "RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + } + ] + }, + { + "query_name": "Unpinned Package Version", + "query_id": "c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8", + "query_url": "https://ansible.readthedocs.io/projects/lint/rules/package-latest/", + "severity": "LOW", + "platform": "Ansible", + "cwe": "706", + "cloud_provider": "COMMON", + "category": "Supply-Chain", + "experimental": false, + "description": "Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service", + "description_id": "43e877b3", + "files": [ + { + "file_name": "../../src/deploy.yml", + "similarity_id": "314c76114114e1e23377a262e72590a75327039d9d6137b44fdb17922fe5f990", + "line": 99, + "resource_type": "apt", + "resource_name": "Install application", + "issue_type": "IncorrectValue", + "search_key": "name={{Install application}}.{{apt}}.state", + "search_line": -1, + "search_value": "", + "expected_value": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actual_value": "State's task is set to 'latest'" + } + ] + } + ] +} diff --git a/labs/lab6/analysis/kics-pulumi-report.html b/labs/lab6/analysis/kics-pulumi-report.html new file mode 100755 index 00000000..affff341 --- /dev/null +++ b/labs/lab6/analysis/kics-pulumi-report.html @@ -0,0 +1,44 @@ +KICS Scan ResultCheckmarx logo
KICS v2.1.14 +Scanned paths: /src +Platforms: Pulumi, CommonStart time: 09:44:28, Oct 06 2025 +End time: 09:44:29, Oct 06 2025

Vulnerabilities:

0 +CRITICAL
2 +HIGH
2 +MEDIUM
0 +LOW
2 +INFO
6 +TOTAL

DynamoDB Table Not Encrypted

Platform: Pulumi +CWE: 311 +Category: Encryption
Results (1)
File: ../../src/Pulumi-vulnerable.yaml +Line 205
Expected: Attribute 'serverSideEncryption' should be defined +Found: Attribute 'serverSideEncryption' is not defined
204 type: aws:dynamodb:Table
205 properties:
206 name: my-table-pulumi-yaml

Passwords And Secrets - Generic Password

Platform: Common +CWE: 798 +Category: Secret Management
Query to find passwords and secrets in infrastructure code.https://docs.kics.io/latest/secrets/
Results (1)
File: ../../src/Pulumi-vulnerable.yaml +Line 16
Expected: Hardcoded secret key should not appear in source +Found: Hardcoded secret key appears in source
15 # SECURITY ISSUE #1 - Hardcoded database password
16 dbPassword: <SECRET-MASKED-ON-PURPOSE>
17

EC2 Instance Monitoring Disabled

Platform: Pulumi +CWE: 778 +Category: Observability
EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periodshttps://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#monitoring_yaml
Results (1)
File: ../../src/Pulumi-vulnerable.yaml +Line 157
Expected: Attribute 'monitoring' should be defined and set to true +Found: Attribute 'monitoring' is not defined
156 type: aws:ec2:Instance
157 properties:
158 ami: ami-0c55b159cbfafe1f0

RDS DB Instance Publicly Accessible

Platform: Pulumi +CWE: 284 +Category: Insecure Configurations
RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/#publiclyaccessible_yaml
Results (1)
File: ../../src/Pulumi-vulnerable.yaml +Line 104
Expected: 'resources.unencryptedDb.properties.publiclyAccessible' should be set to 'false' +Found: 'resources.unencryptedDb.properties.publiclyAccessible' is set to 'true'
103 storageEncrypted: false # SECURITY ISSUE #7 - No encryption!
104 publiclyAccessible: true # SECURITY ISSUE #8 - Public access!
105 skipFinalSnapshot: true

DynamoDB Table Point In Time Recovery Disabled

Platform: Pulumi +CWE: 459 +Category: Best Practices
It's considered a best practice to have point in time recovery enabled for DynamoDB Tablehttps://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#pointintimerecovery_yaml
Results (1)
File: ../../src/Pulumi-vulnerable.yaml +Line 213
Expected: Attribute 'enabled' in 'pointInTimeRecovery' should be set to true +Found: Attribute 'enabled' in 'pointInTimeRecovery' is set to false
212 pointInTimeRecovery:
213 enabled: false # SECURITY ISSUE #18 - No PITR
214 tags:

EC2 Not EBS Optimized

Platform: Pulumi +CWE: 459 +Category: Best Practices
It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instancehttps://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#ebsoptimized_yaml
Results (1)
File: ../../src/Pulumi-vulnerable.yaml +Line 157
Expected: Attribute 'ebsOptimized' should be defined and set to true +Found: Attribute 'ebsOptimized' is not defined
156 type: aws:ec2:Instance
157 properties:
158 ami: ami-0c55b159cbfafe1f0

KICS is open and will always stay such. Both the scanning engine and the security queries are clear and open for the software development community.
Spread the love:
\ No newline at end of file diff --git a/labs/lab6/analysis/kics-pulumi-report.txt b/labs/lab6/analysis/kics-pulumi-report.txt new file mode 100644 index 00000000..1d65c05e --- /dev/null +++ b/labs/lab6/analysis/kics-pulumi-report.txt 
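Review bot: kics-pulumi-report.html is committed with `new file mode 100755` (see its file header above), and the kics-pulumi-results.json header below uses the same mode; a scan report is data, not a script, so clear the executable bit (`chmod -x`) before committing. The HTML is also a third rendering of the same six findings already committed as kics-pulumi-report.txt and kics-pulumi-results.json, with the scan start and end times baked into the page, so every rescan will churn all three files; keep the JSON as the canonical artifact and at most one human-readable copy.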
@@ -0,0 +1,54 @@ +38;2;34;187;51m + + + MLLLLLM MLLLLLLLLL LLLLLLL KLLLLLLLLLLLLLLLL LLLLLLLLLLLLLLLLLLLLLLL + MMMMMMM MMMMMMMMMML MMMMMMMK LMMMMMMMMMMMMMMMMMMMML KLMMMMMMMMMMMMMMMMMMMMMMMMM + MMMMMMM MMMMMMMMML MMMMMMMK LMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMM + MMMMMMM MMMMMMMMMML MMMMMMMK LMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM + MMMMMMM LMMMMMMMMML MMMMMMMK LMMMMMMMMMLLMLLLLLLLLLLLLLL LMMMMMMMLLLLLLLLLLLLLLLLLLLLM + MMMMMMM MMMMMMMMMLM MMMMMMMK LMMMMMMMM LMMMMMML + MMMMMMMLMMMMMMMML MMMMMMMK MMMMMMML LMMMMMMMMLLLLLLLLLLLLLMLL + MMMMMMMMMMMMMMMM MMMMMMMK MMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMML + MMMMMMMMMMMMMMMMMM MMMMMMMK MMMMMMM LMMMMMMMMMMMMMMMMMMMMMMMML + MMMMMMM KLMMMMMMMMML MMMMMMMK LMMMMMMM MMMMMMMML + MMMMMMM LMMMMMMMMMM MMMMMMMK LMMMMMMMMLL MMMMMMML + MMMMMMM LMMMMMMMMMLL MMMMMMMK LMMMMMMMMMMMMMMMMMMMMMMMMML LLLLLLLLLLLLLLLLLLLLMMMMMMMMMM + MMMMMMM MMMMMMMMMMML MMMMMMMK MMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM + MMMMMMM LLMMMMMMMMML MMMMMMMK LLMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMML + MMMMMMM MMMMMMMMMML MMMMMMMK KLMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMLK + + + +0m +Scanning with Keeping Infrastructure as Code Secure v2.1.14 + + + +Preparing Scan Assets: Done + + + + + + +EC2 Not EBS Optimized, Severity: INFO, Results: 1 + [1]: ../../src/Pulumi-vulnerable.yaml:157 +DynamoDB Table Point In Time Recovery Disabled, Severity: INFO, Results: 1 + [1]: ../../src/Pulumi-vulnerable.yaml:213 +RDS DB Instance Publicly Accessible, Severity: MEDIUM, Results: 1 + [1]: ../../src/Pulumi-vulnerable.yaml:104 +EC2 Instance Monitoring Disabled, Severity: MEDIUM, Results: 1 + [1]: ../../src/Pulumi-vulnerable.yaml:157 +Passwords And Secrets - Generic Password, Severity: HIGH, Results: 1 + [1]: ../../src/Pulumi-vulnerable.yaml:16 +DynamoDB Table Not Encrypted, Severity: HIGH, Results: 1 + [1]: ../../src/Pulumi-vulnerable.yaml:205 + +Results Summary: +CRITICAL: 0 +HIGH: 2 +MEDIUM: 2 +LOW: 0 +INFO: 2 +TOTAL: 6 + 
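Review bot: this text report was captured with terminal colour enabled, so the committed file starts with the raw escape fragments `38;2;34;187;51m` and `0m` around the ASCII banner; re-run KICS with `--no-color` (and `--minimal-ui` to drop the banner) so the artifact is plain text and diffs cleanly on the next scan. The findings themselves agree with the JSON (2 HIGH, 2 MEDIUM, 2 INFO, 6 total), so nothing else needs to change here.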
diff --git a/labs/lab6/analysis/kics-pulumi-results.json b/labs/lab6/analysis/kics-pulumi-results.json new file mode 100755 index 00000000..1760e0f0 --- /dev/null +++ b/labs/lab6/analysis/kics-pulumi-results.json 
@@ -0,0 +1,196 @@ +{ + "kics_version": "v2.1.14", + "files_scanned": 1, + "lines_scanned": 280, + "files_parsed": 1, + "lines_parsed": 261, + "lines_ignored": 19, + "files_failed_to_scan": 0, + "queries_total": 21, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 2, + "INFO": 2, + "LOW": 0, + "MEDIUM": 2, + "TRACE": 0 + }, + "total_counter": 6, + "total_bom_resources": 0, + "start": "2025-10-06T09:44:28.933934962Z", + "end": "2025-10-06T09:44:29.172002087Z", + "paths": [ + "/src" + ], + "queries": [ + { + "query_name": "DynamoDB Table Not Encrypted", + "query_id": "b6a7e0ae-aed8-4a19-a993-a95760bf8836", + "query_url": "https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#serversideencryption_yaml", + "severity": "HIGH", + "platform": "Pulumi", + "cwe": "311", + "cloud_provider": "AWS", + "category": "Encryption", + "experimental": false, + "description": "AWS DynamoDB Tables should have serverSideEncryption enabled", + "description_id": "fb6a0c51", + "files": [ + { + "file_name": "../../src/Pulumi-vulnerable.yaml", + "similarity_id": "15376a569938e2989eb0e9db7ff05213e04607ad547e550bbc579aaa5f64e8ce", + "line": 205, + "resource_type": "aws:dynamodb:Table", + "resource_name": "Unencrypted Table", + "issue_type": "MissingAttribute", + "search_key": "resources[unencryptedTable].properties", + "search_line": 205, + "search_value": "", + "expected_value": "Attribute 'serverSideEncryption' should be defined", + "actual_value": "Attribute 'serverSideEncryption' is not defined" + } + ] + }, + { + "query_name": "Passwords And Secrets - Generic Password", + "query_id": "487f4be7-3fd9-4506-a07a-eae252180c08", + "query_url": "https://docs.kics.io/latest/secrets/", + "severity": "HIGH", + "platform": "Common", + "cwe": "798", + "cloud_provider": "COMMON", + "category": "Secret Management", + "experimental": false, + "description": "Query to find passwords 
and secrets in infrastructure code.", + "description_id": "d69d8a89", + "files": [ + { + "file_name": "../../src/Pulumi-vulnerable.yaml", + "similarity_id": "1d73d5dae3d1a4824830f1a423473d36b79973a15ca9d23f1348c3dc8a30c7e4", + "line": 16, + "issue_type": "RedundantAttribute", + "search_key": "", + "search_line": 0, + "search_value": "", + "expected_value": "Hardcoded secret key should not appear in source", + "actual_value": "Hardcoded secret key appears in source" + } + ] + }, + { + "query_name": "EC2 Instance Monitoring Disabled", + "query_id": "daa581ef-731c-4121-832d-cf078f67759d", + "query_url": "https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#monitoring_yaml", + "severity": "MEDIUM", + "platform": "Pulumi", + "cwe": "778", + "cloud_provider": "AWS", + "category": "Observability", + "experimental": false, + "description": "EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods", + "description_id": "7f96d3ac", + "files": [ + { + "file_name": "../../src/Pulumi-vulnerable.yaml", + "similarity_id": "4d692568cdae89e9d5e0ebef040401e6b922b9ac9a51a09554ba9629b730ad7c", + "line": 157, + "resource_type": "aws:ec2:Instance", + "resource_name": "Unencrypted Instance", + "issue_type": "MissingAttribute", + "search_key": "resources[unencryptedInstance].properties", + "search_line": 157, + "search_value": "", + "expected_value": "Attribute 'monitoring' should be defined and set to true", + "actual_value": "Attribute 'monitoring' is not defined" + } + ] + }, + { + "query_name": "RDS DB Instance Publicly Accessible", + "query_id": "647de8aa-5a42-41b5-9faf-22136f117380", + "query_url": "https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/#publiclyaccessible_yaml", + "severity": "MEDIUM", + "platform": "Pulumi", + "cwe": "284", + "cloud_provider": "AWS", + "category": "Insecure Configurations", + "experimental": false, + "description": "RDS must not be defined with public 
interface, which means the attribute 'PubliclyAccessible' must be set to false.", + "description_id": "be6d13f0", + "files": [ + { + "file_name": "../../src/Pulumi-vulnerable.yaml", + "similarity_id": "d5a823d6c65082cd99457a40fbabdf497078bce057628d51e5ec141537ee5d53", + "line": 104, + "resource_type": "aws:rds:Instance", + "resource_name": "unencryptedDb", + "issue_type": "IncorrectValue", + "search_key": "resources[unencryptedDb].properties.publiclyAccessible", + "search_line": 104, + "search_value": "", + "expected_value": "'resources.unencryptedDb.properties.publiclyAccessible' should be set to 'false'", + "actual_value": "'resources.unencryptedDb.properties.publiclyAccessible' is set to 'true'" + } + ] + }, + { + "query_name": "DynamoDB Table Point In Time Recovery Disabled", + "query_id": "327b0729-4c5c-4c44-8b5c-e476cd9c7290", + "query_url": "https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#pointintimerecovery_yaml", + "severity": "INFO", + "platform": "Pulumi", + "cwe": "459", + "cloud_provider": "AWS", + "category": "Best Practices", + "experimental": false, + "description": "It's considered a best practice to have point in time recovery enabled for DynamoDB Table", + "description_id": "6ff56c6e", + "files": [ + { + "file_name": "../../src/Pulumi-vulnerable.yaml", + "similarity_id": "7b5c72142600d0995c06ae3634f4776b5565be2c0323d509b9b51e9d915b03e8", + "line": 213, + "resource_type": "aws:dynamodb:Table", + "resource_name": "Unencrypted Table", + "issue_type": "IncorrectValue", + "search_key": "resources[unencryptedTable].properties.pointInTimeRecovery.enabled", + "search_line": 213, + "search_value": "", + "expected_value": "Attribute 'enabled' in 'pointInTimeRecovery' should be set to true", + "actual_value": "Attribute 'enabled' in 'pointInTimeRecovery' is set to false" + } + ] + }, + { + "query_name": "EC2 Not EBS Optimized", + "query_id": "d991e4ae-42ab-429b-ab43-d5e5fa9ca633", + "query_url": 
"https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#ebsoptimized_yaml", + "severity": "INFO", + "platform": "Pulumi", + "cwe": "459", + "cloud_provider": "AWS", + "category": "Best Practices", + "experimental": false, + "description": "It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance", + "description_id": "81a001dd", + "files": [ + { + "file_name": "../../src/Pulumi-vulnerable.yaml", + "similarity_id": "9d46c3011c910cf43e7d99575a291f05b1b4f701f62e99c132837e16f7ee27a4", + "line": 157, + "resource_type": "aws:ec2:Instance", + "resource_name": "unencryptedInstance", + "issue_type": "MissingAttribute", + "search_key": "resources[unencryptedInstance].properties", + "search_line": 157, + "search_value": "", + "expected_value": "Attribute 'ebsOptimized' should be defined and set to true", + "actual_value": "Attribute 'ebsOptimized' is not defined" + } + ] + } + ] +} diff --git a/labs/lab6/analysis/pulumi-analysis.txt b/labs/lab6/analysis/pulumi-analysis.txt new file mode 100644 index 00000000..da2815a8 --- /dev/null +++ b/labs/lab6/analysis/pulumi-analysis.txt @@ -0,0 +1,5 @@ +=== Pulumi Security Analysis (KICS) === +KICS Pulumi findings: 6 + HIGH severity: 2 + MEDIUM severity: 2 + LOW severity: 0 diff --git a/labs/lab6/analysis/terraform-comparison.txt b/labs/lab6/analysis/terraform-comparison.txt new file mode 100644 index 00000000..7d2f4695 --- /dev/null +++ b/labs/lab6/analysis/terraform-comparison.txt @@ -0,0 +1,4 @@ +=== Terraform Security Analysis === +tfsec findings: 53 +Checkov findings: 78 +Terrascan findings: 22 diff --git a/labs/lab6/analysis/terrascan-report.txt b/labs/lab6/analysis/terrascan-report.txt new file mode 100644 index 00000000..aacc1b9b --- /dev/null +++ b/labs/lab6/analysis/terrascan-report.txt 
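Review bot: pulumi-analysis.txt (the 5-line hunk at the end of this line) states `KICS Pulumi findings: 6` but lists only `HIGH severity: 2`, `MEDIUM severity: 2` and `LOW severity: 0`, which sum to 4; the missing two are the INFO results (`DynamoDB Table Point In Time Recovery Disabled` and `EC2 Not EBS Optimized`) that kics-pulumi-results.json reports under `severity_counters` as `"INFO": 2`. Add an INFO line, or say that the total includes INFO, so the summary is internally consistent. The same caveat applies to terraform-comparison.txt: `tfsec findings: 53`, `Checkov findings: 78` and `Terrascan findings: 22` are not comparable as raw totals, because the tools count differently (tfsec reports the same check ID once per offending line, for example `aws-ec2-no-public-ingress-sgr` on Results #2, #4, #5, #7 and #8; terrascan's 22 violations come from 18 distinct rule IDs, four of which fire on both `unencrypted_db` and `weak_db`) and they disagree on severity for the same misconfiguration (a publicly accessible RDS instance is MEDIUM in KICS, HIGH in terrascan and CRITICAL in tfsec). A per-tool breakdown by unique rule and normalised severity would make the comparison meaningful.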
@@ -0,0 +1,216 @@ + + + +Violation Details - + + Description : Ensure Point In Time Recovery is enabled for DynamoDB Tables + File : database.tf + Module Name : root + Plan Root : ./ + Line : 72 + Severity : MEDIUM + + ----------------------------------------------------------------------- + + Description : Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion + File : main.tf + Module Name : root + Plan Root : ./ + Line : 13 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Ensure S3 buckets do not have, a both public ACL on the bucket and a public access block. + File : main.tf + Module Name : root + Plan Root : ./ + Line : 13 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : RDS Instance Auto Minor Version Upgrade flag disabled + File : database.tf + Module Name : root + Plan Root : ./ + Line : 40 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : RDS Instance publicly_accessible flag is true + File : database.tf + Module Name : root + Plan Root : ./ + Line : 5 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Security Groups - Unrestricted Specific Ports - (SSH,22) + File : security_groups.tf + Module Name : root + Plan Root : ./ + Line : 31 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Ensure IAM policies are attached only to groups or roles + File : iam.tf + Module Name : root + Plan Root : ./ + Line : 67 + Severity : MEDIUM + + ----------------------------------------------------------------------- + + Description : Ensure CloudWatch logging is enabled for AWS DB instances + File : database.tf + Module Name : root + Plan Root : ./ + Line : 5 + Severity : MEDIUM + + 
----------------------------------------------------------------------- + + Description : Ensure CloudWatch logging is enabled for AWS DB instances + File : database.tf + Module Name : root + Plan Root : ./ + Line : 40 + Severity : MEDIUM + + ----------------------------------------------------------------------- + + Description : Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and description of data transparently with minimal impact on performance. + File : database.tf + Module Name : root + Plan Root : ./ + Line : 5 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Ensure DynamoDb is encrypted at rest + File : database.tf + Module Name : root + Plan Root : ./ + Line : 72 + Severity : MEDIUM + + ----------------------------------------------------------------------- + + Description : Security Groups - Unrestricted Specific Ports - Postgres SQL (TCP,5432) + File : security_groups.tf + Module Name : root + Plan Root : ./ + Line : 65 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Security Groups - Unrestricted Specific Ports - MySQL (TCP,3306) + File : security_groups.tf + Module Name : root + Plan Root : ./ + Line : 65 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Ensure automated backups are enabled for AWS RDS instances + File : database.tf + Module Name : root + Plan Root : ./ + Line : 5 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Ensure automated backups are enabled for AWS RDS instances + File : database.tf + Module Name : root + Plan Root : ./ + Line : 40 + Severity : HIGH + + 
----------------------------------------------------------------------- + + Description : Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites + File : main.tf + Module Name : root + Plan Root : ./ + Line : 13 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites + File : main.tf + Module Name : root + Plan Root : ./ + Line : 24 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Ensure that your RDS database has IAM Authentication enabled. + File : database.tf + Module Name : root + Plan Root : ./ + Line : 5 + Severity : MEDIUM + + ----------------------------------------------------------------------- + + Description : Ensure that your RDS database has IAM Authentication enabled. + File : database.tf + Module Name : root + Plan Root : ./ + Line : 40 + Severity : MEDIUM + + ----------------------------------------------------------------------- + + Description : Ensure that there are no exposed Amazon IAM access keys in order to protect your AWS resources against unapproved access + File : iam.tf + Module Name : root + Plan Root : ./ + Line : 88 + Severity : MEDIUM + + ----------------------------------------------------------------------- + + Description : Ensure no security groups is wide open to public, that is, allows traffic from 0.0.0.0/0 to ALL ports and protocols + File : security_groups.tf + Module Name : root + Plan Root : ./ + Line : 5 + Severity : HIGH + + ----------------------------------------------------------------------- + + Description : Security Groups - Unrestricted Specific Ports - remote desktop port (TCP,3389) + File : security_groups.tf + Module Name : root + Plan Root : ./ + Line : 31 + Severity : HIGH + + 
----------------------------------------------------------------------- + + +Scan Summary - + + File/Folder : /iac + IaC Type : terraform + Scanned At : 2025-10-06 09:42:46.031826304 +0000 UTC + Policies Validated : 167 + Violated Policies : 22 + Low : 0 + Medium : 8 + High : 14 + + diff --git a/labs/lab6/analysis/terrascan-results.json b/labs/lab6/analysis/terrascan-results.json new file mode 100644 index 00000000..84e98837 --- /dev/null +++ b/labs/lab6/analysis/terrascan-results.json 
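Review bot: the `Scanned At` in this human-readable report (`2025-10-06 09:42:46`) does not match `scanned_at` in terrascan-results.json in the next hunk (`2025-10-06 09:27:43`), so the two artifacts come from different runs fifteen minutes apart; the counts happen to agree (22 violated, 14 high, 8 medium), but the pair should be regenerated from a single invocation (terrascan's `-o json` and `-o human` against the same tree) so they are guaranteed to describe the same state. This format also omits the rule IDs (`AC_AWS_0054` and so on) that the JSON carries, so any cross-tool mapping in the write-up should be built from the JSON rather than from this file.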
@@ -0,0 +1,303 @@ +{ + "results": { + "violations": [ + { + "rule_name": "programmaticAccessCreation", + "description": "Ensure that there are no exposed Amazon IAM access keys in order to protect your AWS resources against unapproved access", + "rule_id": "AC_AWS_0133", + "severity": "MEDIUM", + "category": "Identity and Access Management", + "resource_name": "service_key", + "resource_type": "aws_iam_access_key", + "module_name": "root", + "file": "iam.tf", + "plan_root": "./", + "line": 88 + }, + { + "rule_name": "s3Versioning", + "description": "Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites", + "rule_id": "AC_AWS_0214", + "severity": "HIGH", + "category": "Resilience", + "resource_name": "public_data", + "resource_type": "aws_s3_bucket", + "module_name": "root", + "file": "main.tf", + "plan_root": "./", + "line": 13 + }, + { + "rule_name": "s3Versioning", + "description": "Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites", + "rule_id": "AC_AWS_0214", + "severity": "HIGH", + "category": "Resilience", + "resource_name": "unencrypted_data", + "resource_type": "aws_s3_bucket", + "module_name": "root", + "file": "main.tf", + "plan_root": "./", + "line": 24 + }, + { + "rule_name": "dynamoderecovery_enabled", + "description": "Ensure Point In Time Recovery is enabled for DynamoDB Tables", + "rule_id": "AC_AWS_0458", + "severity": "MEDIUM", + "category": "Resilience", + "resource_name": "unencrypted_table", + "resource_type": "aws_dynamodb_table", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 72 + }, + { + "rule_name": "dynamoDbEncrypted", + "description": "Ensure DynamoDb is encrypted at rest", + "rule_id": "AC_AWS_0457", + "severity": "MEDIUM", + "category": "Data Protection", + "resource_name": "unencrypted_table", + "resource_type": "aws_dynamodb_table", + "module_name": "root", + "file": "database.tf", 
+ "plan_root": "./", + "line": 72 + }, + { + "rule_name": "rdsHasStorageEncrypted", + "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and description of data transparently with minimal impact on performance.", + "rule_id": "AC_AWS_0058", + "severity": "HIGH", + "category": "Data Protection", + "resource_name": "unencrypted_db", + "resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 5 + }, + { + "rule_name": "port22OpenToInternet", + "description": "Security Groups - Unrestricted Specific Ports - (SSH,22)", + "rule_id": "AC_AWS_0227", + "severity": "HIGH", + "category": "Infrastructure Security", + "resource_name": "ssh_open", + "resource_type": "aws_security_group", + "module_name": "root", + "file": "security_groups.tf", + "plan_root": "./", + "line": 31 + }, + { + "rule_name": "port3306AlbNetworkPortSecurity", + "description": "Security Groups - Unrestricted Specific Ports - MySQL (TCP,3306)", + "rule_id": "AC_AWS_0253", + "severity": "HIGH", + "category": "Infrastructure Security", + "resource_name": "database_exposed", + "resource_type": "aws_security_group", + "module_name": "root", + "file": "security_groups.tf", + "plan_root": "./", + "line": 65 + }, + { + "rule_name": "rdsLogExportDisabled", + "description": "Ensure CloudWatch logging is enabled for AWS DB instances", + "rule_id": "AC_AWS_0454", + "severity": "MEDIUM", + "category": "Logging and Monitoring", + "resource_name": "unencrypted_db", + "resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 5 + }, + { + "rule_name": "rdsLogExportDisabled", + "description": "Ensure CloudWatch logging is enabled for AWS DB instances", + "rule_id": 
"AC_AWS_0454", + "severity": "MEDIUM", + "category": "Logging and Monitoring", + "resource_name": "weak_db", + "resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 40 + }, + { + "rule_name": "port3389OpenToInternet", + "description": "Security Groups - Unrestricted Specific Ports - remote desktop port (TCP,3389)", + "rule_id": "AC_AWS_0230", + "severity": "HIGH", + "category": "Infrastructure Security", + "resource_name": "ssh_open", + "resource_type": "aws_security_group", + "module_name": "root", + "file": "security_groups.tf", + "plan_root": "./", + "line": 31 + }, + { + "rule_name": "iamUserInlinePolicy", + "description": "Ensure IAM policies are attached only to groups or roles", + "rule_id": "AC_AWS_0475", + "severity": "MEDIUM", + "category": "Identity and Access Management", + "resource_name": "service_policy", + "resource_type": "aws_iam_user_policy", + "module_name": "root", + "file": "iam.tf", + "plan_root": "./", + "line": 67 + }, + { + "rule_name": "rdsPubliclyAccessible", + "description": "RDS Instance publicly_accessible flag is true", + "rule_id": "AC_AWS_0054", + "severity": "HIGH", + "category": "Infrastructure Security", + "resource_name": "unencrypted_db", + "resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 5 + }, + { + "rule_name": "rdsIamAuthEnabled", + "description": "Ensure that your RDS database has IAM Authentication enabled.", + "rule_id": "AC_AWS_0053", + "severity": "MEDIUM", + "category": "Data Protection", + "resource_name": "unencrypted_db", + "resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 5 + }, + { + "rule_name": "rdsIamAuthEnabled", + "description": "Ensure that your RDS database has IAM Authentication enabled.", + "rule_id": "AC_AWS_0053", + "severity": "MEDIUM", + "category": "Data Protection", + "resource_name": "weak_db", + 
"resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 40 + }, + { + "rule_name": "port5432AlbNetworkPortSecurity", + "description": "Security Groups - Unrestricted Specific Ports - Postgres SQL (TCP,5432)", + "rule_id": "AC_AWS_0262", + "severity": "HIGH", + "category": "Infrastructure Security", + "resource_name": "database_exposed", + "resource_type": "aws_security_group", + "module_name": "root", + "file": "security_groups.tf", + "plan_root": "./", + "line": 65 + }, + { + "rule_name": "allUsersReadAccess", + "description": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion", + "rule_id": "AC_AWS_0210", + "severity": "HIGH", + "category": "Identity and Access Management", + "resource_name": "public_data", + "resource_type": "aws_s3_bucket", + "module_name": "root", + "file": "main.tf", + "plan_root": "./", + "line": 13 + }, + { + "rule_name": "portWideOpenToPublic", + "description": "Ensure no security groups is wide open to public, that is, allows traffic from 0.0.0.0/0 to ALL ports and protocols", + "rule_id": "AC_AWS_0275", + "severity": "HIGH", + "category": "Infrastructure Security", + "resource_name": "allow_all", + "resource_type": "aws_security_group", + "module_name": "root", + "file": "security_groups.tf", + "plan_root": "./", + "line": 5 + }, + { + "rule_name": "rdsBackupDisabled", + "description": "Ensure automated backups are enabled for AWS RDS instances", + "rule_id": "AC_AWS_0052", + "severity": "HIGH", + "category": "Data Protection", + "resource_name": "unencrypted_db", + "resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 5 + }, + { + "rule_name": "rdsBackupDisabled", + "description": "Ensure automated backups are enabled for AWS RDS instances", + "rule_id": "AC_AWS_0052", + "severity": "HIGH", + "category": "Data Protection", + "resource_name": 
"weak_db", + "resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 40 + }, + { + "rule_name": "rdsAutoMinorVersionUpgradeEnabled", + "description": "RDS Instance Auto Minor Version Upgrade flag disabled", + "rule_id": "AC_AWS_0056", + "severity": "HIGH", + "category": "Data Protection", + "resource_name": "weak_db", + "resource_type": "aws_db_instance", + "module_name": "root", + "file": "database.tf", + "plan_root": "./", + "line": 40 + }, + { + "rule_name": "s3PublicAclNoAccessBlock", + "description": "Ensure S3 buckets do not have, a both public ACL on the bucket and a public access block.", + "rule_id": "AC_AWS_0496", + "severity": "HIGH", + "category": "Identity and Access Management", + "resource_name": "public_data", + "resource_type": "aws_s3_bucket", + "module_name": "root", + "file": "main.tf", + "plan_root": "./", + "line": 13 + } + ], + "skipped_violations": null, + "scan_summary": { + "file/folder": "/iac", + "iac_type": "terraform", + "scanned_at": "2025-10-06 09:27:43.382652293 +0000 UTC", + "policies_validated": 167, + "violated_policies": 22, + "low": 0, + "medium": 8, + "high": 14 + } + } +} diff --git a/labs/lab6/analysis/tfsec-report.txt b/labs/lab6/analysis/tfsec-report.txt new file mode 100644 index 00000000..f3e6200b --- /dev/null +++ b/labs/lab6/analysis/tfsec-report.txt 
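Review bot: `violated_policies: 22` in `scan_summary` counts rule-resource pairs, not rules: the 22 entries above collapse to 18 distinct `rule_id` values, with `AC_AWS_0214` (S3 versioning), `AC_AWS_0454` (RDS log export), `AC_AWS_0053` (RDS IAM auth) and `AC_AWS_0052` (RDS backups) each listed twice because they fire on both `public_data`/`unencrypted_data` or both `unencrypted_db`/`weak_db`. When this number is carried into terraform-comparison.txt it should be labelled as violations rather than rules. Separately, `"file/folder": "/iac"` here and `"paths": ["/src"]` in the KICS results show the scans were run against container mount points rather than repository paths; the exact invocation (image, tag, mounts) is not recorded in these artifacts, so if the submission write-up does not already state it, add it so the numbers can be reproduced.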
@@ -0,0 +1,1099 @@ + +Result #1 CRITICAL Instance is exposed publicly. +──────────────────────────────────────────────────────────────────────────────── + database.tf:17 +──────────────────────────────────────────────────────────────────────────────── + 5 resource "aws_db_instance" "unencrypted_db" { + . + 17 [ publicly_accessible = true # SECURITY ISSUE #10 - Public access! (true) + .. + 37 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-rds-no-public-db-access + Impact The database instance is publicly accessible + Resolution Set the database to not be publicly accessible + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/no-public-db-access/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance +──────────────────────────────────────────────────────────────────────────────── + + +Result #2 CRITICAL Security group rule allows ingress from public internet. +──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:15 +──────────────────────────────────────────────────────────────────────────────── + 5 resource "aws_security_group" "allow_all" { + . + 15 [ cidr_blocks = ["0.0.0.0/0"] # From anywhere! + .. + 28 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-no-public-ingress-sgr + Impact Your port exposed to the internet + Resolution Set a more restrictive cidr range + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks +──────────────────────────────────────────────────────────────────────────────── + + +Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses. 
+──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:22 +──────────────────────────────────────────────────────────────────────────────── + 5 resource "aws_security_group" "allow_all" { + . + 22 [ cidr_blocks = ["0.0.0.0/0"] + .. + 28 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-no-public-egress-sgr + Impact Your port is egressing data to the internet + Resolution Set a more restrictive cidr range + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-egress-sgr/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group +──────────────────────────────────────────────────────────────────────────────── + + +Result #4 CRITICAL Security group rule allows ingress from public internet. +──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:41 +──────────────────────────────────────────────────────────────────────────────── + 31 resource "aws_security_group" "ssh_open" { + .. + 41 [ cidr_blocks = ["0.0.0.0/0"] # SSH from anywhere! + .. + 62 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-no-public-ingress-sgr + Impact Your port exposed to the internet + Resolution Set a more restrictive cidr range + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks +──────────────────────────────────────────────────────────────────────────────── + + +Result #5 CRITICAL Security group rule allows ingress from public internet. 
+──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:49 +──────────────────────────────────────────────────────────────────────────────── + 31 resource "aws_security_group" "ssh_open" { + .. + 49 [ cidr_blocks = ["0.0.0.0/0"] # RDP from anywhere! + .. + 62 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-no-public-ingress-sgr + Impact Your port exposed to the internet + Resolution Set a more restrictive cidr range + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks +──────────────────────────────────────────────────────────────────────────────── + + +Result #6 CRITICAL Security group rule allows egress to multiple public internet addresses. +──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:56 +──────────────────────────────────────────────────────────────────────────────── + 31 resource "aws_security_group" "ssh_open" { + .. + 56 [ cidr_blocks = ["0.0.0.0/0"] + .. + 62 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-no-public-egress-sgr + Impact Your port is egressing data to the internet + Resolution Set a more restrictive cidr range + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-egress-sgr/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group +──────────────────────────────────────────────────────────────────────────────── + + +Result #7 CRITICAL Security group rule allows ingress from public internet. 
+──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:75 +──────────────────────────────────────────────────────────────────────────────── + 65 resource "aws_security_group" "database_exposed" { + .. + 75 [ cidr_blocks = ["0.0.0.0/0"] # Database exposed! + .. + 92 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-no-public-ingress-sgr + Impact Your port exposed to the internet + Resolution Set a more restrictive cidr range + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks +──────────────────────────────────────────────────────────────────────────────── + + +Result #8 CRITICAL Security group rule allows ingress from public internet. +──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:83 +──────────────────────────────────────────────────────────────────────────────── + 65 resource "aws_security_group" "database_exposed" { + .. + 83 [ cidr_blocks = ["0.0.0.0/0"] # Database exposed! + .. + 92 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-no-public-ingress-sgr + Impact Your port exposed to the internet + Resolution Set a more restrictive cidr range + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks +──────────────────────────────────────────────────────────────────────────────── + + +Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
+──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:90 +──────────────────────────────────────────────────────────────────────────────── + 65 resource "aws_security_group" "database_exposed" { + .. + 90 [ cidr_blocks = ["0.0.0.0/0"] + .. + 92 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-no-public-egress-sgr + Impact Your port is egressing data to the internet + Resolution Set a more restrictive cidr range + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-egress-sgr/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group +──────────────────────────────────────────────────────────────────────────────── + + +Result #10 HIGH Instance does not have storage encryption enabled. +──────────────────────────────────────────────────────────────────────────────── + database.tf:15 +──────────────────────────────────────────────────────────────────────────────── + 5 resource "aws_db_instance" "unencrypted_db" { + . + 15 [ storage_encrypted = false # No encryption! (false) + .. 
+ 37 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-rds-encrypt-instance-storage-data + Impact Data can be read from RDS instances if compromised + Resolution Enable encryption for RDS instances + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/encrypt-instance-storage-data/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance +──────────────────────────────────────────────────────────────────────────────── + + +Result #11 HIGH Instance has Public Access enabled +──────────────────────────────────────────────────────────────────────────────── + database.tf:17 +──────────────────────────────────────────────────────────────────────────────── + 17 publicly_accessible = true # SECURITY ISSUE #10 - Public access! +──────────────────────────────────────────────────────────────────────────────── + Rego Package builtin.aws.rds.aws0180 + Rego Rule deny +──────────────────────────────────────────────────────────────────────────────── + + +Result #12 HIGH Table encryption is not enabled. +──────────────────────────────────────────────────────────────────────────────── + database.tf:72-92 +──────────────────────────────────────────────────────────────────────────────── + 72 ┌ resource "aws_dynamodb_table" "unencrypted_table" { + 73 │ name = "my-table" + 74 │ billing_mode = "PAY_PER_REQUEST" + 75 │ hash_key = "id" + 76 │ + 77 │ attribute { + 78 │ name = "id" + 79 │ type = "S" + 80 └ } + .. 
+──────────────────────────────────────────────────────────────────────────────── + ID aws-dynamodb-enable-at-rest-encryption + Impact Data can be freely read if compromised + Resolution Enable encryption at rest for DAX Cluster + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/dynamodb/enable-at-rest-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#server_side_encryption +──────────────────────────────────────────────────────────────────────────────── + + +Result #13 HIGH IAM policy document uses sensitive action 'iam:CreatePolicy' on wildcarded resource '*' +──────────────────────────────────────────────────────────────────────────────── + iam.tf:109 +──────────────────────────────────────────────────────────────────────────────── + 104 resource "aws_iam_policy" "privilege_escalation" { + ... + 109 [ Version = "2012-10-17" + ... + 125 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-iam-no-policy-wildcards + Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +──────────────────────────────────────────────────────────────────────────────── + + +Results #14-15 HIGH IAM policy document uses wildcarded action '*' (2 similar results) +──────────────────────────────────────────────────────────────────────────────── + iam.tf:10 +──────────────────────────────────────────────────────────────────────────────── + 5 resource "aws_iam_policy" "admin_policy" { + . + 10 [ Version = "2012-10-17" + .. 
+ 19 } +──────────────────────────────────────────────────────────────────────────────── + Individual Causes + - iam.tf:5-19 (aws_iam_policy.admin_policy) 2 instances +──────────────────────────────────────────────────────────────────────────────── + ID aws-iam-no-policy-wildcards + Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +──────────────────────────────────────────────────────────────────────────────── + + +Results #16-17 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '*' (2 similar results) +──────────────────────────────────────────────────────────────────────────────── + iam.tf:44 +──────────────────────────────────────────────────────────────────────────────── + 39 resource "aws_iam_role_policy" "s3_full_access" { + .. + 44 [ Version = "2012-10-17" + .. + 55 } +──────────────────────────────────────────────────────────────────────────────── + Individual Causes + - iam.tf:39-55 (aws_iam_role_policy.s3_full_access) 2 instances +──────────────────────────────────────────────────────────────────────────────── + ID aws-iam-no-policy-wildcards + Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. 
+ + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +──────────────────────────────────────────────────────────────────────────────── + + +Results #18-21 HIGH IAM policy document uses wildcarded action 'ec2:*' (4 similar results) +──────────────────────────────────────────────────────────────────────────────── + iam.tf:72 +──────────────────────────────────────────────────────────────────────────────── + 67 resource "aws_iam_user_policy" "service_policy" { + .. + 72 [ Version = "2012-10-17" + .. + 85 } +──────────────────────────────────────────────────────────────────────────────── + Individual Causes + - iam.tf:67-85 (aws_iam_user_policy.service_policy) 4 instances +──────────────────────────────────────────────────────────────────────────────── + ID aws-iam-no-policy-wildcards + Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +──────────────────────────────────────────────────────────────────────────────── + + +Result #22 HIGH Bucket does not have encryption enabled +──────────────────────────────────────────────────────────────────────────────── + main.tf:13-21 +──────────────────────────────────────────────────────────────────────────────── + 13 resource "aws_s3_bucket" "public_data" { + 14 bucket = "my-public-bucket-lab6" + 15 acl = "public-read" # Public access enabled! 
+ 16 + 17 tags = { + 18 Name = "Public Data Bucket" + 19 # Missing required tags: Environment, Owner, CostCenter + 20 } + 21 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-enable-bucket-encryption + Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +──────────────────────────────────────────────────────────────────────────────── + + +Result #23 HIGH Bucket does not encrypt data with a customer managed key. +──────────────────────────────────────────────────────────────────────────────── + main.tf:13-21 +──────────────────────────────────────────────────────────────────────────────── + 13 resource "aws_s3_bucket" "public_data" { + 14 bucket = "my-public-bucket-lab6" + 15 acl = "public-read" # Public access enabled! + 16 + 17 tags = { + 18 Name = "Public Data Bucket" + 19 # Missing required tags: Environment, Owner, CostCenter + 20 } + 21 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-encryption-customer-key + Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +──────────────────────────────────────────────────────────────────────────────── + + +Result #24 HIGH Bucket has a public ACL: 'public-read'. 
+──────────────────────────────────────────────────────────────────────────────── + main.tf:15 +──────────────────────────────────────────────────────────────────────────────── + 13 resource "aws_s3_bucket" "public_data" { + 14 bucket = "my-public-bucket-lab6" + 15 [ acl = "public-read" # Public access enabled! ("public-read") + 16 + 17 tags = { + 18 Name = "Public Data Bucket" + 19 # Missing required tags: Environment, Owner, CostCenter + 20 } + 21 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-no-public-access-with-acl + Impact Public access to the bucket can lead to data leakage + Resolution Don't use canned ACLs or switch to private acl + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/no-public-access-with-acl/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket +──────────────────────────────────────────────────────────────────────────────── + + +Result #25 HIGH No public access block so not blocking public acls +──────────────────────────────────────────────────────────────────────────────── + main.tf:24-33 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! 
+ 29 + 30 versioning { + 31 enabled = false # Versioning disabled + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-block-public-acls + Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +──────────────────────────────────────────────────────────────────────────────── + + +Result #26 HIGH No public access block so not blocking public policies +──────────────────────────────────────────────────────────────────────────────── + main.tf:24-33 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! 
+ 29 + 30 versioning { + 31 enabled = false # Versioning disabled + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-block-public-policy + Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +──────────────────────────────────────────────────────────────────────────────── + + +Result #27 HIGH Bucket does not have encryption enabled +──────────────────────────────────────────────────────────────────────────────── + main.tf:24-33 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! 
+ 29 + 30 versioning { + 31 enabled = false # Versioning disabled + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-enable-bucket-encryption + Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +──────────────────────────────────────────────────────────────────────────────── + + +Result #28 HIGH No public access block so not ignoring public acls +──────────────────────────────────────────────────────────────────────────────── + main.tf:24-33 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! 
+ 29 + 30 versioning { + 31 enabled = false # Versioning disabled + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-ignore-public-acls + Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls +──────────────────────────────────────────────────────────────────────────────── + + +Result #29 HIGH No public access block so not restricting public buckets +──────────────────────────────────────────────────────────────────────────────── + main.tf:24-33 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! + 29 + 30 versioning { + 31 enabled = false # Versioning disabled + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-no-public-buckets + Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡ +──────────────────────────────────────────────────────────────────────────────── + + +Result #30 HIGH Bucket does not encrypt data with a customer managed key. 
+──────────────────────────────────────────────────────────────────────────────── + main.tf:24-33 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! + 29 + 30 versioning { + 31 enabled = false # Versioning disabled + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-encryption-customer-key + Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +──────────────────────────────────────────────────────────────────────────────── + + +Result #31 HIGH Public access block does not block public ACLs +──────────────────────────────────────────────────────────────────────────────── + main.tf:39 +──────────────────────────────────────────────────────────────────────────────── + 36 resource "aws_s3_bucket_public_access_block" "bad_config" { + 37 bucket = aws_s3_bucket.public_data.id + 38 + 39 [ block_public_acls = false # Should be true (false) + 40 block_public_policy = false # Should be true + 41 ignore_public_acls = false # Should be true + 42 restrict_public_buckets = false # Should be true + 43 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-block-public-acls + Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/block-public-acls/ + - 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +──────────────────────────────────────────────────────────────────────────────── + + +Result #32 HIGH Public access block does not block public policies +──────────────────────────────────────────────────────────────────────────────── + main.tf:40 +──────────────────────────────────────────────────────────────────────────────── + 36 resource "aws_s3_bucket_public_access_block" "bad_config" { + 37 bucket = aws_s3_bucket.public_data.id + 38 + 39 block_public_acls = false # Should be true + 40 [ block_public_policy = false # Should be true (false) + 41 ignore_public_acls = false # Should be true + 42 restrict_public_buckets = false # Should be true + 43 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-block-public-policy + Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +──────────────────────────────────────────────────────────────────────────────── + + +Result #33 HIGH Public access block does not ignore public ACLs +──────────────────────────────────────────────────────────────────────────────── + main.tf:41 +──────────────────────────────────────────────────────────────────────────────── + 36 resource "aws_s3_bucket_public_access_block" "bad_config" { + 37 bucket = aws_s3_bucket.public_data.id + 38 + 39 block_public_acls = false # Should be true + 40 block_public_policy = false # Should be true + 41 [ ignore_public_acls = false # Should be true (false) + 42 restrict_public_buckets = false # Should be true + 43 } 
+──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-ignore-public-acls + Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls +──────────────────────────────────────────────────────────────────────────────── + + +Result #34 HIGH Public access block does not restrict public buckets +──────────────────────────────────────────────────────────────────────────────── + main.tf:42 +──────────────────────────────────────────────────────────────────────────────── + 36 resource "aws_s3_bucket_public_access_block" "bad_config" { + 37 bucket = aws_s3_bucket.public_data.id + 38 + 39 block_public_acls = false # Should be true + 40 block_public_policy = false # Should be true + 41 ignore_public_acls = false # Should be true + 42 [ restrict_public_buckets = false # Should be true (false) + 43 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-no-public-buckets + Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡ +──────────────────────────────────────────────────────────────────────────────── + + +Result #35 MEDIUM Instance has very low backup retention period. 
+──────────────────────────────────────────────────────────────────────────────── + database.tf:22 +──────────────────────────────────────────────────────────────────────────────── + 5 resource "aws_db_instance" "unencrypted_db" { + . + 22 [ backup_retention_period = 0 # SECURITY ISSUE #11 - No backups! (0) + .. + 37 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-rds-specify-backup-retention + Impact Potential loss of data and short opportunity for recovery + Resolution Explicitly set the retention period to greater than the default + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/specify-backup-retention/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period +──────────────────────────────────────────────────────────────────────────────── + + +Result #36 MEDIUM Instance does not have Deletion Protection enabled +──────────────────────────────────────────────────────────────────────────────── + database.tf:28 +──────────────────────────────────────────────────────────────────────────────── + 28 deletion_protection = false # SECURITY ISSUE #12 +──────────────────────────────────────────────────────────────────────────────── + Rego Package builtin.aws.rds.aws0177 + Rego Rule deny +──────────────────────────────────────────────────────────────────────────────── + + +Result #37 MEDIUM Instance has very low backup retention period. 
+──────────────────────────────────────────────────────────────────────────────── + database.tf:40-69 +──────────────────────────────────────────────────────────────────────────────── + 40 ┌ resource "aws_db_instance" "weak_db" { + 41 │ identifier = "mydb-weak" + 42 │ engine = "mysql" + 43 │ engine_version = "5.7.38" # Old version with known vulnerabilities + 44 │ instance_class = "db.t3.micro" + 45 │ allocated_storage = 20 + 46 │ + 47 │ username = "root" # Using default admin username + 48 └ password = "password123" # Weak password! + .. +──────────────────────────────────────────────────────────────────────────────── + ID aws-rds-specify-backup-retention + Impact Potential loss of data and short opportunity for recovery + Resolution Explicitly set the retention period to greater than the default + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/specify-backup-retention/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period +──────────────────────────────────────────────────────────────────────────────── + + +Result #38 MEDIUM Instance does not have IAM Authentication enabled +──────────────────────────────────────────────────────────────────────────────── + database.tf:40-69 +──────────────────────────────────────────────────────────────────────────────── + 40 ┌ resource "aws_db_instance" "weak_db" { + 41 │ identifier = "mydb-weak" + 42 │ engine = "mysql" + 43 │ engine_version = "5.7.38" # Old version with known vulnerabilities + 44 │ instance_class = "db.t3.micro" + 45 │ allocated_storage = 20 + 46 │ + 47 │ username = "root" # Using default admin username + 48 └ password = "password123" # Weak password! + .. 
+──────────────────────────────────────────────────────────────────────────────── + Rego Package builtin.aws.rds.aws0176 + Rego Rule deny +──────────────────────────────────────────────────────────────────────────────── + + +Result #39 MEDIUM Instance does not have Deletion Protection enabled +──────────────────────────────────────────────────────────────────────────────── + database.tf:40-69 +──────────────────────────────────────────────────────────────────────────────── + 40 ┌ resource "aws_db_instance" "weak_db" { + 41 │ identifier = "mydb-weak" + 42 │ engine = "mysql" + 43 │ engine_version = "5.7.38" # Old version with known vulnerabilities + 44 │ instance_class = "db.t3.micro" + 45 │ allocated_storage = 20 + 46 │ + 47 │ username = "root" # Using default admin username + 48 └ password = "password123" # Weak password! + .. +──────────────────────────────────────────────────────────────────────────────── + Rego Package builtin.aws.rds.aws0177 + Rego Rule deny +──────────────────────────────────────────────────────────────────────────────── + + +Result #40 MEDIUM Instance does not have IAM Authentication enabled +──────────────────────────────────────────────────────────────────────────────── + database.tf:5-37 +──────────────────────────────────────────────────────────────────────────────── + 5 ┌ resource "aws_db_instance" "unencrypted_db" { + 6 │ identifier = "mydb-unencrypted" + 7 │ engine = "postgres" + 8 │ engine_version = "13.7" + 9 │ instance_class = "db.t3.micro" + 10 │ allocated_storage = 20 + 11 │ + 12 │ username = "admin" + 13 └ password = "SuperSecretPassword123!" # SECURITY ISSUE #9 - Hardcoded password! + .. +──────────────────────────────────────────────────────────────────────────────── + Rego Package builtin.aws.rds.aws0176 + Rego Rule deny +──────────────────────────────────────────────────────────────────────────────── + + +Result #41 MEDIUM Point-in-time recovery is not enabled. 
+──────────────────────────────────────────────────────────────────────────────── + database.tf:86 +──────────────────────────────────────────────────────────────────────────────── + 72 resource "aws_dynamodb_table" "unencrypted_table" { + .. + 86 [ enabled = false # SECURITY ISSUE #17 (false) + .. + 92 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-dynamodb-enable-recovery + Impact Accidental or malicious writes and deletes can't be rolled back + Resolution Enable point in time recovery + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/dynamodb/enable-recovery/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery +──────────────────────────────────────────────────────────────────────────────── + + +Result #42 MEDIUM Bucket does not have logging enabled +──────────────────────────────────────────────────────────────────────────────── + main.tf:13-21 +──────────────────────────────────────────────────────────────────────────────── + 13 resource "aws_s3_bucket" "public_data" { + 14 bucket = "my-public-bucket-lab6" + 15 acl = "public-read" # Public access enabled! 
+ 16 + 17 tags = { + 18 Name = "Public Data Bucket" + 19 # Missing required tags: Environment, Owner, CostCenter + 20 } + 21 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-enable-bucket-logging + Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket +──────────────────────────────────────────────────────────────────────────────── + + +Result #43 MEDIUM Bucket does not have versioning enabled +──────────────────────────────────────────────────────────────────────────────── + main.tf:13-21 +──────────────────────────────────────────────────────────────────────────────── + 13 resource "aws_s3_bucket" "public_data" { + 14 bucket = "my-public-bucket-lab6" + 15 acl = "public-read" # Public access enabled! 
+ 16 + 17 tags = { + 18 Name = "Public Data Bucket" + 19 # Missing required tags: Environment, Owner, CostCenter + 20 } + 21 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-enable-versioning + Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning +──────────────────────────────────────────────────────────────────────────────── + + +Result #44 MEDIUM Bucket does not have logging enabled +──────────────────────────────────────────────────────────────────────────────── + main.tf:24-33 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! 
+ 29 + 30 versioning { + 31 enabled = false # Versioning disabled + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-enable-bucket-logging + Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket +──────────────────────────────────────────────────────────────────────────────── + + +Result #45 MEDIUM Bucket does not have versioning enabled +──────────────────────────────────────────────────────────────────────────────── + main.tf:31 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! + 29 + 30 versioning { + 31 [ enabled = false # Versioning disabled (false) + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-enable-versioning + Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning +──────────────────────────────────────────────────────────────────────────────── + + +Result #46 LOW Instance does not have performance insights enabled. 
+──────────────────────────────────────────────────────────────────────────────── + database.tf:5-37 +──────────────────────────────────────────────────────────────────────────────── + 5 ┌ resource "aws_db_instance" "unencrypted_db" { + 6 │ identifier = "mydb-unencrypted" + 7 │ engine = "postgres" + 8 │ engine_version = "13.7" + 9 │ instance_class = "db.t3.micro" + 10 │ allocated_storage = 20 + 11 │ + 12 │ username = "admin" + 13 └ password = "SuperSecretPassword123!" # SECURITY ISSUE #9 - Hardcoded password! + .. +──────────────────────────────────────────────────────────────────────────────── + ID aws-rds-enable-performance-insights + Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise. + Resolution Enable performance insights + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-performance-insights/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id +──────────────────────────────────────────────────────────────────────────────── + + +Result #47 LOW Instance does not have performance insights enabled. +──────────────────────────────────────────────────────────────────────────────── + database.tf:62 +──────────────────────────────────────────────────────────────────────────────── + 40 resource "aws_db_instance" "weak_db" { + .. + 62 [ performance_insights_enabled = false (false) + .. + 69 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-rds-enable-performance-insights + Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise. 
+ Resolution Enable performance insights + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-performance-insights/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id +──────────────────────────────────────────────────────────────────────────────── + + +Result #48 LOW Table encryption does not use a customer-managed KMS key. +──────────────────────────────────────────────────────────────────────────────── + database.tf:72-92 +──────────────────────────────────────────────────────────────────────────────── + 72 ┌ resource "aws_dynamodb_table" "unencrypted_table" { + 73 │ name = "my-table" + 74 │ billing_mode = "PAY_PER_REQUEST" + 75 │ hash_key = "id" + 76 │ + 77 │ attribute { + 78 │ name = "id" + 79 │ type = "S" + 80 └ } + .. +──────────────────────────────────────────────────────────────────────────────── + ID aws-dynamodb-table-customer-key + Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable server side encryption with a customer managed key + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/dynamodb/table-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption +──────────────────────────────────────────────────────────────────────────────── + + +Result #49 LOW One or more policies are attached directly to a user +──────────────────────────────────────────────────────────────────────────────── + iam.tf:58-65 +──────────────────────────────────────────────────────────────────────────────── + 58 resource "aws_iam_user" "service_account" { + 59 name = "service-account" + 60 path = "/system/" + 61 + 62 tags = { + 63 Name = "Service Account" + 64 } + 65 } 
+──────────────────────────────────────────────────────────────────────────────── + ID aws-iam-no-user-attached-policies + Impact Complex access control is difficult to manage and maintain. + Resolution Grant policies at the group level instead. + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-user-attached-policies/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user +──────────────────────────────────────────────────────────────────────────────── + + +Result #50 LOW Bucket does not have a corresponding public access block. +──────────────────────────────────────────────────────────────────────────────── + main.tf:24-33 +──────────────────────────────────────────────────────────────────────────────── + 24 resource "aws_s3_bucket" "unencrypted_data" { + 25 bucket = "my-unencrypted-bucket-lab6" + 26 acl = "private" + 27 + 28 # No server_side_encryption_configuration! + 29 + 30 versioning { + 31 enabled = false # Versioning disabled + 32 } + 33 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-s3-specify-public-access-block + Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket +──────────────────────────────────────────────────────────────────────────────── + + +Result #51 LOW Security group rule does not have a description. +──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:18-23 +──────────────────────────────────────────────────────────────────────────────── + 5 resource "aws_security_group" "allow_all" { + . 
+ 18 ┌ egress { + 19 │ from_port = 0 + 20 │ to_port = 0 + 21 │ protocol = "-1" + 22 │ cidr_blocks = ["0.0.0.0/0"] + 23 └ } + .. + 28 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-add-description-to-security-group-rule + Impact Descriptions provide context for the firewall rule reasons + Resolution Add descriptions for all security groups rules + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/add-description-to-security-group-rule/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule +──────────────────────────────────────────────────────────────────────────────── + + +Result #52 LOW Security group rule does not have a description. +──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:52-57 +──────────────────────────────────────────────────────────────────────────────── + 31 resource "aws_security_group" "ssh_open" { + .. + 52 ┌ egress { + 53 │ from_port = 0 + 54 │ to_port = 0 + 55 │ protocol = "-1" + 56 │ cidr_blocks = ["0.0.0.0/0"] + 57 └ } + .. + 62 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-add-description-to-security-group-rule + Impact Descriptions provide context for the firewall rule reasons + Resolution Add descriptions for all security groups rules + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/add-description-to-security-group-rule/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule +──────────────────────────────────────────────────────────────────────────────── + + +Result #53 LOW Security group rule does not have a description. 
+──────────────────────────────────────────────────────────────────────────────── + security_groups.tf:86-91 +──────────────────────────────────────────────────────────────────────────────── + 65 resource "aws_security_group" "database_exposed" { + .. + 86 ┌ egress { + 87 │ from_port = 0 + 88 │ to_port = 0 + 89 │ protocol = "-1" + 90 │ cidr_blocks = ["0.0.0.0/0"] + 91 └ } + 92 } +──────────────────────────────────────────────────────────────────────────────── + ID aws-ec2-add-description-to-security-group-rule + Impact Descriptions provide context for the firewall rule reasons + Resolution Add descriptions for all security groups rules + + More Information + - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/add-description-to-security-group-rule/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule +──────────────────────────────────────────────────────────────────────────────── + + + timings + ────────────────────────────────────────── + disk i/o 722.417µs + parsing 1.371459ms + adaptation 662.459µs + checks 12.781334ms + total 15.537669ms + + counts + ────────────────────────────────────────── + modules downloaded 0 + modules processed 1 + blocks processed 29 + files read 5 + + results + ────────────────────────────────────────── + passed 18 + ignored 0 + critical 9 + high 25 + medium 11 + low 8 + + 18 passed, 53 potential problem(s) detected. + diff --git a/labs/lab6/analysis/tfsec-results.json b/labs/lab6/analysis/tfsec-results.json new file mode 100644 index 00000000..a0d7826d --- /dev/null +++ b/labs/lab6/analysis/tfsec-results.json 
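Review bot: the committed tfsec text report reproduces the hardcoded credentials from database.tf verbatim (`password = "password123"` at line 48 and `password = "SuperSecretPassword123!"` at line 13 are echoed in Results #39, #40 and #46). These are deliberately weak lab fixtures, but committing raw scanner output that quotes source snippets means a real secret caught by the same check would land in git history the same way; consider redacting those snippets in the stored report or keeping raw scanner output as CI artifacts rather than in the repository. The summary block is internally consistent (critical 9 + high 25 + medium 11 + low 8 = 53, matching "18 passed, 53 potential problem(s) detected"), but the `timings` section (disk i/o, parsing, checks, total) is run-specific and will churn on every re-scan without adding anything to the comparative analysis, so it could be dropped from the committed copy.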
@@ -0,0 +1,1225 @@ +{ + "results": [ + { + "rule_id": "AVD-AWS-0023", + "long_id": "aws-dynamodb-enable-at-rest-encryption", + "rule_description": "DAX Cluster and tables should always encrypt data at rest", + "rule_provider": "aws", + "rule_service": "dynamodb", + "impact": "Data can be freely read if compromised", + "resolution": "Enable encryption at rest for DAX Cluster", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/dynamodb/enable-at-rest-encryption/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#server_side_encryption" + ], + "description": "Table encryption is not enabled.", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_dynamodb_table.unencrypted_table", + "location": { + "filename": "/src/database.tf", + "start_line": 72, + "end_line": 92 + } + }, + { + "rule_id": "AVD-AWS-0024", + "long_id": "aws-dynamodb-enable-recovery", + "rule_description": "Point in time recovery should be enabled to protect DynamoDB table", + "rule_provider": "aws", + "rule_service": "dynamodb", + "impact": "Accidental or malicious writes and deletes can't be rolled back", + "resolution": "Enable point in time recovery", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/dynamodb/enable-recovery/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery" + ], + "description": "Point-in-time recovery is not enabled.", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_dynamodb_table.unencrypted_table", + "location": { + "filename": "/src/database.tf", + "start_line": 86, + "end_line": 86 + } + }, + { + "rule_id": "AVD-AWS-0025", + "long_id": "aws-dynamodb-table-customer-key", + "rule_description": "DynamoDB tables should use at rest encryption with a Customer Managed Key", + "rule_provider": "aws", + "rule_service": "dynamodb", + "impact": "Using AWS managed keys does not 
allow for fine grained control", + "resolution": "Enable server side encryption with a customer managed key", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/dynamodb/table-customer-key/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption" + ], + "description": "Table encryption does not use a customer-managed KMS key.", + "severity": "LOW", + "warning": false, + "status": 0, + "resource": "aws_dynamodb_table.unencrypted_table", + "location": { + "filename": "/src/database.tf", + "start_line": 72, + "end_line": 92 + } + }, + { + "rule_id": "AVD-AWS-0124", + "long_id": "aws-ec2-add-description-to-security-group-rule", + "rule_description": "Missing description for security group rule.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Descriptions provide context for the firewall rule reasons", + "resolution": "Add descriptions for all security groups rules", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/add-description-to-security-group-rule/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule" + ], + "description": "Security group rule does not have a description.", + "severity": "LOW", + "warning": false, + "status": 0, + "resource": "aws_security_group.database_exposed", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 86, + "end_line": 91 + } + }, + { + "rule_id": "AVD-AWS-0124", + "long_id": "aws-ec2-add-description-to-security-group-rule", + "rule_description": "Missing description for security group rule.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Descriptions provide context for the firewall rule reasons", + "resolution": "Add descriptions for all security groups rules", + "links": [ + 
"https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/add-description-to-security-group-rule/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule" + ], + "description": "Security group rule does not have a description.", + "severity": "LOW", + "warning": false, + "status": 0, + "resource": "aws_security_group.ssh_open", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 52, + "end_line": 57 + } + }, + { + "rule_id": "AVD-AWS-0124", + "long_id": "aws-ec2-add-description-to-security-group-rule", + "rule_description": "Missing description for security group rule.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Descriptions provide context for the firewall rule reasons", + "resolution": "Add descriptions for all security groups rules", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/add-description-to-security-group-rule/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule" + ], + "description": "Security group rule does not have a description.", + "severity": "LOW", + "warning": false, + "status": 0, + "resource": "aws_security_group.allow_all", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 18, + "end_line": 23 + } + }, + { + "rule_id": "AVD-AWS-0104", + "long_id": "aws-ec2-no-public-egress-sgr", + "rule_description": "An egress security group rule allows traffic to /0.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Your port is egressing data to the internet", + "resolution": "Set a more restrictive cidr range", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-egress-sgr/", + 
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group" + ], + "description": "Security group rule allows egress to multiple public internet addresses.", + "severity": "CRITICAL", + "warning": false, + "status": 0, + "resource": "aws_security_group.database_exposed", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 90, + "end_line": 90 + } + }, + { + "rule_id": "AVD-AWS-0104", + "long_id": "aws-ec2-no-public-egress-sgr", + "rule_description": "An egress security group rule allows traffic to /0.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Your port is egressing data to the internet", + "resolution": "Set a more restrictive cidr range", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-egress-sgr/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group" + ], + "description": "Security group rule allows egress to multiple public internet addresses.", + "severity": "CRITICAL", + "warning": false, + "status": 0, + "resource": "aws_security_group.ssh_open", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 56, + "end_line": 56 + } + }, + { + "rule_id": "AVD-AWS-0104", + "long_id": "aws-ec2-no-public-egress-sgr", + "rule_description": "An egress security group rule allows traffic to /0.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Your port is egressing data to the internet", + "resolution": "Set a more restrictive cidr range", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-egress-sgr/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group" + ], + "description": "Security group rule allows egress to multiple public internet addresses.", + "severity": "CRITICAL", + "warning": false, + "status": 0, + "resource": "aws_security_group.allow_all", + "location": { + "filename": 
"/src/security_groups.tf", + "start_line": 22, + "end_line": 22 + } + }, + { + "rule_id": "AVD-AWS-0107", + "long_id": "aws-ec2-no-public-ingress-sgr", + "rule_description": "An ingress security group rule allows traffic from /0.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Your port exposed to the internet", + "resolution": "Set a more restrictive cidr range", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks" + ], + "description": "Security group rule allows ingress from public internet.", + "severity": "CRITICAL", + "warning": false, + "status": 0, + "resource": "aws_security_group.database_exposed", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 83, + "end_line": 83 + } + }, + { + "rule_id": "AVD-AWS-0107", + "long_id": "aws-ec2-no-public-ingress-sgr", + "rule_description": "An ingress security group rule allows traffic from /0.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Your port exposed to the internet", + "resolution": "Set a more restrictive cidr range", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks" + ], + "description": "Security group rule allows ingress from public internet.", + "severity": "CRITICAL", + "warning": false, + "status": 0, + "resource": "aws_security_group.database_exposed", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 75, + "end_line": 75 + } + }, + { + "rule_id": "AVD-AWS-0107", + "long_id": "aws-ec2-no-public-ingress-sgr", + "rule_description": "An ingress security group rule allows traffic from /0.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Your port exposed to the internet", + "resolution": 
"Set a more restrictive cidr range", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks" + ], + "description": "Security group rule allows ingress from public internet.", + "severity": "CRITICAL", + "warning": false, + "status": 0, + "resource": "aws_security_group.ssh_open", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 49, + "end_line": 49 + } + }, + { + "rule_id": "AVD-AWS-0107", + "long_id": "aws-ec2-no-public-ingress-sgr", + "rule_description": "An ingress security group rule allows traffic from /0.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Your port exposed to the internet", + "resolution": "Set a more restrictive cidr range", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks" + ], + "description": "Security group rule allows ingress from public internet.", + "severity": "CRITICAL", + "warning": false, + "status": 0, + "resource": "aws_security_group.ssh_open", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 41, + "end_line": 41 + } + }, + { + "rule_id": "AVD-AWS-0107", + "long_id": "aws-ec2-no-public-ingress-sgr", + "rule_description": "An ingress security group rule allows traffic from /0.", + "rule_provider": "aws", + "rule_service": "ec2", + "impact": "Your port exposed to the internet", + "resolution": "Set a more restrictive cidr range", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-ingress-sgr/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks" + ], + "description": "Security group rule allows ingress from public internet.", + "severity": "CRITICAL", + 
"warning": false, + "status": 0, + "resource": "aws_security_group.allow_all", + "location": { + "filename": "/src/security_groups.tf", + "start_line": 15, + "end_line": 15 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": "aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses wildcarded action 'ec2:*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_user_policy.service_policy", + "location": { + "filename": "/src/iam.tf", + "start_line": 72, + "end_line": 72 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": "aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses sensitive action 'ec2:*' on wildcarded resource '*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_user_policy.service_policy", + "location": 
{ + "filename": "/src/iam.tf", + "start_line": 72, + "end_line": 72 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": "aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses wildcarded action 'ec2:*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_user_policy.service_policy", + "location": { + "filename": "/src/iam.tf", + "start_line": 72, + "end_line": 72 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": "aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses wildcarded action 'ec2:*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_user_policy.service_policy", + "location": { + "filename": "/src/iam.tf", + "start_line": 72, + "end_line": 72 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": 
"aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses sensitive action 's3:*' on wildcarded resource '*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_role_policy.s3_full_access", + "location": { + "filename": "/src/iam.tf", + "start_line": 44, + "end_line": 44 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": "aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses wildcarded action 's3:*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_role_policy.s3_full_access", + "location": { + "filename": "/src/iam.tf", + "start_line": 44, + "end_line": 44 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": "aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead 
apply the principle of least privilege", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses sensitive action 'iam:CreatePolicy' on wildcarded resource '*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_policy.privilege_escalation", + "location": { + "filename": "/src/iam.tf", + "start_line": 109, + "end_line": 109 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": "aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses sensitive action '*' on wildcarded resource '*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_policy.admin_policy", + "location": { + "filename": "/src/iam.tf", + "start_line": 10, + "end_line": 10 + } + }, + { + "rule_id": "AVD-AWS-0057", + "long_id": "aws-iam-no-policy-wildcards", + "rule_description": "IAM policy should avoid use of wildcards and instead apply the principle of least privilege", + "rule_provider": "aws", + 
"rule_service": "iam", + "impact": "Overly permissive policies may grant access to sensitive resources", + "resolution": "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-policy-wildcards/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document" + ], + "description": "IAM policy document uses wildcarded action '*'", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_iam_policy.admin_policy", + "location": { + "filename": "/src/iam.tf", + "start_line": 10, + "end_line": 10 + } + }, + { + "rule_id": "AVD-AWS-0143", + "long_id": "aws-iam-no-user-attached-policies", + "rule_description": "IAM policies should not be granted directly to users.", + "rule_provider": "aws", + "rule_service": "iam", + "impact": "Complex access control is difficult to manage and maintain.", + "resolution": "Grant policies at the group level instead.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/iam/no-user-attached-policies/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user" + ], + "description": "One or more policies are attached directly to a user", + "severity": "LOW", + "warning": false, + "status": 0, + "resource": "aws_iam_user.service_account", + "location": { + "filename": "/src/iam.tf", + "start_line": 58, + "end_line": 65 + } + }, + { + "rule_id": "AVD-AWS-0177", + "long_id": "aws-rds-enable-deletion-protection", + "rule_description": "RDS Deletion Protection Disabled", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "", + "resolution": "Modify the RDS instances to enable deletion protection.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-deletion-protection/" + ], + "description": "Instance does not have Deletion Protection enabled", + "severity": 
"MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_db_instance.weak_db", + "location": { + "filename": "/src/database.tf", + "start_line": 40, + "end_line": 69 + } + }, + { + "rule_id": "AVD-AWS-0177", + "long_id": "aws-rds-enable-deletion-protection", + "rule_description": "RDS Deletion Protection Disabled", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "", + "resolution": "Modify the RDS instances to enable deletion protection.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-deletion-protection/" + ], + "description": "Instance does not have Deletion Protection enabled", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_db_instance.unencrypted_db.deletion_protection", + "location": { + "filename": "/src/database.tf", + "start_line": 28, + "end_line": 28 + } + }, + { + "rule_id": "AVD-AWS-0176", + "long_id": "aws-rds-enable-iam-auth", + "rule_description": "RDS IAM Database Authentication Disabled", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "", + "resolution": "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-iam-auth/" + ], + "description": "Instance does not have IAM Authentication enabled", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_db_instance.unencrypted_db", + "location": { + "filename": "/src/database.tf", + "start_line": 5, + "end_line": 37 + } + }, + { + "rule_id": "AVD-AWS-0176", + "long_id": "aws-rds-enable-iam-auth", + "rule_description": "RDS IAM Database Authentication Disabled", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "", + "resolution": "Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-iam-auth/" + ], + "description": "Instance 
does not have IAM Authentication enabled", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_db_instance.weak_db", + "location": { + "filename": "/src/database.tf", + "start_line": 40, + "end_line": 69 + } + }, + { + "rule_id": "AVD-AWS-0133", + "long_id": "aws-rds-enable-performance-insights", + "rule_description": "Enable Performance Insights to detect potential problems", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.", + "resolution": "Enable performance insights", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-performance-insights/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id" + ], + "description": "Instance does not have performance insights enabled.", + "severity": "LOW", + "warning": false, + "status": 0, + "resource": "aws_db_instance.weak_db", + "location": { + "filename": "/src/database.tf", + "start_line": 62, + "end_line": 62 + } + }, + { + "rule_id": "AVD-AWS-0133", + "long_id": "aws-rds-enable-performance-insights", + "rule_description": "Enable Performance Insights to detect potential problems", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.", + "resolution": "Enable performance insights", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-performance-insights/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id", + 
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id" + ], + "description": "Instance does not have performance insights enabled.", + "severity": "LOW", + "warning": false, + "status": 0, + "resource": "aws_db_instance.unencrypted_db", + "location": { + "filename": "/src/database.tf", + "start_line": 5, + "end_line": 37 + } + }, + { + "rule_id": "AVD-AWS-0180", + "long_id": "aws-rds-enable-public-access", + "rule_description": "RDS Publicly Accessible", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "", + "resolution": "Remove the public endpoint from the RDS instance'", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/enable-public-access/" + ], + "description": "Instance has Public Access enabled", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_db_instance.unencrypted_db.publicly_accessible", + "location": { + "filename": "/src/database.tf", + "start_line": 17, + "end_line": 17 + } + }, + { + "rule_id": "AVD-AWS-0080", + "long_id": "aws-rds-encrypt-instance-storage-data", + "rule_description": "RDS encryption has not been enabled at a DB Instance level.", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "Data can be read from RDS instances if compromised", + "resolution": "Enable encryption for RDS instances", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/encrypt-instance-storage-data/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance" + ], + "description": "Instance does not have storage encryption enabled.", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_db_instance.unencrypted_db", + "location": { + "filename": "/src/database.tf", + "start_line": 15, + "end_line": 15 + } + }, + { + "rule_id": "AVD-AWS-0082", + "long_id": "aws-rds-no-public-db-access", + "rule_description": "A database resource is marked as 
publicly accessible.", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "The database instance is publicly accessible", + "resolution": "Set the database to not be publicly accessible", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/no-public-db-access/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance" + ], + "description": "Instance is exposed publicly.", + "severity": "CRITICAL", + "warning": false, + "status": 0, + "resource": "aws_db_instance.unencrypted_db", + "location": { + "filename": "/src/database.tf", + "start_line": 17, + "end_line": 17 + } + }, + { + "rule_id": "AVD-AWS-0077", + "long_id": "aws-rds-specify-backup-retention", + "rule_description": "RDS Cluster and RDS instance should have backup retention longer than default 1 day", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "Potential loss of data and short opportunity for recovery", + "resolution": "Explicitly set the retention period to greater than the default", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/specify-backup-retention/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period" + ], + "description": "Instance has very low backup retention period.", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_db_instance.weak_db", + "location": { + "filename": "/src/database.tf", + "start_line": 40, + "end_line": 69 + } + }, + { + "rule_id": "AVD-AWS-0077", + "long_id": "aws-rds-specify-backup-retention", + "rule_description": "RDS Cluster and RDS instance should have backup retention longer than default 1 day", + "rule_provider": "aws", + "rule_service": "rds", + "impact": "Potential loss of data and short opportunity for recovery", + "resolution": "Explicitly 
set the retention period to greater than the default", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/rds/specify-backup-retention/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period" + ], + "description": "Instance has very low backup retention period.", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_db_instance.unencrypted_db", + "location": { + "filename": "/src/database.tf", + "start_line": 22, + "end_line": 22 + } + }, + { + "rule_id": "AVD-AWS-0086", + "long_id": "aws-s3-block-public-acls", + "rule_description": "S3 Access block should block public ACL", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "PUT calls with public ACLs specified can make objects public", + "resolution": "Enable blocking any PUT calls with a public ACL specified", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/block-public-acls/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls" + ], + "description": "Public access block does not block public ACLs", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket_public_access_block.bad_config", + "location": { + "filename": "/src/main.tf", + "start_line": 39, + "end_line": 39 + } + }, + { + "rule_id": "AVD-AWS-0086", + "long_id": "aws-s3-block-public-acls", + "rule_description": "S3 Access block should block public ACL", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "PUT calls with public ACLs specified can make objects public", + "resolution": "Enable blocking any PUT calls with a public ACL specified", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/block-public-acls/", + 
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls" + ], + "description": "No public access block so not blocking public acls", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + "location": { + "filename": "/src/main.tf", + "start_line": 24, + "end_line": 33 + } + }, + { + "rule_id": "AVD-AWS-0087", + "long_id": "aws-s3-block-public-policy", + "rule_description": "S3 Access block should block public policy", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Users could put a policy that allows public access", + "resolution": "Prevent policies that allow public access being PUT", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/block-public-policy/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy" + ], + "description": "Public access block does not block public policies", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket_public_access_block.bad_config", + "location": { + "filename": "/src/main.tf", + "start_line": 40, + "end_line": 40 + } + }, + { + "rule_id": "AVD-AWS-0087", + "long_id": "aws-s3-block-public-policy", + "rule_description": "S3 Access block should block public policy", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Users could put a policy that allows public access", + "resolution": "Prevent policies that allow public access being PUT", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/block-public-policy/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy" + ], + "description": "No public access block so not blocking public policies", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + 
"location": { + "filename": "/src/main.tf", + "start_line": 24, + "end_line": 33 + } + }, + { + "rule_id": "AVD-AWS-0088", + "long_id": "aws-s3-enable-bucket-encryption", + "rule_description": "Unencrypted S3 bucket.", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "The bucket objects could be read if compromised", + "resolution": "Configure bucket encryption", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-bucket-encryption/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption" + ], + "description": "Bucket does not have encryption enabled", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + "location": { + "filename": "/src/main.tf", + "start_line": 24, + "end_line": 33 + } + }, + { + "rule_id": "AVD-AWS-0088", + "long_id": "aws-s3-enable-bucket-encryption", + "rule_description": "Unencrypted S3 bucket.", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "The bucket objects could be read if compromised", + "resolution": "Configure bucket encryption", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-bucket-encryption/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption" + ], + "description": "Bucket does not have encryption enabled", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.public_data", + "location": { + "filename": "/src/main.tf", + "start_line": 13, + "end_line": 21 + } + }, + { + "rule_id": "AVD-AWS-0089", + "long_id": "aws-s3-enable-bucket-logging", + "rule_description": "S3 Bucket does not have logging enabled.", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "There is no way to determine the access to this bucket", + "resolution": "Add a logging block to the resource to enable access logging", + 
"links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-bucket-logging/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket" + ], + "description": "Bucket does not have logging enabled", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + "location": { + "filename": "/src/main.tf", + "start_line": 24, + "end_line": 33 + } + }, + { + "rule_id": "AVD-AWS-0089", + "long_id": "aws-s3-enable-bucket-logging", + "rule_description": "S3 Bucket does not have logging enabled.", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "There is no way to determine the access to this bucket", + "resolution": "Add a logging block to the resource to enable access logging", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-bucket-logging/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket" + ], + "description": "Bucket does not have logging enabled", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.public_data", + "location": { + "filename": "/src/main.tf", + "start_line": 13, + "end_line": 21 + } + }, + { + "rule_id": "AVD-AWS-0090", + "long_id": "aws-s3-enable-versioning", + "rule_description": "S3 Data should be versioned", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Deleted or modified data would not be recoverable", + "resolution": "Enable versioning to protect against accidental/malicious removal or modification", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-versioning/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning" + ], + "description": "Bucket does not have versioning enabled", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + "location": { + "filename": "/src/main.tf", 
+ "start_line": 31, + "end_line": 31 + } + }, + { + "rule_id": "AVD-AWS-0090", + "long_id": "aws-s3-enable-versioning", + "rule_description": "S3 Data should be versioned", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Deleted or modified data would not be recoverable", + "resolution": "Enable versioning to protect against accidental/malicious removal or modification", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/enable-versioning/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning" + ], + "description": "Bucket does not have versioning enabled", + "severity": "MEDIUM", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.public_data", + "location": { + "filename": "/src/main.tf", + "start_line": 13, + "end_line": 21 + } + }, + { + "rule_id": "AVD-AWS-0132", + "long_id": "aws-s3-encryption-customer-key", + "rule_description": "S3 encryption should use Customer Managed Keys", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Using AWS managed keys does not allow for fine grained control", + "resolution": "Enable encryption using customer managed keys", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/encryption-customer-key/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption" + ], + "description": "Bucket does not encrypt data with a customer managed key.", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + "location": { + "filename": "/src/main.tf", + "start_line": 24, + "end_line": 33 + } + }, + { + "rule_id": "AVD-AWS-0132", + "long_id": "aws-s3-encryption-customer-key", + "rule_description": "S3 encryption should use Customer Managed Keys", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Using AWS managed keys does not allow for fine grained control", + "resolution": 
"Enable encryption using customer managed keys", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/encryption-customer-key/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption" + ], + "description": "Bucket does not encrypt data with a customer managed key.", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.public_data", + "location": { + "filename": "/src/main.tf", + "start_line": 13, + "end_line": 21 + } + }, + { + "rule_id": "AVD-AWS-0091", + "long_id": "aws-s3-ignore-public-acls", + "rule_description": "S3 Access Block should Ignore Public Acl", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "PUT calls with public ACLs specified can make objects public", + "resolution": "Enable ignoring the application of public ACLs in PUT calls", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/ignore-public-acls/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls" + ], + "description": "Public access block does not ignore public ACLs", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket_public_access_block.bad_config", + "location": { + "filename": "/src/main.tf", + "start_line": 41, + "end_line": 41 + } + }, + { + "rule_id": "AVD-AWS-0091", + "long_id": "aws-s3-ignore-public-acls", + "rule_description": "S3 Access Block should Ignore Public Acl", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "PUT calls with public ACLs specified can make objects public", + "resolution": "Enable ignoring the application of public ACLs in PUT calls", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/ignore-public-acls/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls" + ], + 
"description": "No public access block so not ignoring public acls", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + "location": { + "filename": "/src/main.tf", + "start_line": 24, + "end_line": 33 + } + }, + { + "rule_id": "AVD-AWS-0092", + "long_id": "aws-s3-no-public-access-with-acl", + "rule_description": "S3 Buckets not publicly accessible through ACL.", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Public access to the bucket can lead to data leakage", + "resolution": "Don't use canned ACLs or switch to private acl", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/no-public-access-with-acl/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket" + ], + "description": "Bucket has a public ACL: 'public-read'.", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.public_data", + "location": { + "filename": "/src/main.tf", + "start_line": 15, + "end_line": 15 + } + }, + { + "rule_id": "AVD-AWS-0093", + "long_id": "aws-s3-no-public-buckets", + "rule_description": "S3 Access block should restrict public bucket to limit access", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Public buckets can be accessed by anyone", + "resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/no-public-buckets/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡" + ], + "description": "Public access block does not restrict public buckets", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket_public_access_block.bad_config", + "location": { + "filename": "/src/main.tf", + "start_line": 42, + "end_line": 42 + } + }, + { + "rule_id": "AVD-AWS-0093", + "long_id": 
"aws-s3-no-public-buckets", + "rule_description": "S3 Access block should restrict public bucket to limit access", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Public buckets can be accessed by anyone", + "resolution": "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/no-public-buckets/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡" + ], + "description": "No public access block so not restricting public buckets", + "severity": "HIGH", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + "location": { + "filename": "/src/main.tf", + "start_line": 24, + "end_line": 33 + } + }, + { + "rule_id": "AVD-AWS-0094", + "long_id": "aws-s3-specify-public-access-block", + "rule_description": "S3 buckets should each define an aws_s3_bucket_public_access_block", + "rule_provider": "aws", + "rule_service": "s3", + "impact": "Public access policies may be applied to sensitive data buckets", + "resolution": "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies", + "links": [ + "https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/s3/specify-public-access-block/", + "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket" + ], + "description": "Bucket does not have a corresponding public access block.", + "severity": "LOW", + "warning": false, + "status": 0, + "resource": "aws_s3_bucket.unencrypted_data", + "location": { + "filename": "/src/main.tf", + "start_line": 24, + "end_line": 33 + } + } + ] +} diff --git a/labs/lab6/analysis/tool-comparison.txt b/labs/lab6/analysis/tool-comparison.txt new file mode 100644 index 00000000..f870afd4 --- /dev/null +++ b/labs/lab6/analysis/tool-comparison.txt 
@@ -0,0 +1,8 @@ +=== Comprehensive Tool Comparison === +Terraform Scanning Results: + - tfsec: 53 findings + - Checkov: 78 findings + - Terrascan: 22 findings + +Pulumi Scanning Results (KICS): 6 findings +Ansible Scanning Results (KICS): 9 findings diff --git a/labs/lab6/submission6.md b/labs/lab6/submission6.md new file mode 100644 index 00000000..8d66b6af --- /dev/null +++ b/labs/lab6/submission6.md 
@@ -0,0 +1,380 @@ +# Task 1 — Terraform & Pulumi Security Scanning + +## Terraform Tool Comparison + +**Terraform Scanning Results:** + +- **tfsec**: 53 findings +- **Checkov**: 78 findings +- **Terrascan**: 22 findings + +## Pulumi Security Analysis: + +**Pulumi Scanning Results (KICS)**: 6 findings +- **HIGH severity**: 2 +- **MEDIUM severity**: 2 +- **LOW severity**: 0 + +## Terraform vs. Pulumi: + +**Terraform (HCL - declarative):** + +- Easier for static analysis +- Predictable resource structure +- The security of the state file is critical +- Secrets require external solutions + +**Pulumi (YAML - programmatic):** + +- Difficult to analyze because of the dynamic logic +- Built-in state encryption +- Best work with secrets +- Complex dependencies are possible + +## KICS Pulumi Support: + +**Successfully detected KICS:** + +- S3 Bucket Security Issues +- Security Group Misconfigurations +- RDS Security Issues +- IAM Policy Issues +- Secrets in Configuration + +**Gaps in KICS detection:** + +- Secrets in User Data +- EBS Volume Encryption +- CloudWatch Log Issues +- EKS Cluster Security +- Secrets in Outputs + +## Critical Findings: + +1. Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion +2. Ensure S3 buckets do not have, a both public ACL on the bucket and a public access block. +3. RDS Instance Auto Minor Version Upgrade flag disabled. +4. RDS Instance publicly_accessible flag is true +5. 
Security Groups - Unrestricted Specific Ports - (SSH,22) + +## Tool Strengths: + +**tfsec Strengths:** + +- **Terraform-specific patterns**: Deep understanding of Terraform HCL +- **AWS best practices**: Comprehensive AWS security checks +- **Fast feedback**: Quick scan times ideal for developer workflow +- **Low false positives**: Accurate results with good precision + +**Checkov Strengths:** + +- **Multi-cloud coverage**: AWS, Azure, GCP, Kubernetes support +- **Compliance frameworks**: CIS, PCI-DSS, HIPAA checks +- **Custom policies**: Extensive customization capabilities +- **Infrastructure breadth**: Largest rule set (700+ policies) + +**Terrascan Strengths**: + +- **Compliance focus**: Strong regulatory requirement coverage +- **Policy accuracy**: Well-tested policies with good documentation +- **Enterprise features**: Integration with Tenable ecosystem +- **Resource relationships**: Understanding resource dependencies + +**KICS Pulumi Strengths:** + +- Multi-format support: Terraform, CloudFormation, Pulumi, Ansible, Docker +- Pulumi specialization: Best Pulumi support among scanners +- Open source focus: Community-driven development +- CI/CD integration: Easy pipeline integration + +--- + +# Task 2 — Ansible Security Scanning with KICS + +## Ansible Security Issues + +**KICS Ansible findings**: 9 findings +- **HIGH severity**: 8 +- **MEDIUM severity**: 0 +- **LOW severity**: 1 + +## Best Practice Violations + +1. **RedundantAttribute** - Hardcoded secret key should not appear in source +2. **IncorrectValue** - State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true' +3. **RedundantAttribute** - Hardcoded secret key should not appear in source + +## KICS Ansible Queries and Remediation Steps: + +1. **Permissive sudo configuration** - Prevent allowing passwordless sudo for all commands! 
+ +Remediation Code: + +```bash +# SECURE: Configure restricted sudo access +- name: Configure secure sudo for app user + copy: + content: | + # Application user sudo permissions + appuser ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp + appuser ALL=(ALL) NOPASSWD: /usr/bin/systemctl status myapp + appuser ALL=(ALL) NOPASSWD: /usr/bin/logrotate /etc/logrotate.d/myapp + # Specific commands only, require password for others + appuser ALL=(ALL) ALL + dest: /etc/sudoers.d/appuser + mode: '0440' + validate: '/usr/sbin/visudo -cf %s' + +# Alternative: Use ansible built-in module +- name: Configure sudo using ansible module + user: + name: appuser + groups: wheel + append: yes + +- name: Configure sudoers with password requirement + lineinfile: + path: /etc/sudoers + line: '%wheel ALL=(ALL) ALL' + validate: '/usr/sbin/visudo -cf %s' +``` + +2. **Installing unnecessary packages** - Development tools should not be used on production server! + +Remediation Code: + +```bash +# SECURE: Install only required production packages +- name: Install production packages only + apt: + name: + - nginx + - certbot + - fail2ban + - logrotate + state: present + update_cache: yes + +# If debugging tools are absolutely needed, restrict access +- name: Install minimal debugging tools with restrictions + apt: + name: + - tcpdump + state: present + when: ansible_env.DEBUG_MODE | default(false) + +- name: Set capabilities for tcpdump (non-root usage) + command: setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/tcpdump + when: ansible_env.DEBUG_MODE | default(false) + +# Remove development packages if present +- name: Remove development packages + apt: + name: + - build-essential + - gcc + - g++ + - gdb + state: absent + purge: yes +``` + +3. **Exposing application on all interfaces** - Should bind to specific interface or localhost. 
+ +Remediation Code: + +```bash +# SECURE: Bind to localhost only +- name: Configure application to listen on localhost only + lineinfile: + path: /etc/myapp/config.yml + regexp: '^listen:' + line: 'listen: 127.0.0.1:8080' + backup: yes + +# Or use template with secure defaults +- name: Deploy secure application configuration + template: + src: secure_app_config.j2 + dest: /etc/myapp/config.yml + mode: '0640' + owner: appuser + group: appuser + backup: yes + notify: restart application + +# With firewall configuration +- name: Configure firewall to restrict access + ufw: + rule: allow + port: '8080' + src: '10.0.0.0/8' # Only internal network + state: enabled + +# Alternative: Use reverse proxy +- name: Configure nginx as reverse proxy + template: + src: nginx_proxy.j2 + dest: /etc/nginx/sites-available/myapp + mode: '0644' + backup: yes +``` + +4. **Fetching files without encryption** - Prevent transferring sensitive config in plaintext! + +Remediation Code: + +```bash +# SECURE: Encrypt files before transfer +- name: Encrypt configuration before backup + command: gpg --batch --yes --passphrase "{{ backup_encryption_key }}" --symmetric --cipher-algo AES256 /etc/myapp/config.env + args: + creates: /etc/myapp/config.env.gpg + +- name: Fetch encrypted configuration + fetch: + src: /etc/myapp/config.env.gpg + dest: "{{ backup_dir }}/{{ inventory_hostname }}-config.env.gpg" + flat: yes + +# Or use ansible-vault for sensitive data +- name: Create encrypted backup with ansible-vault + slurp: + src: /etc/myapp/config.env + register: config_content + +- name: Save encrypted backup locally + copy: + content: "{{ config_content.content | b64decode | ansible.vault.encrypt(vault_secret) }}" + dest: "{{ backup_dir }}/{{ inventory_hostname }}-config.env.vault" + mode: '0600' + +# Alternative: Use secure copy with SSH encryption only +- name: Secure fetch with validation + fetch: + src: /etc/myapp/config.env + dest: "{{ backup_dir }}/" + flat: yes + validate: 'test -s %s && file 
%s | grep -q "text"' +``` + +5. **No checksum validation for templates** - Need to backup and validation before deployment. + +Remediation Code: + +```bash +# SECURE: Template deployment with validation and backup +- name: Create backup of current configuration + copy: + src: /etc/nginx/sites-available/app.conf + dest: "/etc/nginx/sites-available/app.conf.backup-{{ ansible_date_time.epoch }}" + remote_src: yes + mode: '0644' + when: ansible_check_mode | default(false) == false + +- name: Deploy configuration template with validation + template: + src: app.conf.j2 + dest: /etc/nginx/sites-available/app.conf + mode: '0644' + backup: yes + validate: '/usr/sbin/nginx -t -c %s' + +- name: Verify configuration checksum + stat: + path: /etc/nginx/sites-available/app.conf + register: config_stat + +- name: Validate configuration syntax + command: nginx -t + register: nginx_validation + changed_when: false + failed_when: nginx_validation.rc != 0 + +- name: Rollback if validation fails + copy: + src: "/etc/nginx/sites-available/app.conf.backup-{{ ansible_date_time.epoch }}" + dest: /etc/nginx/sites-available/app.conf + remote_src: yes + mode: '0644' + when: nginx_validation.rc != 0 + +# Enhanced version with pre-deployment checks +- name: Check current config checksum + stat: + path: /etc/nginx/sites-available/app.conf + register: current_config + changed_when: false + +- name: Deploy only if template changed + template: + src: app.conf.j2 + dest: /etc/nginx/sites-available/app.conf + mode: '0644' + backup: yes + validate: '/usr/sbin/nginx -t -c %s' + when: current_config.stat.checksum != (lookup('template', 'app.conf.j2') | hash('sha256')) +``` + +etc. 
+ +--- + +# Task 3 — Comparative Tool Analysis & Security Insights + +## Tool Comparison Matrix: + +| **Criterion** | **tfsec** | **Checkov** | **Terrascan** | **KICS (Pulumi + Ansible)** | +|-----------------------------|-----------:|-------------:|---------------:|-----------------------------:| +| **Total Findings** | 53 | 78 | 22 | 15 (Pulumi 6 + Ansible 9) | +| **Scan Speed** | Fast | Medium | Medium | Slow | +| **False Positives** | Low | Medium | Medium | High | +| **Report Quality** | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐ | +| **Ease of Use** | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ | ⭐⭐ | +| **Documentation** | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ | +| **Platform Support** | Terraform only | Multiple | Multiple | Multiple | +| **Output Formats** | JSON, text, SARIF | JSON, JUnit, CSV, SARIF | JSON, CSV, SARIF | JSON, SARIF, HTML | +| **CI/CD Integration** | Easy | Easy | Medium | Medium | +| **Unique Strengths** | Easy installation, high accuracy of Terraform scans | Large IaC coverage, flexible policies | Powerful Policy-as-Code engine, good integration with CI | Pulumi and Ansible support, a single engine for different IaCs | + +## Category Analysis: + +| **Security Category** | **tfsec** | **Checkov** | **Terrascan** | **KICS (Pulumi)** | **KICS (Ansible)** | **Best Tool** | +|-------------------------------|-----------:|-------------:|---------------:|-------------------:|-------------------:|----------------| +| **Encryption Issues** | 8 | 9 | 3 | 1 | 0 | Checkov | +| **Network Security** | 9 | 17 | 6 | 0 | 0 | Checkov | +| **Secrets Management** | 0 | 1 | 1 | 1 | 8 | KICS (Ansible) | +| **IAM / Permissions** | 11 | 21 | 2 | 0 | 0 | Checkov | +| **Access Control** | 10 | 10 | 3 | 1 | 0 | tfsec/Checkov | +| **Compliance / Best Practices** | 15 | 20 | 7 | 3 | 1 | Checkov | + +## Lessons Learned: + +**Key insights**: + +- No single tool covers everything. +- False positives are inevitable, especially in complex IAM policies. 
+- The tools specialize: tfsec for speed, Checkov for completeness, Terrascan for compliance +- Pulumi security ecosystem provides only basic coverage +- Ansible security requires specialized checks, only good for secrets + +## CI/CD Integration Strategy: + +### For small teams: + +1. **Pre-commit:** `tfsec` — a quick feedback +2. **PR Check:** `Checkov` — a basic security +3. **Release:** `Checkov` + `Terrascan` — a full pre-release check + +### For enterprise + +1. **Developer:** `tfsec` + `KICS` — a verification during local development +2. **PR Gate:** `Checkov` + `Terrascan` — an utomatic pre-merge verification +3. **Release:** `Checkov` - a verification of compliance with security policies (Compliance validation) + manual approval (Security approval) + +### For mixed environments + +1. **Terraform:** `Checkov` + `tfsec` +2. **Pulumi:** `KICS` +3. **Ansible:** `KICS` +4. **Kubernetes:** `Checkov` From 9dd107eb3c0c59acbe228c2e4814820576d40812 Mon Sep 17 00:00:00 2001 From: scruffyscarf Date: Mon, 13 Oct 2025 11:04:13 +0300 Subject: [PATCH 2/2] docs: add lab6 submission - IaC security scanning and comparative analysis --- labs/{lab6 => }/submission6.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename labs/{lab6 => }/submission6.md (100%) diff --git a/labs/lab6/submission6.md b/labs/submission6.md similarity index 100% rename from labs/lab6/submission6.md rename to labs/submission6.md
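Review bot: the "Fetching files without encryption" remediation (item 4) has two problems that undermine the fix it claims. First, the `gpg` task passes `--passphrase "{{ backup_encryption_key }}"` on the command line, so the key is visible in the process table on the managed host and is echoed in Ansible output and logs unless the task sets `no_log: true`; prefer `--passphrase-fd 0` with the key on stdin (via the `stdin` argument of `command`) or `--passphrase-file` with a 0600 file, and add `no_log: true` in any case. Second, the "Alternative: Use secure copy with SSH encryption only" task still fetches `/etc/myapp/config.env` in plaintext and uses `validate:`, which is not a parameter of the `fetch` module (`fetch` supports `validate_checksum`, not a validation command), so this task would fail as written and does not demonstrate encryption at rest. The `ansible-vault` variant also uses a filter named `ansible.vault.encrypt`, which is not a built-in Ansible filter; the built-in is `ansible.builtin.vault` (e.g. `content | ansible.builtin.vault(vault_secret)`). Either drop the third variant or explain that SSH protects the transfer only and the file lands unencrypted on the controller.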
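Review bot: the rollback logic in the "No checksum validation for templates" remediation (item 5) can never run. The "Validate configuration syntax" task sets `failed_when: nginx_validation.rc != 0`, which aborts the play on the host before the "Rollback if validation fails" task with `when: nginx_validation.rc != 0` is reached; add `ignore_errors: true` to the validation task (or wrap the deploy in a `block`/`rescue`) if the rollback is meant to execute. In the "Enhanced version", the condition `current_config.stat.checksum != (lookup('template', 'app.conf.j2') | hash('sha256'))` compares a SHA-1 digest (the `stat` module's default `checksum_algorithm`) with a SHA-256 digest, so it is always true and the template is redeployed on every run; set `checksum_algorithm: sha256` on the `stat` task or rely on the `template` module's own idempotence instead. The "Verify configuration checksum" task registers `config_stat` but nothing reads it, so it should either be used or removed.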
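Review bot: the remediation code blocks in items 3 to 5 are fenced as ```bash but contain Ansible task YAML; tag them ```yaml so the document renders with the right highlighting and the examples are not mistaken for shell. Minor text points in the same hunk: "an utomatic pre-merge verification" under "For enterprise" should read "an automatic pre-merge verification", and the bare "etc." line after item 5 should either list the remaining findings or be dropped, since the Ansible report in this submission lists 9 findings and the document covers 5.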
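Review bot: the second commit (PATCH 2/2) reuses the first commit's message "docs: add lab6 submission - IaC security scanning and comparative analysis" but only renames `labs/lab6/submission6.md` to `labs/submission6.md` (similarity index 100%, 0 insertions, 0 deletions), so the message should describe the move, e.g. "docs: move lab6 submission to labs/submission6.md". Note also that the scanner reports and JSON results stay under `labs/lab6/analysis/`, so any relative links from the submission to those files need to be updated for the new location.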