Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update version,tf and fix tflint #31

Closed
wants to merge 6 commits into from
Closed

Update version,tf and fix tflint #31

wants to merge 6 commits into from

Conversation

theprashantyadav
Copy link
Contributor

what

  • added new github-action
  • update terraform and aws version
  • update readme and added github action latest version

why

  • need to update terrform and aws latest version
  • need to update github-action
  • need to fix tflint

@clouddrove-ci clouddrove-ci self-assigned this Sep 28, 2023
@clouddrove-ci
Copy link
Member

Terraform Security Scan Failed

Show Output 
Result #1 HIGH No public access block so not ignoring public acls 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH No public access block so not restricting public buckets 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Password policy allows a maximum password age of greater than 90 days. 
────────────────────────────────────────────────────────────────────────────────
  modules/iam/main.tf:28
   via main.tf:227-248 (module.aws-iam-baseline)
────────────────────────────────────────────────────────────────────────────────
   19    resource "aws_iam_account_password_policy" "default" {
   20      count                          = var.aws_iam_account_password_policy ? 1 : 0
   21      minimum_password_length        = var.minimum_password_length
   22      password_reuse_prevention      = var.password_reuse_prevention
   23      require_lowercase_characters   = var.require_lowercase_characters
   24      require_numbers                = var.require_numbers
   25      require_uppercase_characters   = var.require_uppercase_characters
   26      require_symbols                = var.require_symbols
   27      allow_users_to_change_password = var.allow_users_to_change_password
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-set-max-password-age
      Impact Long life password increase the likelihood of a password eventually being compromised
  Resolution Limit the password duration with an expiry in the policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/set-max-password-age/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  modules/cloudtrail/main.tf:135-140
   via main.tf:5-28 (module.cloudtrail)
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_cloudwatch_log_group" "cloudtrail_events" {
  136      count             = var.enabled ? 1 : 0
  137      name              = var.cloudwatch_logs_group_name
  138      retention_in_days = var.cloudwatch_logs_retention_in_days
  139      tags              = module.labels.tags
  140    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Bucket does not have a corresponding public access block. 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-specify-public-access-block
      Impact Public access policies may be applied to sensitive data buckets
  Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.442704ms
  parsing              496.014263ms
  adaptation           3.219719ms
  checks               22.183128ms
  total                522.859814ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    11
  blocks processed     471
  files read           42

  results
  ──────────────────────────────────────────
  passed               11
  ignored              4
  critical             0
  high                 2
  medium               3
  low                  2

  11 passed, 4 ignored, 7 potential problem(s) detected.

@clouddrove-ci
Copy link
Member

Terraform Security Scan Failed

Show Output 
Result #1 HIGH No public access block so not ignoring public acls 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH No public access block so not restricting public buckets 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Password policy allows a maximum password age of greater than 90 days. 
────────────────────────────────────────────────────────────────────────────────
  modules/iam/main.tf:28
   via main.tf:227-248 (module.aws-iam-baseline)
────────────────────────────────────────────────────────────────────────────────
   19    resource "aws_iam_account_password_policy" "default" {
   20      count                          = var.aws_iam_account_password_policy ? 1 : 0
   21      minimum_password_length        = var.minimum_password_length
   22      password_reuse_prevention      = var.password_reuse_prevention
   23      require_lowercase_characters   = var.require_lowercase_characters
   24      require_numbers                = var.require_numbers
   25      require_uppercase_characters   = var.require_uppercase_characters
   26      require_symbols                = var.require_symbols
   27      allow_users_to_change_password = var.allow_users_to_change_password
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-set-max-password-age
      Impact Long life password increase the likelihood of a password eventually being compromised
  Resolution Limit the password duration with an expiry in the policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/set-max-password-age/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  modules/cloudtrail/main.tf:135-140
   via main.tf:5-28 (module.cloudtrail)
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_cloudwatch_log_group" "cloudtrail_events" {
  136      count             = var.enabled ? 1 : 0
  137      name              = var.cloudwatch_logs_group_name
  138      retention_in_days = var.cloudwatch_logs_retention_in_days
  139      tags              = module.labels.tags
  140    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Bucket does not have a corresponding public access block. 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-specify-public-access-block
      Impact Public access policies may be applied to sensitive data buckets
  Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             976.403µs
  parsing              784.74808ms
  adaptation           1.828909ms
  checks               7.704436ms
  total                795.257828ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    11
  blocks processed     471
  files read           42

  results
  ──────────────────────────────────────────
  passed               11
  ignored              4
  critical             0
  high                 2
  medium               3
  low                  2

  11 passed, 4 ignored, 7 potential problem(s) detected.

@clouddrove-ci
Copy link
Member

Terraform Security Scan Failed

Show Output 
Result #1 HIGH No public access block so not ignoring public acls 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH No public access block so not restricting public buckets 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Password policy allows a maximum password age of greater than 90 days. 
────────────────────────────────────────────────────────────────────────────────
  modules/iam/main.tf:28
   via main.tf:227-248 (module.aws-iam-baseline)
────────────────────────────────────────────────────────────────────────────────
   19    resource "aws_iam_account_password_policy" "default" {
   20      count                          = var.aws_iam_account_password_policy ? 1 : 0
   21      minimum_password_length        = var.minimum_password_length
   22      password_reuse_prevention      = var.password_reuse_prevention
   23      require_lowercase_characters   = var.require_lowercase_characters
   24      require_numbers                = var.require_numbers
   25      require_uppercase_characters   = var.require_uppercase_characters
   26      require_symbols                = var.require_symbols
   27      allow_users_to_change_password = var.allow_users_to_change_password
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-set-max-password-age
      Impact Long life password increase the likelihood of a password eventually being compromised
  Resolution Limit the password duration with an expiry in the policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/set-max-password-age/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  modules/cloudtrail/main.tf:135-140
   via main.tf:5-28 (module.cloudtrail)
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_cloudwatch_log_group" "cloudtrail_events" {
  136      count             = var.enabled ? 1 : 0
  137      name              = var.cloudwatch_logs_group_name
  138      retention_in_days = var.cloudwatch_logs_retention_in_days
  139      tags              = module.labels.tags
  140    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Bucket does not have a corresponding public access block. 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-specify-public-access-block
      Impact Public access policies may be applied to sensitive data buckets
  Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             799.399µs
  parsing              976.378888ms
  adaptation           1.808698ms
  checks               7.429492ms
  total                986.416477ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    11
  blocks processed     471
  files read           42

  results
  ──────────────────────────────────────────
  passed               11
  ignored              4
  critical             0
  high                 2
  medium               3
  low                  2

  11 passed, 4 ignored, 7 potential problem(s) detected.

@clouddrove-ci
Copy link
Member

Terraform Security Scan Failed

Show Output 
Result #1 HIGH No public access block so not ignoring public acls 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH No public access block so not restricting public buckets 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Password policy allows a maximum password age of greater than 90 days. 
────────────────────────────────────────────────────────────────────────────────
  modules/iam/main.tf:28
   via main.tf:227-248 (module.aws-iam-baseline)
────────────────────────────────────────────────────────────────────────────────
   19    resource "aws_iam_account_password_policy" "default" {
   20      count                          = var.aws_iam_account_password_policy ? 1 : 0
   21      minimum_password_length        = var.minimum_password_length
   22      password_reuse_prevention      = var.password_reuse_prevention
   23      require_lowercase_characters   = var.require_lowercase_characters
   24      require_numbers                = var.require_numbers
   25      require_uppercase_characters   = var.require_uppercase_characters
   26      require_symbols                = var.require_symbols
   27      allow_users_to_change_password = var.allow_users_to_change_password
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-set-max-password-age
      Impact Long life password increase the likelihood of a password eventually being compromised
  Resolution Limit the password duration with an expiry in the policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/set-max-password-age/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  modules/cloudtrail/main.tf:135-140
   via main.tf:5-28 (module.cloudtrail)
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_cloudwatch_log_group" "cloudtrail_events" {
  136      count             = var.enabled ? 1 : 0
  137      name              = var.cloudwatch_logs_group_name
  138      retention_in_days = var.cloudwatch_logs_retention_in_days
  139      tags              = module.labels.tags
  140    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Bucket does not have a corresponding public access block. 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-specify-public-access-block
      Impact Public access policies may be applied to sensitive data buckets
  Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.201097ms
  parsing              1.297030511s
  adaptation           2.615693ms
  checks               22.931344ms
  total                1.323778645s

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    11
  blocks processed     471
  files read           42

  results
  ──────────────────────────────────────────
  passed               11
  ignored              4
  critical             0
  high                 2
  medium               3
  low                  2

  11 passed, 4 ignored, 7 potential problem(s) detected.

@clouddrove-ci
Copy link
Member

Terraform Security Scan Failed

Show Output 
Result #1 HIGH No public access block so not ignoring public acls 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH No public access block so not restricting public buckets 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Password policy allows a maximum password age of greater than 90 days. 
────────────────────────────────────────────────────────────────────────────────
  modules/iam/main.tf:28
   via main.tf:227-248 (module.aws-iam-baseline)
────────────────────────────────────────────────────────────────────────────────
   19    resource "aws_iam_account_password_policy" "default" {
   20      count                          = var.aws_iam_account_password_policy ? 1 : 0
   21      minimum_password_length        = var.minimum_password_length
   22      password_reuse_prevention      = var.password_reuse_prevention
   23      require_lowercase_characters   = var.require_lowercase_characters
   24      require_numbers                = var.require_numbers
   25      require_uppercase_characters   = var.require_uppercase_characters
   26      require_symbols                = var.require_symbols
   27      allow_users_to_change_password = var.allow_users_to_change_password
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-set-max-password-age
      Impact Long life password increase the likelihood of a password eventually being compromised
  Resolution Limit the password duration with an expiry in the policy

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/set-max-password-age/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
────────────────────────────────────────────────────────────────────────────────


Result #6 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  modules/cloudtrail/main.tf:135-140
   via main.tf:5-28 (module.cloudtrail)
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_cloudwatch_log_group" "cloudtrail_events" {
  136      count             = var.enabled ? 1 : 0
  137      name              = var.cloudwatch_logs_group_name
  138      retention_in_days = var.cloudwatch_logs_retention_in_days
  139      tags              = module.labels.tags
  140    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Bucket does not have a corresponding public access block. 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:22-26
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_s3_bucket" "bucket" {
   23      count         = var.enabled ? 1 : 0
   24      bucket        = var.bucket_name
   25      force_destroy = true
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-specify-public-access-block
      Impact Public access policies may be applied to sensitive data buckets
  Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.033527ms
  parsing              2.902980441s
  adaptation           2.379757ms
  checks               10.256447ms
  total                2.916650172s

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    11
  blocks processed     471
  files read           42

  results
  ──────────────────────────────────────────
  passed               11
  ignored              4
  critical             0
  high                 2
  medium               3
  low                  2

  11 passed, 4 ignored, 7 potential problem(s) detected.

@clouddrove-ci
Copy link
Member

Terraform Security Scan Failed

Show Output 
Result #1 HIGH No public access block so not restricting public buckets 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:24-28
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_s3_bucket" "bucket" {
   25      count         = var.enabled ? 1 : 0
   26      bucket        = var.bucket_name
   27      force_destroy = true
   28    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────


Result #2 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:24-28
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_s3_bucket" "bucket" {
   25      count         = var.enabled ? 1 : 0
   26      bucket        = var.bucket_name
   27      force_destroy = true
   28    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  modules/guardduty/main.tf:24-28
   via main.tf:114-136 (module.guardduty)
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_s3_bucket" "bucket" {
   25      count         = var.enabled ? 1 : 0
   26      bucket        = var.bucket_name
   27      force_destroy = true
   28    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             844.411µs
  parsing              1.259175361s
  adaptation           2.154719ms
  checks               8.459172ms
  total                1.270633663s

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    11
  blocks processed     471
  files read           42

  results
  ──────────────────────────────────────────
  passed               11
  ignored              8
  critical             0
  high                 1
  medium               2
  low                  0

  11 passed, 8 ignored, 3 potential problem(s) detected.

d4kverma
d4kverma approved these changes Sep 29, 2023
View reviewed changes
Copy link
Member

@d4kverma d4kverma left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix conflicts and tflint error

@d4kverma d4kverma self-requested a review September 29, 2023 07:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nikitadugar nikitadugar Awaiting requested review from nikitadugar

@themaniskshah themaniskshah Awaiting requested review from themaniskshah

@d4kverma d4kverma Awaiting requested review from d4kverma

Assignees

@clouddrove-ci clouddrove-ci

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@theprashantyadav @clouddrove-ci @d4kverma @themaniskshah