Skip to content

Create ec2v3.tf #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
caswalker wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Create ec2v3.tf #7

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b500196
Create ec2v3.tf
caswalker Feb 14, 2022
d9b97e2
Bridgecrew bot fix for ec2v3.tf
bridgecrew[bot] Feb 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
309 changes: 309 additions & 0 deletions ec2v3.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,309 @@
resource "aws_instance" "web_host" {
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "aws_instance" "web_host" {
*_block_device {
encrypted = true
}
}
HIGH   EBS volumes do not have encrypted launch configurations
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_13

Description

Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.

Benchmarks

  • PCI-DSS V3.2 3

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "aws_instance" "web_host" {
ebs_optimized = true
}
LOW   EC2 EBS is not optimized
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_68

Description

TBA

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Instance Metadata Service version 1 is enabled
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_31

How to Fix

resource "aws_instance" "example" {
  ...
  instance_type     = "t2.micro"
+   metadata_options {
        ...
+       http_endpoint = "enabled"
+       http_tokens   = "required"
+  }
  ...
}

Description

The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata. You can access instance metadata from a running instance using one of the following methods: * Instance Metadata Service Version 1 (IMDSv1) – a request/response method * Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

As a request/response method IMDSv1 is prone to local misconfigurations:

  • Open proxies, open NATs and routers, server-side reflection vulnerabilities.
  • One way or another, local software might access local-only data.

Benchmarks

  • FEDRAMP (MODERATE) AC-6

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   EC2 user data exposes secrets
    Resource: aws_instance.web_host | ID: BC_AWS_SECRETS_1

How to Fix

resource "aws_instance" "web" {
    ...
    instance_type = "t3.micro"
-    user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}

Description

**User Data** is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations. This code is not encrypted.

Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   EC2 user data exposes secrets
    Resource: aws_instance.web_host | ID: BC_AWS_SECRETS_1

How to Fix

resource "aws_instance" "web" {
    ...
    instance_type = "t3.micro"
-    user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}

Description

**User Data** is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations. This code is not encrypted.

Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Instance Metadata Service version 1 is enabled
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_31

How to Fix

resource "aws_instance" "example" {
  ...
  instance_type     = "t2.micro"
+   metadata_options {
        ...
+       http_endpoint = "enabled"
+       http_tokens   = "required"
+  }
  ...
}

Description

The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata. You can access instance metadata from a running instance using one of the following methods: * Instance Metadata Service Version 1 (IMDSv1) – a request/response method * Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

As a request/response method IMDSv1 is prone to local misconfigurations:

  • Open proxies, open NATs and routers, server-side reflection vulnerabilities.
  • One way or another, local software might access local-only data.

Benchmarks

  • FEDRAMP (MODERATE) AC-6

# ec2 have plain text secrets in user data
ami = "${var.ami}"
instance_type = "t2.nano"

vpc_security_group_ids = [
"${aws_security_group.web-node.id}"]
subnet_id = "${aws_subnet.web_subnet.id}"
user_data = <<EOF
#! /bin/bash
sudo apt-get update
sudo apt-get install -y apache2
sudo systemctl start apache2
sudo systemctl enable apache2
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA
export AWS_SECRET_ACCESS_KEY=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
export AWS_DEFAULT_REGION=us-west-2
echo "<h1>Deployed via Terraform</h1>" | sudo tee /var/www/html/index.html
EOF
tags = merge({
Name = "${local.resource_prefix.value}-ec2"
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6"
})
}
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
monitoring = true
}
MEDIUM   Detailed monitoring for EC2 instances is disabled
    Resource: aws_instance.web_host | ID: BC_AWS_LOGGING_26

Description

TBA

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
ebs_optimized = true
}
LOW   EC2 EBS is not optimized
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_68

Description

TBA

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
monitoring = true
}
MEDIUM   Detailed monitoring for EC2 instances is disabled
    Resource: aws_instance.web_host | ID: BC_AWS_LOGGING_26

Description

TBA

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
*_block_device {
encrypted = true
}
HIGH   EBS volumes do not have encrypted launch configurations
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_13

Description

Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.

Benchmarks

  • PCI-DSS V3.2 3


resource "aws_ebs_volume" "web_host_storage" {
Copy link

@bridgecrew bridgecrew bot Feb 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
    Resource: aws_ebs_volume.web_host_storage | ID: BC_AWS_GENERAL_109

How to Fix

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
+ kms_key_id = "ckv_kms"
  tags = {
    Name = "HelloWorld"
  }
}

Description

Amazon EBS automatically creates a unique AWS managed key in each Region where you store AWS resources. This KMS key has the alias alias/aws/ebs. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a symmetric customer managed key that you created as the default KMS key for EBS encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Dependent Resources



Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
    Resource: aws_ebs_volume.web_host_storage | ID: BC_AWS_GENERAL_109

How to Fix

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
+ kms_key_id = "ckv_kms"
  tags = {
    Name = "HelloWorld"
  }
}

Description

Amazon EBS automatically creates a unique AWS managed key in each Region where you store AWS resources. This KMS key has the alias alias/aws/ebs. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a symmetric customer managed key that you created as the default KMS key for EBS encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
    Resource: aws_ebs_volume.web_host_storage | ID: BC_AWS_GENERAL_109

How to Fix

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
+ kms_key_id = "ckv_kms"
  tags = {
    Name = "HelloWorld"
  }
}

Description

Amazon EBS automatically creates a unique AWS managed key in each Region where you store AWS resources. This KMS key has the alias alias/aws/ebs. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a symmetric customer managed key that you created as the default KMS key for EBS encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Not only encrypted EBS volumes are attached to EC2 instances
    Resource: aws_ebs_volume.web_host_storage | ID: BC_AWS_GENERAL_60

How to Fix

resource "aws_instance" "web" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}

resource "aws_volume_attachment" "ok_attachment1" {
  device_name = "/dev/sdh3"
  volume_id   = aws_ebs_volume.ok_ebs2.id
  instance_id = aws_instance.web.id
}


resource "aws_ebs_volume" "ok_ebs2" {
  availability_zone = ""
  encrypted = true
}

Description

TBA

Dependent Resources



Calculating...

# unencrypted volume
availability_zone = "${var.region}a"
#encrypted = false # Setting this causes the volume to be recreated on apply
size = 1
tags = merge({
Name = "${local.resource_prefix.value}-ebs"
}, {
git_commit = "d3439f0f2af62f6fa3521e14d6c27819ef8f12e1"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2021-05-02 11:17:26"
git_last_modified_by = "nimrodkor@users.noreply.github.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "c5509daf-10f0-46af-9e03-41989212521d"
})
encrypted = true
}
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
encrypted = true
}
HIGH   AWS EBS volumes are not encrypted
    Resource: aws_ebs_volume.web_host_storage | ID: BC_AWS_GENERAL_3

Description

Encrypting EBS volumes ensures that replicated copies of your images are secure even if they are accidentally exposed. AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots. Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss. We recommend you encrypt all data stored in the EBS.

Benchmarks

  • PCI-DSS V3.2.1 3.4
  • PCI-DSS V3.2 3
  • NIST-800-53 SC-2
  • FEDRAMP (MODERATE) SC-28
Dependent Resources

Calculating...


resource "aws_ebs_snapshot" "example_snapshot" {
# ebs snapshot without encryption
volume_id = "${aws_ebs_volume.web_host_storage.id}"
description = "${local.resource_prefix.value}-ebs-snapshot"
tags = merge({
Name = "${local.resource_prefix.value}-ebs-snapshot"
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "c1008080-ec2f-4512-a0d0-2e9330aa58f0"
})
}

resource "aws_volume_attachment" "ebs_att" {
device_name = "/dev/sdh"
volume_id = "${aws_ebs_volume.web_host_storage.id}"
instance_id = "${aws_instance.web_host.id}"
}

resource "aws_security_group" "web-node" {
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Not every Security Group rule has a description
    Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_31

Description

Descriptions can be up to 255 characters long and can be set and viewed from the AWS Management Console, AWS Command Line Interface (CLI), and the AWS APIs.

We recommend you add descriptive text to each of your Security Group Rules clarifying each rule's goals, this helps prevent developer errors.

Benchmarks

  • SOC2 CC6.3.3
  • ISO27001 A.10.1.1

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   AWS Security Group allows all traffic on SSH port 22
    Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_1

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2.1 1.2.1, 1.3, 2.2.2
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.10.1.1
  • CIS AWS V1.2 4.1
  • CIS AWS V1.3 5.2
  • FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   AWS Security Group allows all traffic on SSH port 22
    Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_1

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2.1 1.2.1, 1.3, 2.2.2
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.10.1.1
  • CIS AWS V1.2 4.1
  • CIS AWS V1.3 5.2
  • FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Not every Security Group rule has a description
    Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_31

Description

Descriptions can be up to 255 characters long and can be set and viewed from the AWS Management Console, AWS Command Line Interface (CLI), and the AWS APIs.

We recommend you add descriptive text to each of your Security Group Rules clarifying each rule's goals, this helps prevent developer errors.

Benchmarks

  • SOC2 CC6.3.3
  • ISO27001 A.10.1.1

# security group is open to the world in SSH port
name = "${local.resource_prefix.value}-sg"
description = "${local.resource_prefix.value} Security Group"
vpc_id = aws_vpc.web_vpc.id

ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = [
"0.0.0.0/0"]
}
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [
"0.0.0.0/0"]
}
depends_on = [aws_vpc.web_vpc]
tags = {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "b7af1b40-64eb-4519-a1a0-ab198db4b193"
}
}

resource "aws_vpc" "web_vpc" {
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   AWS Default Security Group does not restrict all traffic
    Resource: aws_vpc.web_vpc | ID: BC_AWS_NETWORKING_4

How to Fix

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

Description

A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.

We recommend that your default security group restricts all inbound and outbound traffic. The default VPC in every region should have its default security group updated to comply with this recommendation. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups. This in-turn reduces the exposure of those resources.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2.1 1.3, 2.1
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.13.1.3
  • CIS AWS V1.2 4.4
  • FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   AWS Default Security Group does not restrict all traffic
    Resource: aws_vpc.web_vpc | ID: BC_AWS_NETWORKING_4

How to Fix

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

Description

A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.

We recommend that your default security group restricts all inbound and outbound traffic. The default VPC in every region should have its default security group updated to comply with this recommendation. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups. This in-turn reduces the exposure of those resources.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2.1 1.3, 2.1
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.13.1.3
  • CIS AWS V1.2 4.4
  • FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

cidr_block = "172.16.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = merge({
Name = "${local.resource_prefix.value}-vpc"
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "9bf2359b-952e-4570-9595-52eba4c20473"
})
}

resource "aws_subnet" "web_subnet" {
Copy link

@bridgecrew bridgecrew bot Feb 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM   Ensure VPC subnets do not assign public IP by default
    Resource: aws_subnet.web_subnet | ID: BC_AWS_NETWORKING_53

How to Fix

resource "aws_subnet" "test" {
 ...
+ map_public_ip_on_launch = false
  }

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

Dependent Resources



Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "aws_subnet" "web_subnet" {
MEDIUM   VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.web_subnet | ID: BC_AWS_NETWORKING_53

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

vpc_id = aws_vpc.web_vpc.id
cidr_block = "172.16.10.0/24"
availability_zone = "${var.region}a"
map_public_ip_on_launch = true
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
map_public_ip_on_launch = true
MEDIUM   VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.web_subnet | ID: BC_AWS_NETWORKING_53

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.


tags = merge({
Name = "${local.resource_prefix.value}-subnet"
}, {
git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2021-05-02 11:16:31"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "0345f650-d280-4ca8-86c9-c71c38c0eda8"
})
}

resource "aws_subnet" "web_subnet2" {
Copy link

@bridgecrew bridgecrew bot Feb 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM   Ensure VPC subnets do not assign public IP by default
    Resource: aws_subnet.web_subnet2 | ID: BC_AWS_NETWORKING_53

How to Fix

resource "aws_subnet" "test" {
 ...
+ map_public_ip_on_launch = false
  }

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

Dependent Resources



Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "aws_subnet" "web_subnet2" {
MEDIUM   VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.web_subnet2 | ID: BC_AWS_NETWORKING_53

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

vpc_id = aws_vpc.web_vpc.id
cidr_block = "172.16.11.0/24"
availability_zone = "${var.region}b"
map_public_ip_on_launch = true
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
map_public_ip_on_launch = true
MEDIUM   VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.web_subnet2 | ID: BC_AWS_NETWORKING_53

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.


tags = merge({
Name = "${local.resource_prefix.value}-subnet2"
}, {
git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2021-05-02 11:16:31"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "224af03a-00e0-4981-be30-14965833c2db"
})
}


resource "aws_internet_gateway" "web_igw" {
vpc_id = aws_vpc.web_vpc.id

tags = merge({
Name = "${local.resource_prefix.value}-igw"
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "d8e63cb4-2fb5-4726-9c86-5fd05ef03674"
})
}

resource "aws_route_table" "web_rtb" {
vpc_id = aws_vpc.web_vpc.id

tags = merge({
Name = "${local.resource_prefix.value}-rtb"
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "5e4fee6e-a6aa-4b61-a741-47c5efb463e1"
})
}

resource "aws_route_table_association" "rtbassoc" {
subnet_id = aws_subnet.web_subnet.id
route_table_id = aws_route_table.web_rtb.id
}

resource "aws_route_table_association" "rtbassoc2" {
subnet_id = aws_subnet.web_subnet2.id
route_table_id = aws_route_table.web_rtb.id
}

resource "aws_route" "public_internet_gateway" {
route_table_id = aws_route_table.web_rtb.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.web_igw.id

timeouts {
create = "5m"
}
}


resource "aws_network_interface" "web-eni" {
subnet_id = aws_subnet.web_subnet.id
private_ips = ["172.16.10.100"]

tags = merge({
Name = "${local.resource_prefix.value}-primary_network_interface"
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "7e2ffea8-739f-467d-b57b-53cbc0d7ccbe"
})
}

# VPC Flow Logs to S3
resource "aws_flow_log" "vpcflowlogs" {
log_destination = aws_s3_bucket.flowbucket.arn
log_destination_type = "s3"
traffic_type = "ALL"
vpc_id = aws_vpc.web_vpc.id

tags = merge({
Name = "${local.resource_prefix.value}-flowlogs"
Environment = local.resource_prefix.value
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "6808d4b7-45bc-4d1d-9523-96757a3add3a"
})
}

resource "aws_s3_bucket" "flowbucket" {
Copy link

@bridgecrew bridgecrew bot Feb 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure S3 buckets are encrypted with KMS by default
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_56

How to Fix

resource "aws_s3_bucket" "mybucket" {
  ...
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
 +      sse_algorithm     = "aws:kms"
      }
    }
  }
}

Description

TBA

Dependent Resources



Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

Copy link

@bridgecrew bridgecrew bot Feb 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure S3 bucket has cross-region replication enabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_72

How to Fix

resource "aws_s3_bucket" "test" {
  ...
+  replication_configuration {
+    role = aws_iam_role.replication.arn
+    rules {
+      id     = "foobar"
+      prefix = "foo"
+      status = "Enabled"
+
+      destination {
+        bucket        = aws_s3_bucket.destination.arn
+        storage_class = "STANDARD"
+      }
+    }
+  }
}

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

Dependent Resources



Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "aws_s3_bucket" "flowbucket" {
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
}
LOW   S3 buckets are not encrypted with KMS
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_56

Description

TBA

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "aws_s3_bucket" "flowbucket" {
versioning {
enabled = true
}
}
HIGH   AWS S3 object versioning is disabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_16

Description

S3 versioning is a managed data backup and recovery service provided by AWS. When enabled it allows users to retrieve and restore previous versions of their buckets.

S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.

Benchmarks

  • PCI-DSS V3.2.1 10.5.3
  • FEDRAMP (MODERATE) CP-10, SI-12

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   S3 bucket cross-region replication disabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_72

How to Fix

resource "aws_s3_bucket" "test" {
  ...
+  replication_configuration {
+    role = aws_iam_role.replication.arn
+    rules {
+      id     = "foobar"
+      prefix = "foo"
+      status = "Enabled"
+
+      destination {
+        bucket        = aws_s3_bucket.destination.arn
+        storage_class = "STANDARD"
+      }
+    }
+  }
}

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   terraform build demo
    Resource: aws_s3_bucket.flowbucket | ID: 807152304871829504_AWS_1643881781204

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_NETWORKING_52

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}

Description

When you create an S3 bucket, it is good practice to set the additional resource **aws_s3_bucket_public_access_block** to ensure the bucket is never accidentally public.

We recommend you ensure S3 bucket has public access blocks. If the public access block is not attached it defaults to False.

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   All S3 Buckets must have a tag with key Classification and have versioning enabled
    Resource: aws_s3_bucket.flowbucket | ID: 807152304871829504_AWS_1643813941482

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   AWS access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_13

How to Fix

resource "aws_s3_bucket" "bucket" {
  acl    = var.s3_bucket_acl
  bucket = var.s3_bucket_name
  policy = var.s3_bucket_policy

  force_destroy = var.s3_bucket_force_destroy
  versioning {
    enabled    = var.versioning
    mfa_delete = var.mfa_delete
  }

+  dynamic "logging" {
+    for_each = var.logging
+    content {
+      target_bucket = logging.value["target_bucket"]
+      target_prefix = "log/${var.s3_bucket_name}"
+    }
+  }
}

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

Benchmarks

  • HIPAA 164.312(B) Audit controls

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
resource "aws_s3_bucket" "flowbucket" {
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}
HIGH   Data stored in the S3 bucket is not securely encrypted at rest
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_14

Description

SSE helps prevent unauthorized access to S3 buckets. Encrypting and decrypting data at the S3 bucket level is transparent to users when accessing data.

Benchmarks

  • PCI-DSS V3.2.1 3.4
  • PCI-DSS V3.2 3
  • NIST-800-53 AC-17, SC-2
  • CIS AWS V1.3 2.1.1
  • FEDRAMP (MODERATE) SC-28

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   S3 bucket cross-region replication disabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_72

How to Fix

resource "aws_s3_bucket" "test" {
  ...
+  replication_configuration {
+    role = aws_iam_role.replication.arn
+    rules {
+      id     = "foobar"
+      prefix = "foo"
+      status = "Enabled"
+
+      destination {
+        bucket        = aws_s3_bucket.destination.arn
+        storage_class = "STANDARD"
+      }
+    }
+  }
}

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   terraform build demo
    Resource: aws_s3_bucket.flowbucket | ID: 807152304871829504_AWS_1643881781204

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   AWS access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_13

How to Fix

resource "aws_s3_bucket" "bucket" {
  acl    = var.s3_bucket_acl
  bucket = var.s3_bucket_name
  policy = var.s3_bucket_policy

  force_destroy = var.s3_bucket_force_destroy
  versioning {
    enabled    = var.versioning
    mfa_delete = var.mfa_delete
  }

+  dynamic "logging" {
+    for_each = var.logging
+    content {
+      target_bucket = logging.value["target_bucket"]
+      target_prefix = "log/${var.s3_bucket_name}"
+    }
+  }
}

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

Benchmarks

  • HIPAA 164.312(B) Audit controls

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH   All S3 Buckets must have a tag with key Classification and have versioning enabled
    Resource: aws_s3_bucket.flowbucket | ID: 807152304871829504_AWS_1643813941482

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_NETWORKING_52

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}

Description

When you create an S3 bucket, it is good practice to set the additional resource **aws_s3_bucket_public_access_block** to ensure the bucket is never accidentally public.

We recommend you ensure S3 bucket has public access blocks. If the public access block is not attached it defaults to False.

bucket = "${local.resource_prefix.value}-flowlogs"
force_destroy = true

tags = merge({
Name = "${local.resource_prefix.value}-flowlogs"
Environment = local.resource_prefix.value
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/ec2.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "f058838a-b1e0-4383-b965-7e06e987ffb1"
})
}
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
}
LOW   S3 buckets are not encrypted with KMS
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_56

Description

TBA

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}
HIGH   Data stored in the S3 bucket is not securely encrypted at rest
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_14

Description

SSE helps prevent unauthorized access to S3 buckets. Encrypting and decrypting data at the S3 bucket level is transparent to users when accessing data.

Benchmarks

  • PCI-DSS V3.2.1 3.4
  • PCI-DSS V3.2 3
  • NIST-800-53 AC-17, SC-2
  • CIS AWS V1.3 2.1.1
  • FEDRAMP (MODERATE) SC-28

Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
versioning {
enabled = true
}
}
HIGH   AWS S3 object versioning is disabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_16

Description

S3 versioning is a managed data backup and recovery service provided by AWS. When enabled it allows users to retrieve and restore previous versions of their buckets.

S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.

Benchmarks

  • PCI-DSS V3.2.1 10.5.3
  • FEDRAMP (MODERATE) CP-10, SI-12


output "ec2_public_dns" {
description = "Web Host Public DNS name"
value = aws_instance.web_host.public_dns
}

output "vpc_id" {
description = "The ID of the VPC"
value = aws_vpc.web_vpc.id
}

output "public_subnet" {
description = "The ID of the Public subnet"
value = aws_subnet.web_subnet.id
}

output "public_subnet2" {
description = "The ID of the Public subnet"
value = aws_subnet.web_subnet2.id
}