Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

another onev12 #19

Merged
merged 1 commit into from
Mar 7, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions terraform/aws/s3.tf
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
# bucket is not encrypted

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  Weibeler - Public S3 Buckets
    Resource: aws_s3_bucket.data | Bridgecrew ID: 1043237819080398848_AWS_1668813444422

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  Weib Test S3
    Resource: aws_s3_bucket.data | Bridgecrew ID: 1043237819080398848_AWS_1673630255979

Description

Remove public access

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM  AWS Access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_13 | Checkov ID: CKV_AWS_18

How to Fix

resource "aws_s3_bucket" "bucket" {
  acl    = var.s3_bucket_acl
  bucket = var.s3_bucket_name
  policy = var.s3_bucket_policy

  force_destroy = var.s3_bucket_force_destroy
  versioning {
    enabled    = var.versioning
    mfa_delete = var.mfa_delete
  }

+  dynamic "logging" {
+    for_each = var.logging
+    content {
+      target_bucket = logging.value["target_bucket"]
+      target_prefix = "log/${var.s3_bucket_name}"
+    }
+  }
}

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

Benchmarks

  • HIPAA 164.312(B) Audit controls

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM  AWS S3 Object Versioning is disabled
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_16 | Checkov ID: CKV_AWS_21

How to Fix

resource "aws_s3_bucket" "state_bucket" {
  bucket        = "${data.aws_caller_identity.current.account_id}-terraform-state"
  acl           = var.acl
  force_destroy = var.force_destroy

+  versioning {
+    enabled    = true
+  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = var.sse_algorithm
      }
    }
  }

  tags = var.common_tags
}

Description

S3 versioning is a managed data backup and recovery service provided by AWS. When enabled it allows users to retrieve and restore previous versions of their buckets.

S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.

Benchmarks

  • PCI-DSS V3.2.1 10.5.3
  • FEDRAMP (MODERATE) CP-10, SI-12

# bucket does not have access logs
# bucket does not have versioning
# this is a change
bucket = "${local.resource_prefix.value}-data"
force_destroy = true
tags = merge({
Expand Down