Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

info only #25

Merged
merged 1 commit into from
Mar 7, 2023
Merged

info only #25

merged 1 commit into from
Mar 7, 2023

Conversation

jluevan13
Copy link
Owner

No description provided.

@jluevan13 jluevan13 merged commit 8c2330a into master Mar 7, 2023
Copy link

@prisma-cloud-devsecops prisma-cloud-devsecops bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prisma Cloud has found errors in this PR ⬇️

@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
# bucket is not encrypted

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  Weib Test S3
    Resource: aws_s3_bucket.data | Bridgecrew ID: 1043237819080398848_AWS_1673630255979

Description

Remove public access

@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
# bucket is not encrypted

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  Weibeler - Public S3 Buckets
    Resource: aws_s3_bucket.data | Bridgecrew ID: 1043237819080398848_AWS_1668813444422

@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
# bucket is not encrypted

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM  AWS Access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_13 | Checkov ID: CKV_AWS_18

How to Fix

resource "aws_s3_bucket" "bucket" {
  acl    = var.s3_bucket_acl
  bucket = var.s3_bucket_name
  policy = var.s3_bucket_policy

  force_destroy = var.s3_bucket_force_destroy
  versioning {
    enabled    = var.versioning
    mfa_delete = var.mfa_delete
  }

+  dynamic "logging" {
+    for_each = var.logging
+    content {
+      target_bucket = logging.value["target_bucket"]
+      target_prefix = "log/${var.s3_bucket_name}"
+    }
+  }
}

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

Benchmarks

  • HIPAA 164.312(B) Audit controls

@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" {
# bucket is not encrypted

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM  AWS S3 Object Versioning is disabled
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_16 | Checkov ID: CKV_AWS_21

How to Fix

resource "aws_s3_bucket" "state_bucket" {
  bucket        = "${data.aws_caller_identity.current.account_id}-terraform-state"
  acl           = var.acl
  force_destroy = var.force_destroy

+  versioning {
+    enabled    = true
+  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = var.sse_algorithm
      }
    }
  }

  tags = var.common_tags
}

Description

S3 versioning is a managed data backup and recovery service provided by AWS. When enabled it allows users to retrieve and restore previous versions of their buckets.

S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.

Benchmarks

  • PCI-DSS V3.2.1 10.5.3
  • FEDRAMP (MODERATE) CP-10, SI-12

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant