-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
this is a change2 #32
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prisma Cloud has found errors in this PR ⬇️
@@ -3,6 +3,7 @@ resource "aws_s3_bucket" "data" { | |||
# bucket is not encrypted |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Weibeler - Public S3 Buckets
Resource: aws_s3_bucket.data | Bridgecrew ID: 1043237819080398848_AWS_1668813444422
@@ -3,6 +3,7 @@ | |||
# bucket is not encrypted |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Weib Test S3
Resource: aws_s3_bucket.data | Bridgecrew ID: 1043237819080398848_AWS_1673630255979
Description
Remove public access@@ -3,6 +3,7 @@ | |||
# bucket is not encrypted |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AWS Access logging not enabled on S3 buckets
Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_13
| Checkov ID: CKV_AWS_18
How to Fix
resource "aws_s3_bucket" "bucket" {
acl = var.s3_bucket_acl
bucket = var.s3_bucket_name
policy = var.s3_bucket_policy
force_destroy = var.s3_bucket_force_destroy
versioning {
enabled = var.versioning
mfa_delete = var.mfa_delete
}
+ dynamic "logging" {
+ for_each = var.logging
+ content {
+ target_bucket = logging.value["target_bucket"]
+ target_prefix = "log/${var.s3_bucket_name}"
+ }
+ }
}
Description
Access logging provides detailed audit logging for all objects and folders in an S3 bucket.Benchmarks
- HIPAA 164.312(B) Audit controls
@@ -3,6 +3,7 @@ | |||
# bucket is not encrypted |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AWS S3 Object Versioning is disabled
Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_16
| Checkov ID: CKV_AWS_21
How to Fix
resource "aws_s3_bucket" "state_bucket" {
bucket = "${data.aws_caller_identity.current.account_id}-terraform-state"
acl = var.acl
force_destroy = var.force_destroy
+ versioning {
+ enabled = true
+ }
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = var.sse_algorithm
}
}
}
tags = var.common_tags
}
Description
S3 versioning is a managed data backup and recovery service provided by AWS. When enabled it allows users to retrieve and restore previous versions of their buckets.S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.
Benchmarks
- PCI-DSS V3.2.1 10.5.3
- FEDRAMP (MODERATE) CP-10, SI-12
No description provided.