Azure storage updates #47
Conversation
![prisma-cloud-devsecops[bot]](https://avatars.githubusercontent.com/in/135857?s=60&v=4){kind=small}
| @@ -82,6 +82,7 @@ resource "azurerm_storage_account" "example" { | |||
| } | |||
|
|
|||
| resource "azurerm_storage_container" "example" { | |||
| # this blob container is public | |||
There was a problem hiding this comment.
Azure storage account has a blob container that is publicly accessible
Resource: azurerm_storage_container.example | Checkov ID: CKV_AZURE_34
How to Fix
resource "azurerm_storage_container" "example" {
...
+ container_access_type = "private"
}Description
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage.
It grants read-only access to these resources without sharing the account key or requiring a shared access signature.
We recommend you do not provide anonymous access to blob containers until, and unless, it is strongly desired.
A shared access signature token should be used for providing controlled and timed access to blob containers.
| @@ -49,8 +50,12 @@ resource "aws_ebs_volume" "web_host_storage" { | |||
| git_repo = "terragoat" | |||
| yor_trace = "c5509daf-10f0-46af-9e03-41989212521d" | |||
| }) | |||
|
|
|||
There was a problem hiding this comment.
AWS EBS volumes are not encrypted
Resource: aws_ebs_volume.web_host_storage | Checkov ID: CKV_AWS_3
How to Fix
resource "aws_ebs_volume" "example" {
...
availability_zone = "${var.availability_zone}"
+ encrypted = true
...
}Description
Encrypting EBS volumes ensures that replicated copies of your images are secure even if they are accidentally exposed.
AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss.
We recommend you encrypt all data stored in the EBS.
No description provided.