Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Azure storage updates #47

Merged
merged 2 commits into from
Dec 13, 2023
Merged

Azure storage updates #47

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3b328c2
comment public blob container
jluevan13 Jun 6, 2023
1226bd1
update ebs volume
jluevan13 Dec 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions terraform/aws/ec2.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ EOF
})
}


resource "aws_ebs_volume" "web_host_storage" {
# unencrypted volume
availability_zone = "${var.region}a"
Expand All @@ -49,8 +50,12 @@ resource "aws_ebs_volume" "web_host_storage" {
git_repo = "terragoat"
yor_trace = "c5509daf-10f0-46af-9e03-41989212521d"
})

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  AWS EBS volumes are not encrypted
    Resource: aws_ebs_volume.web_host_storage | Checkov ID: CKV_AWS_3

How to Fix

resource "aws_ebs_volume" "example" {
  ...
  availability_zone = "${var.availability_zone}"
+ encrypted         = true
  ...
}

Description

Encrypting EBS volumes ensures that replicated copies of your images are secure even if they are accidentally exposed.
AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots.
Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss.
We recommend you encrypt all data stored in the EBS.


}



resource "aws_ebs_snapshot" "example_snapshot" {
# ebs snapshot without encryption
volume_id = aws_ebs_volume.web_host_storage.id
Expand Down
1 change: 1 addition & 0 deletions terraform/azure/storage.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ resource "azurerm_storage_account" "example" {
}

resource "azurerm_storage_container" "example" {
# this blob container is public
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH  Azure storage account has a blob container that is publicly accessible
    Resource: azurerm_storage_container.example | Checkov ID: CKV_AZURE_34

How to Fix

resource "azurerm_storage_container" "example" {
    ...
+   container_access_type = "private"
}

Description

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage.
It grants read-only access to these resources without sharing the account key or requiring a shared access signature.
We recommend you do not provide anonymous access to blob containers until, and unless, it is strongly desired.
A shared access signature token should be used for providing controlled and timed access to blob containers.

name = "content"
storage_account_name = azurerm_storage_account.example.name
container_access_type = "public"
Expand Down
Loading