-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtfsec-scan-output.txt
147 lines (127 loc) · 9.53 KB
/
tfsec-scan-output.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
Result #1 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
main.tf:13-37
────────────────────────────────────────────────────────────────────────────────
13 ┌ resource "aws_s3_bucket" "foo-bucket" {
14 │ region = var.region
15 │ bucket = local.bucket_name
16 │ force_destroy = true
17 │
18 │ tags = {
19 │ Name = "foo-${data.aws_caller_identity.current.account_id}"
20 │ }
21 └ versioning {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified
More Information
- https://aquasecurity.github.io/tfsec/v1.27.2/checks/aws/s3/block-public-acls/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────
Result #2 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
main.tf:13-37
────────────────────────────────────────────────────────────────────────────────
13 ┌ resource "aws_s3_bucket" "foo-bucket" {
14 │ region = var.region
15 │ bucket = local.bucket_name
16 │ force_destroy = true
17 │
18 │ tags = {
19 │ Name = "foo-${data.aws_caller_identity.current.account_id}"
20 │ }
21 └ versioning {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT
More Information
- https://aquasecurity.github.io/tfsec/v1.27.2/checks/aws/s3/block-public-policy/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────
Result #3 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
main.tf:13-37
────────────────────────────────────────────────────────────────────────────────
13 ┌ resource "aws_s3_bucket" "foo-bucket" {
14 │ region = var.region
15 │ bucket = local.bucket_name
16 │ force_destroy = true
17 │
18 │ tags = {
19 │ Name = "foo-${data.aws_caller_identity.current.account_id}"
20 │ }
21 └ versioning {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls
More Information
- https://aquasecurity.github.io/tfsec/v1.27.2/checks/aws/s3/ignore-public-acls/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────
Result #4 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
main.tf:13-37
────────────────────────────────────────────────────────────────────────────────
13 ┌ resource "aws_s3_bucket" "foo-bucket" {
14 │ region = var.region
15 │ bucket = local.bucket_name
16 │ force_destroy = true
17 │
18 │ tags = {
19 │ Name = "foo-${data.aws_caller_identity.current.account_id}"
20 │ }
21 └ versioning {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)
More Information
- https://aquasecurity.github.io/tfsec/v1.27.2/checks/aws/s3/no-public-buckets/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────
Result #5 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
main.tf:13-37
────────────────────────────────────────────────────────────────────────────────
13 ┌ resource "aws_s3_bucket" "foo-bucket" {
14 │ region = var.region
15 │ bucket = local.bucket_name
16 │ force_destroy = true
17 │
18 │ tags = {
19 │ Name = "foo-${data.aws_caller_identity.current.account_id}"
20 │ }
21 └ versioning {
..
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies
More Information
- https://aquasecurity.github.io/tfsec/v1.27.2/checks/aws/s3/specify-public-access-block/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────
timings
──────────────────────────────────────────
counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 4
files read 1
results
──────────────────────────────────────────
passed 5
ignored 0
critical 0
high 4
medium 0
low 1
5 passed, 5 potential problem(s) detected.