Iac pr #2
base: main
Conversation
checkov found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
Prisma Cloud has found errors in this PR ⬇️
| } | ||
| } | ||
|
|
||
| resource linuxVm 'Microsoft.Compute/virtualMachines@2020-06-01' = { |
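Review bot: CKV_AZURE_149 here and CKV_AZURE_1 (raised further down on the same `linuxVm` resource) are resolved by one change to the `Microsoft.Compute/virtualMachines` resource: set `disablePasswordAuthentication: true` under `osProfile.linuxConfiguration` and supply the admin public key under `osProfile.linuxConfiguration.ssh.publicKeys`; fixing only one of the two findings leaves a password path open.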
Azure Virtual machine enables password authentication
Resource: Microsoft.Compute/virtualMachines.linuxVm | Checkov ID: CKV_AZURE_149
Description
Disabling password authentication for your Azure virtual machine (VM) can help improve the security of your VM.
Password authentication allows users to access the VM using a password, rather than an Azure Active Directory (Azure AD) account or other form of authentication.
By disabling password authentication, you can help prevent unauthorized access to your VM and protect it from potential security threats such as data breaches or unauthorized access.
Instead, you should use more secure forms of authentication such as Azure AD, SSH keys, or multi-factor authentication.
|
|
||
| var name = 'bicepgoat' | ||
|
|
||
| resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-02-01' = { |
Kubernetes dashboard is not disabled
Resource: Microsoft.ContainerService/managedClusters.aksCluster | Checkov ID: CKV_AZURE_8
Description
The Terraform provider for Azure provides the capability to disable the Kubernetes dashboard on an AKS cluster.
This is achieved by providing the Kubernetes dashboard as an AKS add-on like the Azure Monitor for containers integration, AKS virtual nodes, or HTTP application routing.
The dashboard add-on is disabled by default for all new clusters created on Kubernetes 1.18 or greater.
In mid-2019 Tesla was hacked and their Kubernetes dashboard was open to the internet.
Hackers browsed around and found credentials, eventually managing to deploy pods running bitcoin mining software.
We recommend you disable the Kubernetes dashboard to prevent the need to manage its individual access interface, eliminating it as an attack vector.
|
|
||
| var name = 'bicepgoat' | ||
|
|
||
| resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-02-01' = { |
Azure AKS cluster network policies are not enforced
Resource: Microsoft.ContainerService/managedClusters.aksCluster | Checkov ID: CKV_AZURE_7
Description
Network policy options in AKS include two ways to implement a network policy.
You can choose between Azure Network Policies or Calico Network Policies.
In both cases, the underlying controlling layer is based on Linux IPTables to enforce the specified policies.
Policies are translated into sets of allowed and disallowed IP pairs.
These pairs are then programmed as IPTable rules.
The principle of least privilege should be applied to how traffic can flow between pods in an AKS cluster.
We recommend you select a preferred network policy framework and enforce granular usage-based policies on the architecture and business logic of your applications.
| } | ||
| } | ||
|
|
||
| resource linuxVm 'Microsoft.Compute/virtualMachines@2020-06-01' = { |
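Review bot: CKV_AZURE_151 is titled as a Windows VM encryption check, yet it is raised against the resource named `linuxVm`; confirm which encryption check actually applies to this resource before adding a setting for it, and record the title/resource mismatch in the PR rather than suppressing the finding without looking.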
Azure Windows VM does not enable encryption
Resource: Microsoft.Compute/virtualMachines.linuxVm | Checkov ID: CKV_AZURE_151
Description
Enabling encryption for your Azure Windows virtual machine (VM) can help improve the security of your VM and its data.
Encryption helps protect data by encoding it in such a way that it can only be accessed by authorized users.
| } | ||
| } | ||
|
|
||
| resource linuxVm 'Microsoft.Compute/virtualMachines@2020-06-01' = { |
Azure Virtual Machine (Linux) does not authenticate using SSH keys
Resource: Microsoft.Compute/virtualMachines.linuxVm | Checkov ID: CKV_AZURE_1
Description
SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections.
SSH is the default connection protocol for Linux VMs hosted in Azure.
Using secure shell (SSH) key pairs, it is possible to spin up a Linux virtual machine on Azure that defaults to using SSH keys for authentication, eliminating the need for passwords to sign in.
We recommend connecting to a VM using SSH keys.
Using basic authentication with SSH connections leaves VMs vulnerable to brute-force attacks or guessing of passwords.
| git_repo = "terragoat" | ||
| yor_trace = "f7999d4e-c983-43ee-bd88-7903a6f8483e" | ||
| }) | ||
| } |
| } | |
| metadata_options { | |
| http_tokens = "required" | |
| } | |
| } |
AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Resource: aws_instance.db_app | Checkov ID: CKV_AWS_79
Description
The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata.
You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) -- a request/response method
- Instance Metadata Service Version 2 (IMDSv2) -- a session-oriented method
As a request/response method IMDSv1 is prone to local misconfigurations:
- Open proxies, open NATs and routers, server-side reflection vulnerabilities.
- One way or another, local software might access local-only data.
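The IMDSv1/IMDSv2 distinction in the finding above, expressed as a small policy check in the style of a custom Checkov resource check. This is an added example, not code from the PR or from Checkov itself; it assumes the list-wrapped attribute dict that Checkov's Terraform parser hands to `scan_resource_conf`, and encodes the AWS defaults (endpoint enabled, `http_tokens = "optional"`) that apply when `metadata_options` is absent.

```python
"""Evaluate Terraform aws_instance blocks for IMDSv2 enforcement (CKV_AWS_79).

Added example, not code from the PR or from Checkov. Assumes the resource
configuration arrives in the list-wrapped dict shape Checkov's Terraform
parser produces (every attribute value is a one-element list), and applies
the AWS defaults: with no metadata_options block the endpoint is enabled and
http_tokens is "optional", so unsigned IMDSv1 requests are still answered.
"""
from enum import Enum


class Result(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


def _first(conf, key, default=None):
    """Unwrap Checkov's one-element list around an attribute value."""
    value = conf.get(key)
    if isinstance(value, list) and value:
        return value[0]
    return default if value is None else value


def check_imdsv2(conf: dict) -> Result:
    """Return PASSED only when IMDSv1 cannot be used on the instance."""
    metadata = _first(conf, "metadata_options", default={})
    # IMDS switched off entirely: nothing reachable over IMDSv1 either.
    if _first(metadata, "http_endpoint", default="enabled") == "disabled":
        return Result.PASSED
    # The AWS default "optional" still serves unauthenticated IMDSv1 requests.
    tokens = _first(metadata, "http_tokens", default="optional")
    return Result.PASSED if tokens == "required" else Result.FAILED


def scan(resources: dict) -> dict:
    """Run the check over {resource_name: conf}; returns name -> Result."""
    return {name: check_imdsv2(conf) for name, conf in resources.items()}


# Constructed sample confs modelled on the db_app instance in this PR.
BEFORE = {"ami": ["ami-0123"], "instance_type": ["t3.micro"]}
AFTER = {**BEFORE, "metadata_options": [{"http_tokens": ["required"]}]}
EXPLICIT_V1 = {**BEFORE, "metadata_options": [{"http_tokens": ["optional"]}]}
NO_IMDS = {**BEFORE, "metadata_options": [{"http_endpoint": ["disabled"]}]}

if __name__ == "__main__":
    samples = {"before": BEFORE, "after": AFTER,
               "explicit_v1": EXPLICIT_V1, "no_imds": NO_IMDS}
    for name, result in scan(samples).items():
        print(f"aws_instance.{name}: {result.value}")
```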
| lifecycle { | ||
| ignore_changes = ["password"] | ||
| } | ||
| } |
| } | |
| iam_database_authentication_enabled = true | |
| } |
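Review bot: `ignore_changes = ["password"]` in the context lines uses the pre-0.12 quoted-string form; current Terraform expects an attribute reference, `ignore_changes = [password]`, and warns that quoted references are deprecated, so it is worth correcting while this block is being edited. The suggested `iam_database_authentication_enabled = true` is fine as a one-line addition, but it only takes effect on engines and versions that support IAM authentication, so check the engine declared on this `aws_db_instance` before merging.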
RDS database does not have IAM authentication enabled
Resource: aws_db_instance.default | Checkov ID: CKV_AWS_161
Description
IAM authentication uses AWS Identity and Access Management (IAM) to authenticate users and applications that connect to your RDS database.
This can be more secure than traditional password-based authentication, as it allows you to use IAM policies and multi-factor authentication to control access to your database.
| git_repo = "terragoat" | ||
| yor_trace = "7a3ec657-fa54-4aa2-8467-5d08d6c90bc2" | ||
| }) | ||
| } |
| } | |
| encryption_configuration { | |
| encryption_type = "KMS" | |
| } | |
| } |
Unencrypted ECR repositories
Resource: aws_ecr_repository.repository | Checkov ID: CKV_AWS_136
Description
Encrypting your ECR repositories helps protect your data from unauthorized access or tampering.
That way, you can ensure that only authorized users can access and modify the contents of your repositories.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
| git_repo = "terragoat" | ||
| yor_trace = "f7999d4e-c983-43ee-bd88-7903a6f8483e" | ||
| }) | ||
| } |
| } | |
| monitoring = true | |
| } |
AWS EC2 instance detailed monitoring disabled
Resource: aws_instance.db_app | Checkov ID: CKV_AWS_126
Description
Enabling detailed monitoring for Amazon Elastic Compute Cloud (EC2) instances can provide you with additional data and insights about the performance and utilization of your instances.
Detailed monitoring can provide you with more data about the utilization of your instances, which can be helpful for capacity planning and optimization.
| ProjectionType: KEYS_ONLY | ||
| ProvisionedThroughput: | ||
| ReadCapacityUnits: !Ref 'ReadCapacityUnits' | ||
| WriteCapacityUnits: !Ref 'WriteCapacityUnits' |
| WriteCapacityUnits: !Ref 'WriteCapacityUnits' | |
| WriteCapacityUnits: !Ref 'WriteCapacityUnits' | |
| PointInTimeRecoverySpecification: | |
| PointInTimeRecoveryEnabled: True | |
| Outputs: |
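Review bot: the suggested `PointInTimeRecoverySpecification` block must be a direct child of `Properties`, at the same indentation as `ProvisionedThroughput`, not nested under it; the flattened rendering here drops the indentation, so re-indent when applying or CloudFormation will reject the template with an unknown-property error. Note also that the first `WriteCapacityUnits: !Ref 'WriteCapacityUnits'` line in the suggestion is the unchanged context line, not a second copy to insert.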
DynamoDB PITR is disabled
Resource: AWS::DynamoDB::Table.TableOfBooks | Checkov ID: CKV_AWS_28
Description
DynamoDB Point-In-Time Recovery (PITR) is an automatic backup service for DynamoDB table data that helps protect your DynamoDB tables from accidental write or delete operations.
Once enabled, PITR provides continuous backups that can be controlled using various programmatic parameters.
PITR can also be used to restore table data from any point in time during the last 35 days, as well as any incremental backups of DynamoDB tables.
| lifecycle { | ||
| ignore_changes = ["password"] | ||
| } | ||
| } |
| } | |
| performance_insights_kms_key_id = "CKV_ANY" | |
| } |
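Review bot: `performance_insights_kms_key_id = "CKV_ANY"` is a placeholder, not a KMS key ARN, and will fail on apply; replace it with the ARN of a customer-managed key. The attribute also only takes effect together with `performance_insights_enabled = true`, which CKV_AWS_353 reports as missing on this same resource, so apply the two suggestions as one change.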
RDS Performance Insights are not encrypted using KMS CMKs
Resource: aws_db_instance.default | Checkov ID: CKV_AWS_354
| git_repo = "terragoat" | ||
| yor_trace = "7a3ec657-fa54-4aa2-8467-5d08d6c90bc2" | ||
| }) | ||
| } |
| } | |
| image_scanning_configuration { | |
| scan_on_push = true | |
| } | |
| } |
ECR image scan on push is not enabled
Resource: aws_ecr_repository.repository | Checkov ID: CKV_AWS_163
Description
Amazon ECR is a fully managed container registry used to store, manage and deploy container images.
ECR Image Scanning assesses and identifies operating system vulnerabilities.
Using automated image scans you can ensure container image vulnerabilities are found before getting pushed to production.
ECR APIs notify if vulnerabilities were found when a scan completes.
| lifecycle { | ||
| ignore_changes = ["password"] | ||
| } | ||
| } |
| } | |
| performance_insights_enabled = true | |
| } |
RDS instances have performance insights disabled
Resource: aws_db_instance.default | Checkov ID: CKV_AWS_353
| apply_immediately = true | ||
| multi_az = false | ||
| backup_retention_period = 0 | ||
| storage_encrypted = false |
| storage_encrypted = false | |
| storage_encrypted = true |
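Review bot: flipping `storage_encrypted` from `false` to `true` on an existing `aws_db_instance` forces replacement of the instance, since the attribute cannot be changed in place, and with `backup_retention_period = 0` and `multi_az = false` on the lines above there are no automated backups to fall back on. Take a manual snapshot and restore it into the encrypted instance as a planned migration rather than a plain apply, and raise `backup_retention_period` above 0 in the same change.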
AWS RDS DB cluster encryption is disabled
Resource: aws_db_instance.default | Checkov ID: CKV_AWS_16
Description
AWS RDS is a managed DB service enabling quick deployment and management of MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines.
Native RDS encryption helps protect your cloud applications and fulfils compliance requirements for data-at-rest encryption.
| KeyType: HASH | ||
| ProvisionedThroughput: | ||
| ReadCapacityUnits: !Ref 'ReadCapacityUnits' | ||
| WriteCapacityUnits: !Ref 'WriteCapacityUnits' |
| WriteCapacityUnits: !Ref 'WriteCapacityUnits' | |
| WriteCapacityUnits: !Ref 'WriteCapacityUnits' | |
| PointInTimeRecoverySpecification: | |
| PointInTimeRecoveryEnabled: True | |
| Outputs: |
DynamoDB PITR is disabled
Resource: AWS::DynamoDB::Table.myDynamoDBTable | Checkov ID: CKV_AWS_28
Description
DynamoDB Point-In-Time Recovery (PITR) is an automatic backup service for DynamoDB table data that helps protect your DynamoDB tables from accidental write or delete operations.
Once enabled, PITR provides continuous backups that can be controlled using various programmatic parameters.
PITR can also be used to restore table data from any point in time during the last 35 days, as well as any incremental backups of DynamoDB tables.
No description provided.