54 changes: 54 additions & 0 deletions IAC/DynamoDB_Index.yaml
@@ -0,0 +1,54 @@
AWSTemplateFormatVersion: '2010-09-09'
Metadata:
License: Apache-2.0
Description: 'AWS CloudFormation Sample Template DynamoDB_Table: This template demonstrates
the creation of a DynamoDB table. **WARNING** This template creates an Amazon DynamoDB
table. You will be billed for the AWS resources used if you create a stack from
this template.'
Parameters:
HashKeyElementName:
Description: HashType PrimaryKey Name
Type: String
AllowedPattern: '[a-zA-Z0-9]*'
MinLength: '1'
MaxLength: '2048'
ConstraintDescription: must contain only alphanumberic characters
HashKeyElementType:
Description: HashType PrimaryKey Type
Type: String
Default: S
AllowedPattern: '[S|N]'
MinLength: '1'
MaxLength: '1'
ConstraintDescription: must be either S or N
ReadCapacityUnits:
Description: Provisioned read throughput
Type: Number
Default: '5'
MinValue: '5'
MaxValue: '10000'
ConstraintDescription: must be between 5 and 10000
WriteCapacityUnits:
Description: Provisioned write throughput
Type: Number
Default: '10'
MinValue: '5'
MaxValue: '10000'
ConstraintDescription: must be between 5 and 10000
Resources:
myDynamoDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: !Ref 'HashKeyElementName'
AttributeType: !Ref 'HashKeyElementType'
KeySchema:
- AttributeName: !Ref 'HashKeyElementName'
KeyType: HASH
ProvisionedThroughput:
ReadCapacityUnits: !Ref 'ReadCapacityUnits'
WriteCapacityUnits: !Ref 'WriteCapacityUnits'

Suggested change
WriteCapacityUnits: !Ref 'WriteCapacityUnits'
WriteCapacityUnits: !Ref 'WriteCapacityUnits'
PointInTimeRecoverySpecification:
PointInTimeRecoveryEnabled: True
Outputs:
HIGH  DynamoDB PITR is disabled
    Resource: AWS::DynamoDB::Table.myDynamoDBTable | Checkov ID: CKV_AWS_28

Description

DynamoDB Point-In-Time Recovery (PITR) is an automatic backup service for DynamoDB table data that helps protect your DynamoDB tables from accidental write or delete operations.
Once enabled, PITR provides continuous backups that can be controlled using various programmatic parameters.
PITR can also be used to restore table data from any point in time during the last 35 days, as well as any incremental backups of DynamoDB tables.

Outputs:
TableName:
Value: !Ref 'myDynamoDBTable'
Description: Table name of the newly created DynamoDB table
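Review bot: `AllowedPattern: '[S|N]'` on HashKeyElementType is a character class, so it also accepts a literal `|` and does not enforce the stated "must be either S or N"; CloudFormation matches AllowedPattern against the whole value, so `'[SN]'` is enough. The ConstraintDescription on HashKeyElementName also misspells "alphanumeric". On the resource itself, besides the missing PointInTimeRecoverySpecification already flagged, a `DeletionPolicy: Retain` on myDynamoDBTable would keep the table (and its data) if the stack is deleted.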
64 changes: 64 additions & 0 deletions IAC/DynamoDB_Secondary_Index.yaml
@@ -0,0 +1,64 @@
AWSTemplateFormatVersion: '2010-09-09'
Metadata:
License: Apache-2.0
Description: 'AWS CloudFormation Sample Template DynamoDB_Secondary_Indexes: Create
a DynamoDB table with local and global secondary indexes. **WARNING** This template
creates an Amazon DynamoDB table. You will be billed for the AWS resources used
if you create a stack from this template.'
Parameters:
ReadCapacityUnits:
Description: Provisioned read throughput
Type: Number
Default: '5'
MinValue: '5'
MaxValue: '10000'
ConstraintDescription: must be between 5 and 10000
WriteCapacityUnits:
Description: Provisioned write throughput
Type: Number
Default: '10'
MinValue: '5'
MaxValue: '10000'
ConstraintDescription: must be between 5 and 10000
Resources:
TableOfBooks:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: Title
AttributeType: S
- AttributeName: Category
AttributeType: S
- AttributeName: Language
AttributeType: S
KeySchema:
- AttributeName: Category
KeyType: HASH
- AttributeName: Title
KeyType: RANGE
ProvisionedThroughput:
ReadCapacityUnits: !Ref 'ReadCapacityUnits'
WriteCapacityUnits: !Ref 'WriteCapacityUnits'
LocalSecondaryIndexes:
- IndexName: LanguageIndex
KeySchema:
- AttributeName: Category
KeyType: HASH
- AttributeName: Language
KeyType: RANGE
Projection:
ProjectionType: KEYS_ONLY
GlobalSecondaryIndexes:
- IndexName: TitleIndex
KeySchema:
- AttributeName: Title
KeyType: HASH
Projection:
ProjectionType: KEYS_ONLY
ProvisionedThroughput:
ReadCapacityUnits: !Ref 'ReadCapacityUnits'
WriteCapacityUnits: !Ref 'WriteCapacityUnits'

Suggested change
WriteCapacityUnits: !Ref 'WriteCapacityUnits'
WriteCapacityUnits: !Ref 'WriteCapacityUnits'
PointInTimeRecoverySpecification:
PointInTimeRecoveryEnabled: True
Outputs:
HIGH  DynamoDB PITR is disabled
    Resource: AWS::DynamoDB::Table.TableOfBooks | Checkov ID: CKV_AWS_28

Description

DynamoDB Point-In-Time Recovery (PITR) is an automatic backup service for DynamoDB table data that helps protect your DynamoDB tables from accidental write or delete operations.
Once enabled, PITR provides continuous backups that can be controlled using various programmatic parameters.
PITR can also be used to restore table data from any point in time during the last 35 days, as well as any incremental backups of DynamoDB tables.


Outputs:
TableName:
Value: !Ref 'TableOfBooks'
Description: Name of the newly created DynamoDB table
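Review bot: TableOfBooks has the same gap as the first template: no PointInTimeRecoverySpecification, so the suggested change above applies here too, and a `DeletionPolicy: Retain` would protect the table on stack deletion. One design note on the indexes: both LanguageIndex and TitleIndex use `ProjectionType: KEYS_ONLY`, so a query on TitleIndex returns only Title and Category and any other attribute has to be fetched from the base table; that is fine for a sample, but worth a comment so readers do not assume the index carries the item.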
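The PITR finding raised on both DynamoDB templates above (myDynamoDBTable and TableOfBooks) comes down to a missing PointInTimeRecoverySpecification. The following is an added example, not Checkov's code and not part of this repository, of the same check written as a small scanner: it takes the first template in CloudFormation's JSON form (constructed here from the YAML in the diff, with `!Ref` written as `{"Ref": ...}` so no YAML parser is needed), reports tables without PITR, and applies the bot's suggested fix. The severity label and the output layout are assumptions copied from the comment format.

```python
import json
from copy import deepcopy

# Constructed sample: IAC/DynamoDB_Index.yaml from the PR, rewritten in
# CloudFormation's JSON form ("!Ref X" becomes {"Ref": "X"}). Parameters are
# omitted because the check only looks at Resources.
TEMPLATE_JSON = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDynamoDBTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [{"AttributeName": {"Ref": "HashKeyElementName"},
                                  "AttributeType": {"Ref": "HashKeyElementType"}}],
        "KeySchema": [{"AttributeName": {"Ref": "HashKeyElementName"}, "KeyType": "HASH"}],
        "ProvisionedThroughput": {"ReadCapacityUnits": {"Ref": "ReadCapacityUnits"},
                                  "WriteCapacityUnits": {"Ref": "WriteCapacityUnits"}}
      }
    }
  }
}
"""


def pitr_enabled(props):
    """True only when PointInTimeRecoveryEnabled is explicitly true.

    CloudFormation accepts the boolean and the string form, so both count.
    A missing block means PITR is off (the default for a new table)."""
    spec = props.get("PointInTimeRecoverySpecification") or {}
    value = spec.get("PointInTimeRecoveryEnabled")
    return value is True or str(value).lower() == "true"


def check_dynamodb_pitr(template):
    """Return (logical_id, message) for every table without PITR.

    Mirrors what CKV_AWS_28 reports; the wording is taken from the bot comment."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::DynamoDB::Table":
            continue
        if not pitr_enabled(res.get("Properties", {})):
            findings.append((logical_id, "DynamoDB PITR is disabled"))
    return findings


def remediate_pitr(template):
    """Return a copy with PITR enabled on every table (the bot's suggested change)."""
    fixed = deepcopy(template)
    for res in fixed.get("Resources", {}).values():
        if res.get("Type") == "AWS::DynamoDB::Table":
            props = res.setdefault("Properties", {})
            props["PointInTimeRecoverySpecification"] = {"PointInTimeRecoveryEnabled": True}
    return fixed


def scan(template_text):
    """Parse the template, run the check before and after remediation."""
    template = json.loads(template_text)
    before = check_dynamodb_pitr(template)
    after = check_dynamodb_pitr(remediate_pitr(template))
    return before, after


if __name__ == "__main__":
    before, after = scan(TEMPLATE_JSON)
    for logical_id, msg in before:
        print(f"HIGH  {msg}\n    Resource: AWS::DynamoDB::Table.{logical_id}")
    print("findings after remediation:", len(after))
```

Running it prints the one HIGH finding for myDynamoDBTable and zero findings after the fix; pointing `scan` at the JSON form of DynamoDB_Secondary_Index.yaml gives the same result for TableOfBooks.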
34 changes: 34 additions & 0 deletions IAC/aks.bicep
@@ -0,0 +1,34 @@
@description('Name of environment')
param env string = 'dev'

@description('Default location for all resources')
param location string = resourceGroup().location

var name = 'bicepgoat'

resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-02-01' = {


LOW  Kubernetes dashboard is not disabled
    Resource: Microsoft.ContainerService/managedClusters.aksCluster | Checkov ID: CKV_AZURE_8

Description

The Terraform provider for Azure provides the capability to disable the Kubernetes dashboard on an AKS cluster.
This is achieved by providing the Kubernetes dashboard as an AKS add-on like the Azure Monitor for containers integration, AKS virtual nodes, or HTTP application routing.
The dashboard add-on is disabled by default for all new clusters created on Kubernetes 1.18 or greater.
In mid-2019 Tesla was hacked and their Kubernetes dashboard was open to the internet.
Hackers browsed around and found credentials, eventually managing to deploy pods running bitcoin mining software.
We recommend you disable the Kubernetes dashboard to prevent the need to manage its individual access interface, eliminating it as an attack vector.


LOW  Azure AKS cluster network policies are not enforced
    Resource: Microsoft.ContainerService/managedClusters.aksCluster | Checkov ID: CKV_AZURE_7

Description

Network policy options in AKS include two ways to implement a network policy.
You can choose between Azure Network Policies or Calico Network Policies.
In both cases, the underlying controlling layer is based on Linux IPTables to enforce the specified policies.
Policies are translated into sets of allowed and disallowed IP pairs.
These pairs are then programmed as IPTable rules.
The principle of least privilege should be applied to how traffic can flow between pods in an AKS cluster.
We recommend you select a preferred network policy framework and enforce granular usage-based policies on the architecture and business logic of your applications.


LOW  AKS API server does not define authorized IP ranges
    Resource: Microsoft.ContainerService/managedClusters.aksCluster | Checkov ID: CKV_AZURE_6

Description

The AKS API server receives requests to perform actions in the cluster, for example, to create resources, and scale the number of nodes.
The API server provides a secure way to manage a cluster.
To enhance cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.
These IP ranges allow defined IP address ranges to communicate with the API server.
A request made to the API server from an IP address that is not part of these authorized IP ranges is blocked.


INFO  Azure AKS cluster monitoring not enabled
    Resource: Microsoft.ContainerService/managedClusters.aksCluster | Checkov ID: CKV_AZURE_4

Description

The Azure Monitoring service collects and stores valuable telemetry reported by AKS.
This includes memory and processor metrics for controllers, nodes and containers logs, and logs from the individual containers.
This data is accessible through Azure Log Analytics for the AKS cluster and Azure Monitor instance.
We recommend storing memory and processor metrics from containers, nodes, and controllers.
This enables strong real-time and post-mortem analysis of unknown behaviors in AKS clusters.


MEDIUM  Azure AKS enable role-based access control (RBAC) not enforced
    Resource: Microsoft.ContainerService/managedClusters.aksCluster | Checkov ID: CKV_AZURE_5

Description

AKS can be configured to use Azure Active Directory (AD) and Kubernetes Role-based Access Control (RBAC).
RBAC is designed to work on resources within your AKS clusters.
With RBAC, you can create a role definition that outlines the permissions to be applied.
A user or group is then assigned this role definition for a particular scope, which could be an individual resource, a resource group, or across the subscription.
We recommend you sign in to an AKS cluster using an Azure AD authentication token and configure Kubernetes RBAC.
This will limit access to cluster resources based on a user's identity or group membership.

name: '${name}-aks-${env}'
location: location

identity: {
type: 'SystemAssigned'
}
properties: {
kubernetesVersion: '1.19.7'
dnsPrefix: '${name}-${env}'
enableRBAC: false

agentPoolProfiles: [
{
name: 'default'
count: 2
vmSize: 'Standard_D2_v2'
}
]
addonProfiles: {
omsagent: {
enabled: false
}
}
}
}
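Review bot: `enableRBAC: false` near the end of the hunk is what triggers CKV_AZURE_5; set `enableRBAC: true` and add `aadProfile: { managed: true }` so cluster sign-in goes through Azure AD as the comment recommends. The other findings correspond to blocks that are simply absent from this resource: `networkProfile: { networkPolicy: 'azure' }` (or `'calico'`) for CKV_AZURE_7, `apiServerAccessProfile: { authorizedIPRanges: [ ... ] }` for CKV_AZURE_6, `addonProfiles.kubeDashboard.enabled: false` for CKV_AZURE_8, and `omsagent.enabled: true` with `config.logAnalyticsWorkspaceResourceID` for CKV_AZURE_4. Given the `bicepgoat` name, if these misconfigurations are intentional, a comment at the top of the file saying so would stop later reviewers from "fixing" them.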
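Bicep compiles to an ARM JSON template, which is the form scanners such as Checkov actually read. As an added example, not Checkov's own implementation and not part of this repository, the block below encodes the five findings reported on aksCluster (RBAC, network policy, authorized IP ranges, dashboard add-on, monitoring) as predicates over the compiled `properties` block, runs them against a constructed rendering of the resource in this hunk, and then against a hardened copy. The `_get` helper, the check table and the hardening function are mine; the authorized IP range and the Log Analytics workspace id in the hardened copy are placeholders, not values from the PR.

```python
import json

# Constructed sample: roughly what `az bicep build` emits for the aksCluster
# resource in IAC/aks.bicep, trimmed to the properties the checks inspect.
# Parameter references stay as ARM expression strings.
ARM_JSON = """
{
  "resources": [
    {
      "type": "Microsoft.ContainerService/managedClusters",
      "apiVersion": "2021-02-01",
      "name": "[format('{0}-aks-{1}', 'bicepgoat', parameters('env'))]",
      "identity": {"type": "SystemAssigned"},
      "properties": {
        "kubernetesVersion": "1.19.7",
        "enableRBAC": false,
        "agentPoolProfiles": [{"name": "default", "count": 2, "vmSize": "Standard_D2_v2"}],
        "addonProfiles": {"omsagent": {"enabled": false}}
      }
    }
  ]
}
"""


def _get(d, *path):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in path:
        if not isinstance(d, dict):
            return None
        d = d.get(key)
    return d


# (severity, title, predicate that returns True when the cluster passes).
# Severities and titles follow the bot comments on this PR.
AKS_CHECKS = [
    ("MEDIUM", "enable role-based access control (RBAC) not enforced",
     lambda p: p.get("enableRBAC") is True),
    ("LOW", "cluster network policies are not enforced",
     lambda p: _get(p, "networkProfile", "networkPolicy") in ("azure", "calico")),
    ("LOW", "API server does not define authorized IP ranges",
     lambda p: bool(_get(p, "apiServerAccessProfile", "authorizedIPRanges"))),
    # The comment notes the dashboard add-on is off by default on 1.18+, but
    # the scanner still wants it disabled explicitly, so absence is a finding.
    ("LOW", "Kubernetes dashboard is not disabled",
     lambda p: _get(p, "addonProfiles", "kubeDashboard", "enabled") is False),
    ("INFO", "cluster monitoring not enabled",
     lambda p: _get(p, "addonProfiles", "omsagent", "enabled") is True),
]


def check_aks(arm_template):
    """Return (severity, title) for every failed check on every AKS cluster."""
    findings = []
    for res in arm_template.get("resources", []):
        if res.get("type") != "Microsoft.ContainerService/managedClusters":
            continue
        props = res.get("properties", {})
        findings.extend((sev, title) for sev, title, passes in AKS_CHECKS
                        if not passes(props))
    return findings


def hardened_properties(props):
    """Copy of the cluster properties with each finding addressed.

    The IP range (RFC 5737 documentation prefix) and the workspace id are
    placeholders to be replaced with real values."""
    fixed = json.loads(json.dumps(props))
    fixed["enableRBAC"] = True
    fixed["aadProfile"] = {"managed": True}
    fixed["networkProfile"] = {"networkPolicy": "azure"}
    fixed["apiServerAccessProfile"] = {"authorizedIPRanges": ["203.0.113.0/24"]}
    addons = fixed.setdefault("addonProfiles", {})
    addons["kubeDashboard"] = {"enabled": False}
    addons["omsagent"] = {"enabled": True,
                          "config": {"logAnalyticsWorkspaceResourceID": "<workspace-resource-id>"}}
    return fixed


def scan_aks(text):
    """Run the checks on the template as written and again after hardening."""
    tpl = json.loads(text)
    before = check_aks(tpl)
    for res in tpl.get("resources", []):
        if res.get("type") == "Microsoft.ContainerService/managedClusters":
            res["properties"] = hardened_properties(res.get("properties", {}))
    after = check_aks(tpl)
    return before, after


if __name__ == "__main__":
    before, after = scan_aks(ARM_JSON)
    for sev, title in before:
        print(f"{sev:<6} Azure AKS {title}")
    print("findings after hardening:", len(after))
```

The predicates deliberately require the explicit secure value (`is True`, `is False`) rather than "not the insecure value", so a property that is missing or carries an unexpected type is reported instead of silently passing.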