_ _ ___| |__ ___ ___| | _______ __ / __| '_ \ / _ \/ __| |/ / _ \ \ / / | (__| | | | __/ (__| < (_) \ V / \___|_| |_|\___|\___|_|\_\___/ \_/ By bridgecrew.io | version: 2.0.1215 Update available 2.0.1215 -> 2.0.1230 Run pip3 install -U checkov to update terraform scan results: Passed checks: 4, Failed checks: 4, Skipped checks: 0 Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22" PASSED for resource: aws_security_group.allow_tls File: /Terraform/main.tf:6-30 Guide: https://docs.bridgecrew.io/docs/networking_1-port-security Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389" PASSED for resource: aws_security_group.allow_tls File: /Terraform/main.tf:6-30 Guide: https://docs.bridgecrew.io/docs/networking_2 Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider" PASSED for resource: aws.spoke1-region1 File: /Terraform/provider.tf:1-7 Guide: https://docs.bridgecrew.io/docs/bc_aws_secrets_5 Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider" PASSED for resource: aws.default File: /Terraform/provider.tf:9-11 Guide: https://docs.bridgecrew.io/docs/bc_aws_secrets_5 Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.allow_tls File: /Terraform/main.tf:6-30 Guide: https://docs.bridgecrew.io/docs/networking_31 6 | resource "aws_security_group" "allow_tls" { 7 | provider = aws.spoke1-region1 8 | name = "allow_tls" 9 | description = "Allow TLS inbound traffic" 10 | vpc_id = aws_vpc.main.id 11 | 12 | ingress { 13 | description = "TLS from VPC" 14 | from_port = 443 15 | to_port = 443 16 | protocol = "tcp" 17 | cidr_blocks = [aws_vpc.main.cidr_block] 18 | } 19 | 20 | egress { 21 | from_port = 443 22 | to_port = 443 23 | protocol = "tcp" 24 | cidr_blocks = [aws_vpc.main.cidr_block] 25 | } 26 | 27 | tags = { 28 | Name = "allow_tls" 29 | } 30 | } Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource" FAILED for resource: aws_security_group.allow_tls File: /Terraform/main.tf:6-30 Guide: https://docs.bridgecrew.io/docs/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis 6 | resource "aws_security_group" "allow_tls" { 7 | provider = aws.spoke1-region1 8 | name = "allow_tls" 9 | description = "Allow TLS inbound traffic" 10 | vpc_id = aws_vpc.main.id 11 | 12 | ingress { 13 | description = "TLS from VPC" 14 | from_port = 443 15 | to_port = 443 16 | protocol = "tcp" 17 | cidr_blocks = [aws_vpc.main.cidr_block] 18 | } 19 | 20 | egress { 21 | from_port = 443 22 | to_port = 443 23 | protocol = "tcp" 24 | cidr_blocks = [aws_vpc.main.cidr_block] 25 | } 26 | 27 | tags = { 28 | Name = "allow_tls" 29 | } 30 | } Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic" FAILED for resource: aws_vpc.main File: /Terraform/main.tf:1-4 Guide: https://docs.bridgecrew.io/docs/networking_4 1 | resource "aws_vpc" "main" { 2 | provider = aws.spoke1-region1 3 | cidr_block = "10.0.0.0/16" 4 | } Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs" FAILED for resource: aws_vpc.main File: /Terraform/main.tf:1-4 Guide: https://docs.bridgecrew.io/docs/logging_9-enable-vpc-flow-logging 1 | resource "aws_vpc" "main" { 2 | provider = aws.spoke1-region1 3 | cidr_block = "10.0.0.0/16" 4 | } cloudformation scan results: Passed checks: 34, Failed checks: 7, Skipped checks: 0 Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration" PASSED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions" PASSED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/iam_48 Check: CKV_AWS_61: "Ensure AWS IAM policy does not allow assume role permission across all services" PASSED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_45 Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints" PASSED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint Check: CKV_AWS_62: "Ensure no IAM policies that allow full "*-*" administrative privileges are not created" PASSED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/iam_47 Check: CKV_AWS_60: "Ensure IAM role allows only specific services or principals to assume it" PASSED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_44 Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation" PASSED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation Check: CKV_AWS_19: "Ensure the S3 bucket has server-side-encryption enabled" PASSED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest Check: CKV_AWS_20: "Ensure the S3 bucket does not allow READ permissions to everyone" PASSED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled" PASSED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/bc_aws_s3_19 Check: CKV_AWS_57: "Ensure the S3 bucket does not allow WRITE permissions to everyone" PASSED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/s3_2-acl-write-permissions-everyone Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled" PASSED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/bc_aws_s3_20 Check: CKV_AWS_21: "Ensure the S3 bucket has versioning enabled" PASSED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning Check: CKV_AWS_55: "Ensure S3 bucket has ignore public ACLs enabled" PASSED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/bc_aws_s3_21 Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled" PASSED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/bc_aws_s3_22 Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable" PASSED for resource: AWS::Lambda::Function.InstanceProfileAttachLambda File: /Cloud9CFN.yaml:251-353 Guide: https://docs.bridgecrew.io/docs/bc_aws_serverless_5 Check: CKV_AWS_45: "Ensure no hard-coded secrets exist in lambda environment" PASSED for resource: AWS::Lambda::Function.InstanceProfileAttachLambda File: /Cloud9CFN.yaml:251-353 Guide: https://docs.bridgecrew.io/docs/bc_aws_secrets_3 Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/iam_48 Check: CKV_AWS_61: "Ensure AWS IAM policy does not allow assume role permission across all services" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_45 Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint Check: CKV_AWS_62: "Ensure no IAM policies that allow full "*-*" administrative privileges are not created" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/iam_47 Check: CKV_AWS_60: "Ensure IAM role allows only specific services or principals to assume it" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_44 Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation" PASSED for resource: AWS::IAM::Role.LambdaExecutionRole File: /Cloud9CFN.yaml:354-389 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration" PASSED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure" PASSED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions" PASSED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/iam_48 Check: CKV_AWS_61: "Ensure AWS IAM policy does not allow assume role permission across all services" PASSED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_45 Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints" PASSED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint Check: CKV_AWS_62: "Ensure no IAM policies that allow full "*-*" administrative privileges are not created" PASSED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/iam_47 Check: CKV_AWS_60: "Ensure IAM role allows only specific services or principals to assume it" PASSED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/bc_aws_iam_44 Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation" PASSED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure" FAILED for resource: AWS::IAM::Role.TerraformCloud9Role File: /Cloud9CFN.yaml:45-182 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled" FAILED for resource: AWS::S3::Bucket.TerraformBackendS3Bucket File: /Cloud9CFN.yaml:195-210 Guide: https://docs.bridgecrew.io/docs/s3_13-enable-logging 195 | TerraformBackendS3Bucket: 196 | Type: AWS::S3::Bucket 197 | Properties: 198 | AccessControl: Private 199 | BucketName: !Ref TerraformBackendBucketName 200 | PublicAccessBlockConfiguration: 201 | BlockPublicAcls: True 202 | BlockPublicPolicy: True 203 | IgnorePublicAcls: True 204 | RestrictPublicBuckets: True 205 | VersioningConfiguration: 206 | Status: Enabled 207 | BucketEncryption: 208 | ServerSideEncryptionConfiguration: 209 | - ServerSideEncryptionByDefault: 210 | SSEAlgorithm: AES256 Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled" FAILED for resource: AWS::DynamoDB::Table.BackendDynamoDbTable File: /Cloud9CFN.yaml:228-241 Guide: https://docs.bridgecrew.io/docs/general_6 228 | BackendDynamoDbTable: 229 | Type: AWS::DynamoDB::Table 230 | Properties: 231 | TableName: TerraformLockDynamoDB 232 | BillingMode: PROVISIONED 233 | ProvisionedThroughput: 234 | ReadCapacityUnits: 1 235 | WriteCapacityUnits: 1 236 | KeySchema: 237 | - AttributeName: LockID 238 | KeyType: HASH 239 | AttributeDefinitions: 240 | - AttributeName: LockID 241 | AttributeType: S Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK" FAILED for resource: AWS::DynamoDB::Table.BackendDynamoDbTable File: /Cloud9CFN.yaml:228-241 Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted 228 | BackendDynamoDbTable: 229 | Type: AWS::DynamoDB::Table 230 | Properties: 231 | TableName: TerraformLockDynamoDB 232 | BillingMode: PROVISIONED 233 | ProvisionedThroughput: 234 | ReadCapacityUnits: 1 235 | WriteCapacityUnits: 1 236 | KeySchema: 237 | - AttributeName: LockID 238 | KeyType: HASH 239 | AttributeDefinitions: 240 | - AttributeName: LockID 241 | AttributeType: S Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)" FAILED for resource: AWS::Lambda::Function.InstanceProfileAttachLambda File: /Cloud9CFN.yaml:251-353 Guide: https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: AWS::IAM::Role.iamRole File: /SpokeCFN.yaml:5-39 Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint 5 | iamRole: 6 | Type: AWS::IAM::Role 7 | Properties: 8 | RoleName: TerraformSpokeRole 9 | Path: / 10 | AssumeRolePolicyDocument: 11 | Version: "2012-10-17" 12 | Statement: 13 | - Effect: Allow 14 | Principal: 15 | AWS: 16 | - !Sub arn:aws:iam::${CentralAccount}:role/CentralCloud9Role 17 | Action: 18 | - 'sts:AssumeRole' 19 | Policies: 20 | - 21 | PolicyName: "root" 22 | PolicyDocument: 23 | Version: "2012-10-17" 24 | Statement: 25 | - 26 | Effect: "Allow" 27 | Action: ["ec2:AuthorizeSecurityGroupEgress", 28 | "ec2:AuthorizeSecurityGroupIngress", 29 | "ec2:UpdateSecurityGroupRuleDescriptionsEgress", 30 | "ec2:CreateVpc", 31 | "ec2:ModifySecurityGroupRules", 32 | "ec2:Describe*", 33 | "ec2:UpdateSecurityGroupRuleDescriptionsIngress", 34 | "ec2:RevokeSecurityGroupIngress", 35 | "ec2:CreateSecurityGroup", 36 | "ec2:RevokeSecurityGroupEgress", 37 | "ec2:DeleteSecurityGroup", 38 | "ec2:DeleteVpc","ec2:CreateTags","ec2:DeleteTags"] 39 | Resource: "*"