-
Notifications
You must be signed in to change notification settings - Fork 0
Create infra.ts #6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
ZIJ
wants to merge
1
commit into
main
Choose a base branch
from
ZIJ-patch-5
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| // file: lib/insecure-stack.ts | ||
| import * as cdk from 'aws-cdk-lib'; | ||
| import { Construct } from 'constructs'; | ||
|
|
||
| import * as s3 from 'aws-cdk-lib/aws-s3'; | ||
| import * as ec2 from 'aws-cdk-lib/aws-ec2'; | ||
| import * as iam from 'aws-cdk-lib/aws-iam'; | ||
| import * as rds from 'aws-cdk-lib/aws-rds'; | ||
|
|
||
| export class InsecureStack extends cdk.Stack { | ||
| constructor(scope: Construct, id: string, props?: cdk.StackProps) { | ||
| super(scope, id, props); | ||
|
|
||
| /* 1️⃣ Public S3 bucket, all safeguards disabled */ | ||
| const bucket = new s3.Bucket(this, 'PublicBucket', { | ||
| bucketName: 'my-public-bucket-001', | ||
| publicReadAccess: true, | ||
| blockPublicAccess: s3.BlockPublicAccess.NONE, // 🔴 no block-public-access settings | ||
| versioned: false, | ||
| removalPolicy: cdk.RemovalPolicy.DESTROY, | ||
| autoDeleteObjects: true, | ||
| }); | ||
|
||
|
|
||
| /* 2️⃣ VPC with a security group open to the world */ | ||
| const vpc = new ec2.Vpc(this, 'MyVpc', { | ||
| subnetConfiguration: [ | ||
| { name: 'public', subnetType: ec2.SubnetType.PUBLIC }, | ||
|
Comment on lines
+23
to
+27
Check noticeCode scanning / Infrabase AI No raw resources when possible Note
In cdk-test/infra.ts (lines ~23-27), a VPC is created directly using ec2.Vpc. Your organization maintains an internal VPC module (git::https://github.com/diggerhq/common-modules//vpc) that enforces standard tagging, flow logging, and subnet layouts.
Recommendation: Use the internal VPC module to ensure consistency: e.g., new ModuleVPC(this, 'MyVpc', { source: 'git::https://github.com/diggerhq/common-modules//vpc', /* module inputs */ });
|
||
| ], | ||
| maxAzs: 2, | ||
|
Comment on lines
+26
to
+29
Check warningCode scanning / Infrabase AI No raw resources when possible Warning
In cdk-test/infra.ts (lines ~36-40), the IAM role "OverPermissiveRole" is assigned the AWS-managed AdministratorAccess policy, granting broad privileges across all services and resources.
Recommendation: Follow the principle of least privilege. Define a custom IAM policy or attach only the specific AWS-managed policies that grant the minimal set of actions and resources required by your workload.
|
||
| }); | ||
|
|
||
| const sg = new ec2.SecurityGroup(this, 'OpenSg', { | ||
| vpc, | ||
|
Comment on lines
+31
to
+33
Check failureCode scanning / Infrabase AI No raw resources when possible Error
In cdk-test/infra.ts (lines ~29-33), the security group "OpenSg" allows all inbound IPv4 traffic on all ports (0.0.0.0/0). This effectively exposes any resources in the VPC to the entire Internet.
Recommendation: Restrict ingress rules to only the required ports and trusted CIDR ranges. For example, replace ec2.Peer.anyIpv4() and ec2.Port.allTraffic() with specific Port.tcp(portNumber) and your organization’s IP ranges.
|
||
| description: 'Allow all inbound traffic', | ||
| allowAllOutbound: true, | ||
| }); | ||
| sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.allTraffic(), 'Wide-open SG'); // 🔴 0.0.0.0/0 ALL | ||
|
|
||
| /* 3️⃣ Wild-card IAM permissions */ | ||
| const role = new iam.Role(this, 'OverPermissiveRole', { | ||
| assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'), | ||
| description: 'Wild-card role for demo', | ||
|
Comment on lines
+36
to
+42
Check failureCode scanning / Infrabase AI S3 Buckets Must Block Public Access Error
In cdk-test/infra.ts (lines ~43-50), an Amazon RDS instance is created with publiclyAccessible set to true, storageEncrypted disabled, and removalPolicy DESTROY. The database is exposed to the Internet and data at rest is unencrypted.
Recommendation: Set publiclyAccessible to false unless absolutely required. Enable storageEncrypted: true and specify a KMS key if you need customer-managed encryption keys. Consider setting removalPolicy to RETAIN or enabling deletionProtection in production environments.
|
||
| }); | ||
| role.addManagedPolicy( | ||
| iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'), // 🔴 * | ||
| ); | ||
|
|
||
| /* 4️⃣ Public, unencrypted RDS instance */ | ||
| new rds.DatabaseInstance(this, 'InsecureDb', { | ||
| engine: rds.DatabaseInstanceEngine.postgres({ | ||
|
Comment on lines
+20
to
+50
Check noticeCode scanning / Infrabase AI No raw resources when possible Note
In cdk-test/infra.ts (lines ~20 and ~50), both the S3 bucket and the RDS instance use removalPolicy: DESTROY. This configuration causes permanent data loss upon stack deletion.
Recommendation: In non-development environments, use RemovalPolicy.RETAIN or enable snapshot/deletionProtection options to prevent accidental data loss.
|
||
| version: rds.PostgresEngineVersion.VER_15, | ||
| }), | ||
|
||
| vpc, | ||
| publiclyAccessible: true, // 🔴 internet-facing DB | ||
| storageEncrypted: false, // 🔴 no encryption at rest | ||
| allocatedStorage: 20, | ||
| credentials: rds.Credentials.fromGeneratedSecret('postgres'), | ||
| removalPolicy: cdk.RemovalPolicy.DESTROY, | ||
| }); | ||
| } | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Check failure
Code scanning / Infrabase AI
S3 Buckets Must Block Public Access Error