|
1 | 1 | We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to check our terraform code using static analysis to spot potential security issues. However, we needed to skip some checks. The list of those checks is below: |
2 | 2 |
|
3 | | -| Layer | Security issue | Description | Why skipped? | |
4 | | -| ---------------------------------------------- | -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | |
5 | | -| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | |
6 | | -| layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via variable eks_cluster_enabled_log_types | |
7 | | -| layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but can be enabled via setting *eks_cluster_encryption_config_enable = true* in your tfvars file. | |
8 | | -| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere | |
9 | | -| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere | |
10 | | -| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | |
11 | | -| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. | This is a VPN server and it need to have egress traffic to anywhere by default | |
12 | | -| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs to have ingress traffic from anywhere | |
13 | | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. | |
14 | | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups | |
15 | | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended [policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) | |
16 | | -| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_metricbeat_values | |
17 | | -| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_filebeat_values | |
18 | | -| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_apm_values | |
19 | | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) | |
20 | | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones | |
| 3 | +| Layer | Security issue | Description | Why skipped? | |
| 4 | +| ------------------------------------ |----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------| |
| 5 | +| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | |
| 6 | +| layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via variable eks_cluster_enabled_log_types | |
| 7 | +| layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but can be enabled via setting *eks_cluster_encryption_config_enable = true* in your tfvars file. | |
| 8 | +| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere | |
| 9 | +| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere | |
| 10 | +| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | |
| 11 | +| layer1-aws/aws-cloudtrail.tf | aws-cloudtrail-enable-at-rest-encryption | Resource 'aws_cloudtrail' is missing kms key to use to encrypt the logs delivered by CloudTrail. | Since this is a paid service, and a lot of information can be written in the cloudtrail, we do not use this function | |
| 12 | +| layer1-aws/aws-cloudtrail.tf | aws-s3-enable-bucket-logging | Resource 'aws_s3_bucket' is missing the enabled logging for s3 cloudtrail bucket. | By default, s3 bucket logging for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_logging | |
| 13 | +| layer1-aws/aws-cloudtrail.tf | aws-s3-enable-versioning | Resource 'aws_s3_bucket' is missing the enabled versioning for s3 cloudtrail bucket. | By default, s3 bucket versioning for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_versioning | |
| 14 | +| layer1-aws/aws-cloudtrail.tf | aws-s3-encryption-customer-key | Resource 'aws_s3_bucket' is missing encryption customer-provided encryption keys. | By default, s3 bucket encryption for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_server_side_encryption_configuration | |
| 15 | +| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. | This is a VPN server and it need to have egress traffic to anywhere by default | |
| 16 | +| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs to have ingress traffic from anywhere | |
| 17 | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. | |
| 18 | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups | |
| 19 | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended [policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) | |
| 20 | +| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_metricbeat_values | |
| 21 | +| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_filebeat_values | |
| 22 | +| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_apm_values | |
| 23 | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) | |
| 24 | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones | |
21 | 25 | | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | |
22 | 26 | | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | |
23 | 27 | | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | |
|
0 commit comments