
Pccs demo 202306 #19

Open
rbaccus wants to merge 6 commits into master from pccs_demo_202306

Conversation

@rbaccus rbaccus (Owner) commented Jun 26, 2023

Updating the Yor values and the ebs_optimized = true fix to ec2.tf.


@prisma-cloud-devsecops prisma-cloud-devsecops bot left a comment


Prisma Cloud has found errors in this PR ⬇️


HIGH  AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
    Resource: aws_instance.web_host | Bridgecrew ID: 1072680733040327680_AWS_1681470057361 | Checkov ID: CKV_AWS_79

Description

https://docs.bridgecrew.io/docs/bc_aws_general_31

Benchmarks

  • FEDRAMP (MODERATE) AC-6


@prisma-cloud-devsecops prisma-cloud-devsecops bot Jun 26, 2023


HIGH  EBS volumes do not have encrypted launch configurations
    Resource: aws_instance.web_host | Checkov ID: CKV_AWS_8

How to Fix

resource "aws_launch_configuration" "example" {
  ...
  instance_type = "t2.micro"
+ root_block_device {
+ encrypted     = true
+ }
  ...
}

Description

Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling.
When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.

🎉 Fixed by commit e6602ea - Adding EBS Encryption


@prisma-cloud-devsecops prisma-cloud-devsecops bot Jun 26, 2023


Suggested change
git_org = "rbaccus"
resource "aws_rds_cluster" "app9-rds-cluster" {
cluster_identifier = "app9-rds-cluster"
allocated_storage = 10
backup_retention_period = 25
tags = {
git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
git_file = "terraform/aws/rds.tf"
git_last_modified_at = "2021-12-08 23:26:32"
git_last_modified_by = "tron47@gmail.com"
git_modifiers = "tron47"
git_org = "rbaccus"
git_repo = "terragoat"
yor_trace = "a0c98536-c751-4743-92f1-a106ce750249"
yor_name = "app9-rds-cluster"
}
storage_encrypted = true
}
HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app9-rds-cluster | Bridgecrew ID: BC_AWS_GENERAL_38 | Checkov ID: CKV_AWS_96

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

🪄 Smart Fix - Fix based on 100% past actions in this repository


@prisma-cloud-devsecops prisma-cloud-devsecops bot Jun 26, 2023


Suggested change
git_org = "rbaccus"
resource "aws_rds_cluster" "app2-rds-cluster" {
cluster_identifier = "app2-rds-cluster"
allocated_storage = 10
backup_retention_period = 1
tags = {
git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
git_file = "terraform/aws/rds.tf"
git_last_modified_at = "2021-12-08 23:26:32"
git_last_modified_by = "tron47@gmail.com"
git_modifiers = "tron47"
git_org = "rbaccus"
git_repo = "terragoat"
yor_trace = "d33c9292-952b-4c1f-9973-b6dbad519461"
yor_name = "app2-rds-cluster"
}
storage_encrypted = true
}
HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app2-rds-cluster | Bridgecrew ID: BC_AWS_GENERAL_38 | Checkov ID: CKV_AWS_96

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

🪄 Smart Fix - Fix based on 100% past actions in this repository


@prisma-cloud-devsecops prisma-cloud-devsecops bot Jun 26, 2023


Suggested change
git_org = "rbaccus"
resource "aws_rds_cluster" "app3-rds-cluster" {
cluster_identifier = "app3-rds-cluster"
allocated_storage = 10
backup_retention_period = 15
tags = {
git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
git_file = "terraform/aws/rds.tf"
git_last_modified_at = "2021-12-08 23:26:32"
git_last_modified_by = "tron47@gmail.com"
git_modifiers = "tron47"
git_org = "rbaccus"
git_repo = "terragoat"
yor_trace = "2a8584b1-7e9d-4739-8e37-366620c92027"
yor_name = "app3-rds-cluster"
}
storage_encrypted = true
}
HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app3-rds-cluster | Bridgecrew ID: BC_AWS_GENERAL_38 | Checkov ID: CKV_AWS_96

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

🪄 Smart Fix - Fix based on 100% past actions in this repository


@prisma-cloud-devsecops prisma-cloud-devsecops bot Jun 26, 2023


Suggested change
git_org = "rbaccus"
resource "aws_rds_cluster" "app8-rds-cluster" {
cluster_identifier = "app8-rds-cluster"
allocated_storage = 10
backup_retention_period = 25
tags = {
git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
git_file = "terraform/aws/rds.tf"
git_last_modified_at = "2021-12-08 23:26:32"
git_last_modified_by = "tron47@gmail.com"
git_modifiers = "tron47"
git_org = "rbaccus"
git_repo = "terragoat"
yor_trace = "af643747-0967-4251-8645-3b54882c2507"
yor_name = "app8-rds-cluster"
}
storage_encrypted = true
}
HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app8-rds-cluster | Bridgecrew ID: BC_AWS_GENERAL_38 | Checkov ID: CKV_AWS_96

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

🪄 Smart Fix - Fix based on 100% past actions in this repository


@prisma-cloud-devsecops prisma-cloud-devsecops bot Jun 26, 2023


HIGH  EC2 user data exposes secrets
    Resource: aws_instance.web_host | Checkov ID: CKV_AWS_46

How to Fix

resource "aws_instance" "web" {
    ...
    instance_type = "t3.micro"
-    user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}

Description

User Data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched.
It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations.
This code is not encrypted.
Removing secrets from easily accessed, unencrypted places reduces the risk of passwords, private keys and more being exposed to third parties.

🎉 Fixed by commit e6602ea - Adding EBS Encryption

🪄 Smart Fix - Fix based on 100% passing policies across your account, click for more fix suggestions


@prisma-cloud-devsecops prisma-cloud-devsecops bot Jun 26, 2023


Suggested change
git_org = "rbaccus"
resource "aws_rds_cluster" "app4-rds-cluster" {
cluster_identifier = "app4-rds-cluster"
allocated_storage = 10
backup_retention_period = 15
tags = {
git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
git_file = "terraform/aws/rds.tf"
git_last_modified_at = "2021-12-08 23:26:32"
git_last_modified_by = "tron47@gmail.com"
git_modifiers = "tron47"
git_org = "rbaccus"
git_repo = "terragoat"
yor_trace = "284aaeed-fd3f-4b7a-b5f8-61a8457f4d83"
yor_name = "app4-rds-cluster"
}
storage_encrypted = true
}
HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app4-rds-cluster | Bridgecrew ID: BC_AWS_GENERAL_38 | Checkov ID: CKV_AWS_96

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

🪄 Smart Fix - Fix based on 100% past actions in this repository


Suggested change
git_org = "rbaccus"
resource "aws_rds_cluster" "app1-rds-cluster" {
cluster_identifier = "app1-rds-cluster"
allocated_storage = 10
backup_retention_period = 0
tags = {
git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
git_file = "terraform/aws/rds.tf"
git_last_modified_at = "2021-12-08 23:26:32"
git_last_modified_by = "tron47@gmail.com"
git_modifiers = "tron47"
git_org = "rbaccus"
git_repo = "terragoat"
yor_trace = "b6f2c2ec-0715-46a0-83d4-502e588826d1"
yor_name = "app1-rds-cluster"
}
storage_encrypted = true
}
HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app1-rds-cluster | Bridgecrew ID: BC_AWS_GENERAL_38 | Checkov ID: CKV_AWS_96

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

🪄 Smart Fix - Fix based on 100% past actions in this repository


@prisma-cloud-devsecops prisma-cloud-devsecops bot Jun 26, 2023


Suggested change
git_org = "rbaccus"
resource "aws_rds_cluster" "app6-rds-cluster" {
cluster_identifier = "app6-rds-cluster"
allocated_storage = 10
backup_retention_period = 15
tags = {
git_commit = "079fe74f6b96d887c245664fbd8cf676c92f20e5"
git_file = "terraform/aws/rds.tf"
git_last_modified_at = "2021-12-08 23:26:32"
git_last_modified_by = "tron47@gmail.com"
git_modifiers = "tron47"
git_org = "rbaccus"
git_repo = "terragoat"
yor_trace = "fcffb961-d859-4be5-997f-d51b50665ada"
yor_name = "app6-rds-cluster"
}
storage_encrypted = true
}
HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app6-rds-cluster | Bridgecrew ID: BC_AWS_GENERAL_38 | Checkov ID: CKV_AWS_96

How to Fix

resource "aws_rds_cluster" "example" {
  ...
  cluster_identifier      = "aurora-cluster-demo"
+ storage_encrypted       = true
  ...
}

Description

This policy examines the resource **aws_rds_cluster** to check that encryption is set up. The property **storage_encrypted** is examined.

🪄 Smart Fix - Fix based on 100% past actions in this repository


HIGH  EBS volumes do not have encrypted launch configurations
    Resource: aws_instance.web_host | Policy ID: 1072680733040327680_AWS_1688463069762 | Checkov ID: CKV_AWS_8

Description

https://docs.bridgecrew.io/docs/general_13


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app9-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app6-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app7-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app8-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app1-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app3-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app2-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app4-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38


HIGH  Not all data stored in Aurora is securely encrypted at rest
    Resource: aws_rds_cluster.app5-rds-cluster | Policy ID: 1072680733040327680_AWS_1688462954414 | Checkov ID: CKV_AWS_96

Description

https://docs.bridgecrew.io/docs/bc_aws_general_38
