diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..c2fe172c
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# CODEOWNERS
+# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners#codeowners-file-location
+
+* @dominodatalab/platform
diff --git a/.gitignore b/.gitignore
index 7a3e2fd0..ea3542c3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,12 @@ # Local .terraform directories **/.terraform/* - +**/resources/* # .tfstate files *.tfstate *.tfstate.* +**.terraform.lock.hcl* +**.terraform.lock.hcl # Crash log files crash.log
@@ -27,3 +29,11 @@ override.tf.json # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* +aws-auth.yaml +domino.pem +domino.pem.pub +k8s-functions.sh +k8s-pre-setup.sh +kubeconfig +mallory.json +domino.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..dbccf714
--- /dev/null
+++ b/.pre-commit-config.yaml
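Review bot: The first .gitignore hunk ignores the dependency lock file (`+**.terraform.lock.hcl*` and `+**.terraform.lock.hcl`), which is the file Terraform uses to pin provider versions and their checksums; with it untracked, every `terraform init` resolves providers afresh inside the loose `>= 4.0` constraint declared in versions.tf, so two runs can fetch different provider builds and nothing verifies their hashes against a committed value. The lock file is meant to be committed, so I would drop those two lines and check `.terraform.lock.hcl` in instead. The second hunk's additions (`domino.pem`, `domino.pem.pub`, `kubeconfig`, `aws-auth.yaml`) are the right call, since they keep key material and cluster credentials produced by the README steps out of the repository.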
@@ -0,0 +1,41 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.3.0
+ hooks:
+ - id: check-merge-conflict
+ - id: end-of-file-fixer
+ - id: no-commit-to-branch
+ - id: check-case-conflict
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.74.1
+ hooks:
+ - id: terraform_docs
+ args:
+ - '--hook-config=--path-to-file=README.md'
+ - '--hook-config=--add-to-existing-file=true'
+ - '--hook-config=--create-file-if-not-exist=true'
+ - '--hook-config=--recursive.enabled=true'
+ - '--hook-config=--recursive.path=submodules'
+ - id: terraform_fmt
+ - id: terraform_tflint
+ args:
+ - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl'
+ - '--args=--only=terraform_deprecated_interpolation'
+ - '--args=--only=terraform_deprecated_index'
+ - '--args=--only=terraform_unused_declarations'
+ - '--args=--only=terraform_comment_syntax'
+ - '--args=--only=terraform_documented_outputs'
+ - '--args=--only=terraform_documented_variables'
+ - '--args=--only=terraform_typed_variables'
+ - '--args=--only=terraform_module_pinned_source'
+ - '--args=--only=terraform_naming_convention'
+ - '--args=--only=terraform_required_version'
+ - '--args=--only=terraform_required_providers'
+ - '--args=--only=terraform_standard_module_structure'
+ - '--args=--only=terraform_workspace_remote'
+ - id: terraform_validate
+ # - id: terrascan # Skipping until they update lifecycle block; Data resources do not have lifecycle settings, so a lifecycle block is not allowed.
+ # args:
+ # - '--args=--non-recursive'
+ # - '--args=--policy-type=aws'
+ # - '--args=--skip-rules=AC_AWS_0369' #Flow logs are enabled, terrascan does not follow the logical path of the resource
diff --git a/.tflint.hcl b/.tflint.hcl
new file mode 100644
index 00000000..6abb90f9
--- /dev/null
+++ b/.tflint.hcl
@@ -0,0 +1,6 @@
+plugin "aws" {
+ enabled = true
+ deep_check = true
+ version = "0.14.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+}
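Review bot: The terrascan hook at the end of the hunk is committed commented out (`# - id: terrascan`), so the only policy scanner in this config never runs and the `--skip-rules=AC_AWS_0369` suppression it was tuned with is dead text; nothing records when it should come back. I would turn that comment into a tracked item, e.g. `# TODO(platform): re-enable terrascan once it accepts lifecycle blocks on data resources`, so the gap stays visible in review. Separately, both `rev:` values (`v4.3.0`, `v1.74.1`) are tags, which the upstream repos can move; pre-commit accepts a full commit SHA in `rev`, which is the stronger pin for hooks that execute on every contributor's machine.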
diff --git a/README.md b/README.md
index 923db1d4..650ffc36 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,142 @@
 # terraform-aws-eks
-Terraform module for deploying a Domino on EKS
+
+## Create SSH Key pair
+### Prerequisites
+* Host with `ssh-keygen` installed
+
+### Command
+```bash
+ ssh-keygen -q -P '' -t rsa -b 4096 -m PEM -f domino.pem
+```
+
+## Create terraform remote state bucket(OPTIONAL)
+* Authenticate with aws, make sure that environment variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID` ,`AWS_SECRET_ACCESS_KEY` are set. If your account has MFA set up you will also need `AWS_SESSION_TOKEN`.
+
+### Prerequisites
+* [awscli](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+* jq (Optional, it parses the api response)
+
+#### 1. Create Bucket(if you already have a bucket just set the `AWS_TERRAFORM_REMOTE_STATE_BUCKET` to its name, and skip this step):
+```bash
+export AWS_ACCOUNT="$(aws sts get-caller-identity | jq -r .Account)"
+export AWS_TERRAFORM_REMOTE_STATE_BUCKET="domino-terraform-rs-${AWS_ACCOUNT}-${AWS_REGION}"
+
+aws s3api create-bucket \
+ --bucket "${AWS_TERRAFORM_REMOTE_STATE_BUCKET}" \
+ --region ${AWS_REGION} \
+ --create-bucket-configuration LocationConstraint="${AWS_REGION}" | jq .
+```
+
+#### Verify bucket exists
+
+```bash
+aws s3api head-bucket --bucket "${AWS_TERRAFORM_REMOTE_STATE_BUCKET}"
+```
+You should NOT see an error.
+
+## 2. Initialize the terraform remote-state
+Create a file called terraform.tf(the name does not matter) with the following content
+```hcl
+terraform {
+ backend "s3" {}
+}
+```
+
+```bash
+### Set the deploy id. This will be used later as well.
+export TF_VAR_deploy_id="domino-eks-1" ## <-- Feel free to rename.
+terraform init -migrate-state \
+ -backend-config="bucket=${AWS_TERRAFORM_REMOTE_STATE_BUCKET}" \
+ -backend-config="key=domino-eks/${TF_VAR_deploy_id}" \
+ -backend-config="region=${AWS_REGION}"
+```
+
+
+
+## If you need to delete the bucket
+
+```bash
+
+aws s3 rb s3://"${AWS_TERRAFORM_REMOTE_STATE_BUCKET}" --force
+```
+
+# Terraform-docs
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.2.0 |
+| [aws](#requirement\_aws) | >= 4.0 |
+| [local](#requirement\_local) | >= 2.2.0 |
+| [null](#requirement\_null) | >= 3.1.1 |
+| [tls](#requirement\_tls) | >= 3.4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 4.26.0 |
+| [null](#provider\_null) | 3.1.1 |
+| [tls](#provider\_tls) | 4.0.1 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [bastion](#module\_bastion) | ./submodules/bastion | n/a |
+| [eks](#module\_eks) | ./submodules/eks | n/a |
+| [k8s\_setup](#module\_k8s\_setup) | ./submodules/k8s | n/a |
+| [network](#module\_network) | ./submodules/network | n/a |
+| [storage](#module\_storage) | ./submodules/storage | n/a |
+| [subnets\_cidr](#module\_subnets\_cidr) | ./submodules/subnets-cidr | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_key_pair.domino](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_ec2_instance_type_offerings.nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type_offerings) | data source |
+| [null_data_source.validate_zones](https://registry.terraform.io/providers/hashicorp/null/latest/docs/data-sources/data_source) | data source |
+| 
[tls_public_key.domino](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/public_key) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [additional\_node\_groups](#input\_additional\_node\_groups) | Additional EKS managed node groups definition. |
map(object({
ami = optional(string)
name = string
instance_type = string
min_per_az = number
max_per_az = number
desired_per_az = number
label = string
volume = object({
size = string
type = string
})
}))
| `{}` | no |
+| [availability\_zones](#input\_availability\_zones) | List of Availibility zones to distribute the deployment, EKS needs at least 2,https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.
Note that setting this variable bypasses validation of the status of the zones data 'aws\_availability\_zones' 'available'.
Caller is responsible for validating status of these zones. | `list(string)` | `[]` | no |
+| [base\_cidr\_block](#input\_base\_cidr\_block) | CIDR block to serve the main private and public subnets. | `string` | `"10.0.0.0/16"` | no |
+| [bastion\_ami\_id](#input\_bastion\_ami\_id) | AMI ID for the bastion EC2 instance, otherwise we will use the latest 'amazon\_linux\_2' ami | `string` | `""` | no |
+| [create\_bastion](#input\_create\_bastion) | Create bastion toggle. | `bool` | `false` | no |
+| [default\_node\_groups](#input\_default\_node\_groups) | EKS managed node groups definition. |
object({
compute = object({
name = string
ami = optional(string)
instance_type = string
min_per_az = number
max_per_az = number
desired_per_az = number
volume = object({
size = string
type = string
})
}),
platform = object({
name = string
ami = optional(string)
instance_type = string
min_per_az = number
max_per_az = number
desired_per_az = number
volume = object({
size = string
type = string
})
}),
gpu = object({
name = string
ami = optional(string)
instance_type = string
min_per_az = number
max_per_az = number
desired_per_az = number
volume = object({
size = string
type = string
})
})
})
|
{
"compute": {
"desired_per_az": 1,
"instance_type": "m5.2xlarge",
"max_per_az": 10,
"min_per_az": 0,
"name": "compute",
"volume": {
"size": "100",
"type": "gp3"
}
},
"gpu": {
"desired_per_az": 0,
"instance_type": "g4dn.xlarge",
"max_per_az": 10,
"min_per_az": 0,
"name": "gpu",
"volume": {
"size": "100",
"type": "gp3"
}
},
"platform": {
"desired_per_az": 1,
"instance_type": "m5.4xlarge",
"max_per_az": 10,
"min_per_az": 0,
"name": "platform",
"volume": {
"size": "100",
"type": "gp3"
}
}
}
| no |
+| [deploy\_id](#input\_deploy\_id) | Domino Deployment ID. | `string` | `"domino-eks"` | no |
+| [efs\_access\_point\_path](#input\_efs\_access\_point\_path) | Filesystem path for efs. | `string` | `"/domino"` | no |
+| [eks\_master\_role\_names](#input\_eks\_master\_role\_names) | IAM role names to be added as masters in eks. | `list(string)` | `[]` | no |
+| [enable\_vpc\_endpoints\_s3](#input\_enable\_vpc\_endpoints\_s3) | Enable VPC endpoints for S3 service. This is intented for mission critical, highly available deployments | `bool` | `false` | no |
+| [k8s\_version](#input\_k8s\_version) | EKS cluster k8s version. | `string` | `"1.23"` | no |
+| [number\_of\_azs](#input\_number\_of\_azs) | Number of AZ to distribute the deployment, EKS needs at least 2. | `number` | `3` | no |
+| [private\_cidr\_network\_bits](#input\_private\_cidr\_network\_bits) | Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs. | `number` | `19` | no |
+| [public\_cidr\_network\_bits](#input\_public\_cidr\_network\_bits) | Number of network bits to allocate to the public subnet. i.e /27 -> 32 IPs. | `number` | `27` | no |
+| [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
+| [route53\_hosted\_zone\_name](#input\_route53\_hosted\_zone\_name) | AWS Route53 Hosted zone. | `string` | n/a | yes |
+| [s3\_force\_destroy\_on\_deletion](#input\_s3\_force\_destroy\_on\_deletion) | Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets | `bool` | `false` | no |
+| [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes |
+| [tags](#input\_tags) | Deployment tags. | `map(string)` | `{}` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID for bringing your own vpc, will bypass creation of such. 
| `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [deploy\_id](#output\_deploy\_id) | Deployment ID. |
+| [efs\_access\_point\_id](#output\_efs\_access\_point\_id) | EFS access\_point id |
+| [efs\_file\_system\_id](#output\_efs\_file\_system\_id) | EFS filesystem id |
+| [efs\_volume\_handle](#output\_efs\_volume\_handle) | EFS volume handle :: |
+| [hostname](#output\_hostname) | Domino instance URL. |
+| [k8s\_tunnel\_command](#output\_k8s\_tunnel\_command) | Command to run the k8s tunnel mallory. |
+| [region](#output\_region) | Deployment region. |
+| [ssh\_bastion\_command](#output\_ssh\_bastion\_command) | Command to ssh into the bastion host |
+
diff --git a/main.tf b/main.tf
new file mode 100644
index 00000000..209d6395
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,156 @@
+# Validating zone offerings.
+
+# Check the zones where the instance types are being offered
+data "aws_ec2_instance_type_offerings" "nodes" {
+ for_each = merge(var.default_node_groups, var.additional_node_groups)
+
+ filter {
+ name = "instance-type"
+ values = [each.value.instance_type]
+ }
+
+ location_type = "availability-zone"
+
+ lifecycle {
+ # Validating the number of zones is greater than 2. EKS needs at least 2.
+ postcondition {
+ condition = length(toset(self.locations)) >= 2
+ error_message = "Availability of the instance types does not satisfy the number of zones"
+ }
+ }
+}
+
+# Get "available" azs for the region
+data "aws_availability_zones" "available" {
+ state = "available"
+ filter {
+ name = "region-name"
+ values = [var.region]
+ }
+}
+
+locals {
+ # Get zones where ALL instance types are offered(intersection).
+ zone_intersection_instance_offerings = setintersection([for k, v in data.aws_ec2_instance_type_offerings.nodes : toset(v.locations)]...)
+ # Get the zones that are available and offered in the region for the instance types.
+ az_names = length(var.availability_zones) > 0 ? var.availability_zones : data.aws_availability_zones.available.names
+ offered_azs = setintersection(local.zone_intersection_instance_offerings, toset(local.az_names))
+ available_azs_data = zipmap(data.aws_availability_zones.available.names, data.aws_availability_zones.available.zone_ids)
+ # Getting the required azs name and id.
+ bastion_user = "ec2-user"
+ working_dir = path.cwd
+ ssh_pvt_key_path = "${local.working_dir}/${var.ssh_pvt_key_path}"
+ kubeconfig_path = "${local.working_dir}/kubeconfig"
+}
+
+# Validate that the number of offered and available zones satisfy the number of required zones. 
https://github.com/hashicorp/terraform/issues/31122 may result in a more elegant validation and deprecation of the null_data_source
+data "null_data_source" "validate_zones" {
+ inputs = {
+ validated = true
+ }
+ lifecycle {
+ precondition {
+ condition = length(local.offered_azs) >= var.number_of_azs
+ error_message = "Availability of the instance types does not satisfy the desired number of zones, or the desired number of zones is higher than the available/offered zones"
+ }
+ }
+}
+
+locals {
+ availability_zones = { for name in slice(tolist(local.offered_azs), 0, var.number_of_azs) : name => local.available_azs_data[name] if data.null_data_source.validate_zones.outputs["validated"] }
+}
+
+## Importing SSH pvt key to access bastion and EKS nodes
+
+data "tls_public_key" "domino" {
+ private_key_openssh = file(var.ssh_pvt_key_path)
+}
+
+resource "aws_key_pair" "domino" {
+ key_name = var.deploy_id
+ public_key = trimspace(data.tls_public_key.domino.public_key_openssh)
+}
+
+module "subnets_cidr" {
+ source = "./submodules/subnets-cidr"
+ availability_zones = local.availability_zones
+ base_cidr_block = var.base_cidr_block
+ public_cidr_network_bits = var.public_cidr_network_bits
+ private_cidr_network_bits = var.private_cidr_network_bits
+ subnet_name_prefix = var.deploy_id
+}
+
+module "network" {
+ source = "./submodules/network"
+ region = var.region
+ public_subnets = module.subnets_cidr.public_subnets
+ private_subnets = module.subnets_cidr.private_subnets
+ deploy_id = var.deploy_id
+ base_cidr_block = var.base_cidr_block
+ vpc_id = var.vpc_id
+ enable_vpc_endpoints_s3 = var.enable_vpc_endpoints_s3
+ monitoring_s3_bucket_arn = module.storage.monitoring_s3_bucket_arn
+
+}
+
+locals {
+ public_subnets = module.network.public_subnets
+ private_subnets = module.network.private_subnets
+}
+
+module "storage" {
+ source = "./submodules/storage"
+ deploy_id = var.deploy_id
+ efs_access_point_path = var.efs_access_point_path
+ s3_force_destroy_on_deletion = 
var.s3_force_destroy_on_deletion
+ subnets = [for s in local.private_subnets : {
+ name = s.name
+ id = s.id
+ cidr_block = s.cidr_block
+ }]
+ vpc_id = module.network.vpc_id
+}
+
+module "bastion" {
+ count = var.create_bastion ? 1 : 0
+
+ source = "./submodules/bastion"
+ region = var.region
+ vpc_id = module.network.vpc_id
+ deploy_id = var.deploy_id
+ ssh_pvt_key_path = aws_key_pair.domino.key_name
+ bastion_public_subnet_id = local.public_subnets[0].id
+ bastion_ami_id = var.bastion_ami_id
+}
+
+module "eks" {
+ source = "./submodules/eks"
+ region = var.region
+ k8s_version = var.k8s_version
+ vpc_id = module.network.vpc_id
+ deploy_id = var.deploy_id
+ private_subnets = local.private_subnets
+ ssh_pvt_key_path = aws_key_pair.domino.key_name
+ route53_hosted_zone_name = var.route53_hosted_zone_name
+ bastion_security_group_id = try(module.bastion[0].security_group_id, "")
+ create_bastion_sg = var.create_bastion
+ kubeconfig_path = local.kubeconfig_path
+ default_node_groups = var.default_node_groups
+ additional_node_groups = var.additional_node_groups
+ s3_buckets = module.storage.s3_buckets
+}
+
+module "k8s_setup" {
+ source = "./submodules/k8s"
+ ssh_pvt_key_path = abspath(local.ssh_pvt_key_path)
+ bastion_user = local.bastion_user
+ bastion_public_ip = try(module.bastion[0].public_ip, "")
+ k8s_cluster_endpoint = module.eks.cluster_endpoint
+ managed_nodes_role_arns = module.eks.managed_nodes_role_arns
+ eks_master_role_names = concat(var.eks_master_role_names, module.eks.eks_master_role_name)
+ kubeconfig_path = local.kubeconfig_path
+ depends_on = [
+ module.eks,
+ module.bastion
+ ]
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100755
index 00000000..a9a1c0af
--- /dev/null
+++ b/outputs.tf
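Review bot: `data "tls_public_key" "domino"` feeds the SSH private key into Terraform via `file(var.ssh_pvt_key_path)`, and a data source's arguments are persisted in the state, so the private key material lands in the remote state bucket the README sets up rather than staying on the operator's machine. The README's `ssh-keygen` step already writes `domino.pem.pub` (and .gitignore lists it), so `aws_key_pair.domino` can be built from the public half alone, e.g. `public_key = trimspace(file("${var.ssh_pvt_key_path}.pub"))`, dropping the `tls_public_key` data source entirely. Also note the two path conventions in this hunk: the data source uses the raw `var.ssh_pvt_key_path` while `local.ssh_pvt_key_path` prefixes it with `path.cwd`, so an absolute input would resolve for the key pair but yield a wrong path for `module.k8s_setup`; a comment on `ssh_pvt_key_path` stating that it must be relative to the working directory would avoid that surprise. The naming in `module "bastion"` and `module "eks"` is also misleading — `ssh_pvt_key_path = aws_key_pair.domino.key_name` passes a key pair name, not a path.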
@@ -0,0 +1,39 @@
+output "ssh_bastion_command" {
+ description = "Command to ssh into the bastion host"
+ value = "ssh -i ${local.ssh_pvt_key_path} -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no ${local.bastion_user}@${module.bastion[0].public_ip}"
+}
+
+output "k8s_tunnel_command" {
+ description = "Command to run the k8s tunnel mallory."
+ value = module.k8s_setup.k8s_tunnel_command
+}
+
+output "hostname" {
+ description = "Domino instance URL."
+ value = "${var.deploy_id}.${var.route53_hosted_zone_name}"
+}
+
+output "efs_volume_handle" {
+ description = "EFS volume handle ::"
+ value = module.storage.efs_volume_handle
+}
+
+output "efs_access_point_id" {
+ description = "EFS access_point id"
+ value = module.storage.efs_access_point_id
+}
+
+output "efs_file_system_id" {
+ description = "EFS filesystem id"
+ value = module.storage.efs_file_system_id
+}
+
+output "region" {
+ description = "Deployment region."
+ value = var.region
+}
+
+output "deploy_id" {
+ description = "Deployment ID."
+ value = var.deploy_id
+}
diff --git a/submodules/bastion/README.md b/submodules/bastion/README.md
new file mode 100644
index 00000000..d5888279
--- /dev/null
+++ b/submodules/bastion/README.md
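Review bot: `output "ssh_bastion_command"` indexes `module.bastion[0].public_ip` unconditionally, but `module "bastion"` in main.tf is declared with `count = var.create_bastion ? 1 : 0` and the documented default for `create_bastion` is `false`, so the default configuration fails the plan with an invalid index on this output. main.tf already guards the same reference with `try(module.bastion[0].public_ip, "")`; the output should follow suit, e.g. `value = try("ssh -i ${local.ssh_pvt_key_path} -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no ${local.bastion_user}@${module.bastion[0].public_ip}", "")`. The printed command also disables host-key verification (`-oStrictHostKeyChecking=no` plus a null known_hosts file), so a user cannot tell an impostor at the bastion's address from the real host; `-oStrictHostKeyChecking=accept-new` keeps the first-connection convenience while pinning the key for later sessions.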
@@ -0,0 +1,58 @@
+# bastion
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 4.22.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eip.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
+| [aws_iam_instance_profile.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_policy.bastion_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.bastion_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_instance.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_security_group.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_ami.amazon_linux_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| 
[aws_iam_policy_document.bastion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.bastion_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [bastion\_ami\_id](#input\_bastion\_ami\_id) | AMI ID for the bastion EC2 instance, otherwise we will use the latest 'amazon\_linux\_2' ami. | `string` | `""` | no |
+| [bastion\_public\_subnet\_id](#input\_bastion\_public\_subnet\_id) | Public subnet to create bastion host in. | `string` | n/a | yes |
+| [bastion\_security\_group\_rules](#input\_bastion\_security\_group\_rules) | Bastion host security group rules. |
map(object({
protocol = string
from_port = string
to_port = string
type = string
description = string
cidr_blocks = list(string)
source_security_group_id = string

}))
|
{
"bastion_inbound_ssh": {
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Inbound ssh",
"from_port": "22",
"protocol": "-1",
"source_security_group_id": null,
"to_port": "22",
"type": "ingress"
},
"bastion_outbound_traffic": {
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all outbound traffic by default",
"from_port": "0",
"protocol": "-1",
"source_security_group_id": null,
"to_port": "0",
"type": "egress"
}
}
| no |
+| [deploy\_id](#input\_deploy\_id) | Domino Deployment ID | `string` | n/a | yes |
+| [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
+| [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes |
+| [vpc\_id](#input\_vpc\_id) | VPC ID. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [public\_ip](#output\_public\_ip) | Bastion host public ip. |
+| [security\_group\_id](#output\_security\_group\_id) | Bastion host security group id. |
+
diff --git a/submodules/bastion/main.tf b/submodules/bastion/main.tf
new file mode 100644
index 00000000..192d7e17
--- /dev/null
+++ b/submodules/bastion/main.tf
@@ -0,0 +1,168 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "aws_account" {}
+
+locals {
+ dns_suffix = data.aws_partition.current.dns_suffix
+ aws_account_id = data.aws_caller_identity.aws_account.account_id
+}
+
+resource "aws_security_group" "bastion" {
+ name = "${var.deploy_id}-bastion"
+ description = "Bastion security group"
+ vpc_id = var.vpc_id
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ tags = {
+ "Name" = "${var.deploy_id}-bastion"
+ }
+}
+resource "aws_security_group_rule" "bastion" {
+ for_each = var.bastion_security_group_rules
+
+ security_group_id = aws_security_group.bastion.id
+ protocol = each.value.protocol
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ type = each.value.type
+ description = each.value.description
+ cidr_blocks = try(each.value.cidr_blocks, null)
+ source_security_group_id = try(each.value.source_security_group_id, null)
+}
+## Bastion iam role
+data "aws_iam_policy_document" "bastion" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.${local.dns_suffix}"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${local.aws_account_id}:root"]
+ }
+ }
+}
+
+resource "aws_iam_role" "bastion" {
+ assume_role_policy = data.aws_iam_policy_document.bastion.json
+ name = "${var.deploy_id}-bastion"
+ tags = {
+ "Name" = "${var.deploy_id}-bastion"
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "bastion" {
+ policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+ role = aws_iam_role.bastion.name
+}
+
+resource "aws_iam_instance_profile" "bastion" {
+ name = "${var.deploy_id}-bastion"
+ role = aws_iam_role.bastion.name
+}
+
+data "aws_ami" "amazon_linux_2" {
+ count = var.bastion_ami_id == "" ? 
1 : 0
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+locals {
+ bastion_ami_id = var.bastion_ami_id != "" ? var.bastion_ami_id : data.aws_ami.amazon_linux_2[0].id
+}
+
+resource "aws_instance" "bastion" {
+ ami = local.bastion_ami_id
+ associate_public_ip_address = true
+ iam_instance_profile = aws_iam_instance_profile.bastion.name
+ monitoring = true
+
+ capacity_reservation_specification {
+ capacity_reservation_preference = "open"
+ }
+
+ disable_api_termination = false
+ ebs_optimized = false
+
+ enclave_options {
+ enabled = false
+ }
+
+ get_password_data = false
+ hibernation = false
+ instance_initiated_shutdown_behavior = "stop"
+ instance_type = "t2.micro"
+ key_name = var.ssh_pvt_key_path
+
+ metadata_options {
+ http_endpoint = "enabled"
+ http_put_response_hop_limit = "1"
+ http_tokens = "required"
+ instance_metadata_tags = "disabled"
+ }
+
+ root_block_device {
+ delete_on_termination = true
+ encrypted = true
+ iops = "3000"
+ throughput = "125"
+ volume_size = "40"
+ volume_type = "gp3"
+ }
+
+ source_dest_check = true
+ subnet_id = var.bastion_public_subnet_id
+
+ vpc_security_group_ids = [aws_security_group.bastion.id]
+ tags = {
+ "Name" = "${var.deploy_id}-bastion"
+ }
+ lifecycle {
+ ignore_changes = [
+ root_block_device[0].tags,
+ ]
+ }
+}
+
+resource "aws_eip" "bastion" {
+ instance = aws_instance.bastion.id
+ network_border_group = var.region
+ vpc = true
+}
+
+data "aws_iam_policy_document" "bastion_assume_role" {
+ statement {
+
+ effect = "Allow"
+ resources = [aws_iam_role.bastion.arn]
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_policy" "bastion_assume_role" {
+ name = "${var.deploy_id}-bastion-assume"
+
+ description = "Allows bastion to assume a role"
+ policy = data.aws_iam_policy_document.bastion_assume_role.json
+}
+
+
+resource "aws_iam_role_policy_attachment" "bastion_assume_role" {
+ policy_arn = aws_iam_policy.bastion_assume_role.arn
+ role = 
aws_iam_role.bastion.name
+}
diff --git a/submodules/bastion/outputs.tf b/submodules/bastion/outputs.tf
new file mode 100644
index 00000000..985b3736
--- /dev/null
+++ b/submodules/bastion/outputs.tf
@@ -0,0 +1,9 @@
+output "security_group_id" {
+ description = "Bastion host security group id."
+ value = aws_security_group.bastion.id
+}
+
+output "public_ip" {
+ description = "Bastion host public ip."
+ value = aws_eip.bastion.public_ip
+}
diff --git a/submodules/bastion/variables.tf b/submodules/bastion/variables.tf
new file mode 100644
index 00000000..03e1b557
--- /dev/null
+++ b/submodules/bastion/variables.tf
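Review bot: The second `statement` in `data "aws_iam_policy_document" "bastion"` trusts `arn:aws:iam::${local.aws_account_id}:root`, which delegates to the whole account: any IAM principal whose own policy allows `sts:AssumeRole` can take on the bastion instance role and whatever is attached to it (currently `AmazonSSMManagedInstanceCore`). If that is intended it deserves a comment naming the callers it exists for; otherwise the statement should go, or list the specific operator roles in `identifiers`. The same block hardcodes the `aws` partition in that ARN and in `policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"` even though the hunk already reads `data.aws_partition.current` for `dns_suffix`, so `arn:${data.aws_partition.current.partition}:iam::...` would keep the module consistent and usable outside the commercial partition. Note also that `aws_iam_policy.bastion_assume_role`, which grants `sts:AssumeRole` on the bastion role, is attached to the bastion role itself at the end of the hunk rather than to whoever is meant to assume it, so its purpose is not clear from this file and warrants a comment.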
@@ -0,0 +1,66 @@
+variable "deploy_id" {
+ type = string
+ description = "Domino Deployment ID"
+}
+
+variable "bastion_ami_id" {
+ description = "AMI ID for the bastion EC2 instance, otherwise we will use the latest 'amazon_linux_2' ami."
+ type = string
+ default = ""
+}
+variable "region" {
+ description = "AWS region for the deployment"
+ type = string
+}
+
+variable "vpc_id" {
+ description = "VPC ID."
+ type = string
+}
+
+variable "ssh_pvt_key_path" {
+ description = "SSH private key filepath."
+ type = string
+}
+
+variable "bastion_public_subnet_id" {
+ description = "Public subnet to create bastion host in."
+ type = string
+}
+
+variable "bastion_security_group_rules" {
+
+ description = "Bastion host security group rules."
+ type = map(object({
+ protocol = string
+ from_port = string
+ to_port = string
+ type = string
+ description = string
+ cidr_blocks = list(string)
+ source_security_group_id = string
+
+ }))
+
+ default = {
+ bastion_outbound_traffic = {
+ protocol = "-1"
+ from_port = "0"
+ to_port = "0"
+ type = "egress"
+ description = "Allow all outbound traffic by default"
+ cidr_blocks = ["0.0.0.0/0"]
+ source_security_group_id = null
+ }
+ bastion_inbound_ssh = {
+ protocol = "-1"
+ from_port = "22"
+ to_port = "22"
+ type = "ingress"
+ description = "Inbound ssh"
+ cidr_blocks = ["0.0.0.0/0"]
+ source_security_group_id = null
+ }
+ }
+
+}
diff --git a/submodules/bastion/versions.tf b/submodules/bastion/versions.tf
new file mode 100644
index 00000000..b4912520
--- /dev/null
+++ b/submodules/bastion/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ }
+}
diff --git a/submodules/eks/README.md b/submodules/eks/README.md
new file mode 100644
index 00000000..de436d1f
--- /dev/null
+++ b/submodules/eks/README.md
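Review bot: The default `bastion_inbound_ssh` rule combines `protocol = "-1"` with `from_port = "22"` / `to_port = "22"`. For protocol `-1` (all) AWS ignores the port range, so as written this entry either opens every port on the bastion to `0.0.0.0/0` or is rejected by the provider's port validation — in neither case is it the port-22-only rule that the description `"Inbound ssh"` promises. The ssh entry should read `protocol = "tcp"`; the egress entry's `-1` with ports `0`/`0` is the consistent form. The `0.0.0.0/0` source is also worth a comment on the variable saying it is a placeholder callers are expected to narrow to their operator address ranges, since `aws_security_group_rule.bastion` in main.tf applies the map as given.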
@@ -0,0 +1,102 @@ +# eks + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.2.0 | +| [aws](#requirement\_aws) | >= 4.0 | +| [null](#requirement\_null) | >= 3.1.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.22.0 | +| [null](#provider\_null) | 3.1.1 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource | +| [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) | resource | +| [aws_eks_node_group.additional_node_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource | +| [aws_eks_node_group.compute](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource | +| [aws_eks_node_group.gpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource | +| [aws_eks_node_group.platform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource | +| [aws_iam_policy.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.domino_ecr_restricted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| 
[aws_iam_policy.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.eks_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.aws_eks_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.custom_eks_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.custom_eks_nodes_route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_key.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_launch_template.additional_node_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | +| [aws_launch_template.compute](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | +| [aws_launch_template.gpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | +| [aws_launch_template.platform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | +| 
[aws_security_group.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.eks_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.bastion_eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [null_resource.kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_ami.eks_gpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.domino_ecr_restricted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.eks_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.snapshot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_node\_groups](#input\_additional\_node\_groups) | Additional EKS managed node groups definition. |
map(object({
name = string
ami = optional(string)
instance_type = string
min_per_az = number
max_per_az = number
desired_per_az = number
label = string
volume = object({
size = string
type = string
})
}))
| `{}` | no | +| [bastion\_security\_group\_id](#input\_bastion\_security\_group\_id) | Bastion security group id. | `string` | `""` | no | +| [create\_bastion\_sg](#input\_create\_bastion\_sg) | Create bastion access rules toggle. | `bool` | n/a | yes | +| [default\_node\_groups](#input\_default\_node\_groups) | EKS managed node groups definition. |
object({
compute = object({
name = string
ami = optional(string)
instance_type = string
min_per_az = number
max_per_az = number
desired_per_az = number
volume = object({
size = string
type = string
})
}),
platform = object({
name = string
ami = optional(string)
instance_type = string
min_per_az = number
max_per_az = number
desired_per_az = number
volume = object({
size = string
type = string
})
}),
gpu = object({
name = string
ami = optional(string)
instance_type = string
min_per_az = number
max_per_az = number
desired_per_az = number
volume = object({
size = string
type = string
})
})
})
| n/a | yes | +| [deploy\_id](#input\_deploy\_id) | Domino Deployment ID | `string` | n/a | yes | +| [eks\_cluster\_addons](#input\_eks\_cluster\_addons) | EKS cluster addons. | `list(string)` |
[
"vpc-cni",
"kube-proxy",
"coredns"
]
| no | +| [eks\_security\_group\_rules](#input\_eks\_security\_group\_rules) | EKS security group rules. |
map(object({
security_group_id = string
protocol = string
from_port = string
to_port = string
type = string
description = string
source_security_group_id = string
}))
| `{}` | no | +| [k8s\_version](#input\_k8s\_version) | EKS cluster k8s version. | `string` | n/a | yes | +| [kubeconfig\_path](#input\_kubeconfig\_path) | Kubeconfig file path. | `string` | `"kubeconfig"` | no | +| [private\_subnets](#input\_private\_subnets) | Private subnets object |
list(object({
cidr_block = string
name = string
type = string
zone = string
zone_id = string
id = string
}))
| n/a | yes | +| [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | +| [route53\_hosted\_zone\_name](#input\_route53\_hosted\_zone\_name) | Route53 zone | `string` | n/a | yes | +| [s3\_buckets](#input\_s3\_buckets) | S3 buckets information that the nodegroups need access to |
list(object({
bucket_name = string
arn = string
}))
| n/a | yes | +| [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | VPC ID. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [cluster\_endpoint](#output\_cluster\_endpoint) | EKS cluster API endpoint. | +| [eks\_master\_role\_name](#output\_eks\_master\_role\_name) | EKS master role arns. | +| [hosted\_zone\_id](#output\_hosted\_zone\_id) | DNS hosted zone ID. | +| [managed\_nodes\_role\_arns](#output\_managed\_nodes\_role\_arns) | EKS managed nodes arns. | +| [nodes\_security\_group\_id](#output\_nodes\_security\_group\_id) | EKS managed nodes security group id. | +| [security\_group\_id](#output\_security\_group\_id) | EKS security group id. | + diff --git a/submodules/eks/cluster.tf b/submodules/eks/cluster.tf new file mode 100755 index 00000000..b1c5ee70 --- /dev/null +++ b/submodules/eks/cluster.tf 
@@ -0,0 +1,128 @@ +## EKS key +data "aws_iam_policy_document" "kms_key" { + statement { + actions = [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", + "kubeconms:GenerateDataKey", + "kms:TagResource", + "kms:UntagResource" + ] + resources = ["*"] + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${local.aws_account_id}:root"] + } + } +} + +resource "aws_kms_key" "eks_cluster" { + customer_master_key_spec = "SYMMETRIC_DEFAULT" + enable_key_rotation = true + is_enabled = true + key_usage = "ENCRYPT_DECRYPT" + multi_region = false + policy = data.aws_iam_policy_document.kms_key.json + tags = { + "Name" = "${local.eks_cluster_name}-eks-cluster" + } +} + +resource "aws_security_group" "eks_cluster" { + name = "${local.eks_cluster_name}-cluster" + description = "EKS cluster security group" + vpc_id = var.vpc_id + + lifecycle { + create_before_destroy = true + } + tags = { + "Name" = "${local.eks_cluster_name}-eks-cluster" + } +} + +resource "aws_security_group_rule" "eks_cluster" { + for_each = local.eks_cluster_security_group_rules + + security_group_id = aws_security_group.eks_cluster.id + protocol = each.value.protocol + from_port = each.value.from_port + to_port = each.value.to_port + type = each.value.type + description = each.value.description + cidr_blocks = try(each.value.cidr_blocks, null) + source_security_group_id = try(each.value.source_security_group_id, null) +} + +resource "aws_cloudwatch_log_group" "eks_cluster" { + name = "/aws/eks/${local.eks_cluster_name}/cluster" +} + +## EKS cluster +resource "aws_eks_cluster" "this" { + name = local.eks_cluster_name + role_arn = aws_iam_role.eks_cluster.arn + enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] + version = var.k8s_version + + encryption_config { + provider 
{ + key_arn = aws_kms_key.eks_cluster.arn + } + resources = ["secrets"] + } + + kubernetes_network_config { + ip_family = "ipv4" + service_ipv4_cidr = "172.20.0.0/16" + } + + + vpc_config { + endpoint_private_access = true + endpoint_public_access = false + security_group_ids = [aws_security_group.eks_cluster.id] + subnet_ids = [for sb in var.private_subnets : sb.id] + } + depends_on = [ + aws_iam_role_policy_attachment.eks_cluster, + aws_cloudwatch_log_group.eks_cluster + ] +} + +resource "aws_eks_addon" "this" { + for_each = toset(var.eks_cluster_addons) + cluster_name = aws_eks_cluster.this.name + resolve_conflicts = "OVERWRITE" + addon_name = each.key + + depends_on = [ + aws_eks_node_group.compute, + aws_eks_node_group.platform, + aws_eks_node_group.gpu, + ] +} + +resource "null_resource" "kubeconfig" { + provisioner "local-exec" { + environment = { + KUBECONFIG = var.kubeconfig_path + } + command = "aws eks update-kubeconfig --region ${var.region} --name ${aws_eks_cluster.this.name}" + } + triggers = { + domino_eks_cluster_ca = aws_eks_cluster.this.certificate_authority[0].data + } + depends_on = [aws_eks_cluster.this] +} diff --git a/submodules/eks/eks-bastion-access.tf b/submodules/eks/eks-bastion-access.tf new file mode 100644 index 00000000..4f70efcb --- /dev/null +++ b/submodules/eks/eks-bastion-access.tf 
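Review bot: The key policy in `data.aws_iam_policy_document.kms_key` lists `"kubeconms:GenerateDataKey"`, which is not an AWS action (it reads like a stray paste over `kms:GenerateDataKey`); KMS is likely to reject the policy as malformed, and if it were accepted the entry would grant nothing. Replace it with `"kms:GenerateDataKey"`. The same statement hardcodes the `arn:aws:` partition for the root principal although this module already reads `data.aws_partition.current` for `policy_arn_prefix` in main.tf: `identifiers = ["arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:root"]`. `aws_cloudwatch_log_group.eks_cluster` sets no `retention_in_days`, so the `api`/`audit`/`authenticator` control-plane logs enabled on `aws_eks_cluster.this` are kept indefinitely; pick an explicit retention (e.g. `retention_in_days = 90`) and, if these logs are treated as sensitive, a `kms_key_id`.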
@@ -0,0 +1,23 @@
+resource "aws_security_group_rule" "bastion_eks" {
+ for_each = { for k, v in local.bastion_eks_security_group_rules : k => v if var.create_bastion_sg }
+
+ security_group_id = each.value.security_group_id
+ protocol = each.value.protocol
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ type = each.value.type
+ description = each.value.description
+ source_security_group_id = each.value.source_security_group_id
+}
+
+resource "aws_security_group_rule" "eks" {
+ for_each = var.eks_security_group_rules
+
+ security_group_id = each.value.security_group_id
+ protocol = each.value.protocol
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ type = each.value.type
+ description = each.value.description
+ source_security_group_id = each.value.source_security_group_id
+}
diff --git a/submodules/eks/iam.tf b/submodules/eks/iam.tf
new file mode 100644
index 00000000..8463a3b9
--- /dev/null
+++ b/submodules/eks/iam.tf
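Review bot: `aws_security_group_rule.bastion_eks` is gated only on `var.create_bastion_sg`, but the rules it reads from `local.bastion_eks_security_group_rules` use `var.bastion_security_group_id` as `security_group_id` or `source_security_group_id`, and that variable defaults to `""` per the module README; with the toggle on and the id left empty the apply fails on an empty security group id with a message that does not point at the real cause. Since the eks module requires Terraform >= 1.2, a `precondition` on the resource makes the dependency explicit and fails early with a clear message. The rest of the resource is unchanged.
```hcl
resource "aws_security_group_rule" "bastion_eks" {
  for_each = { for k, v in local.bastion_eks_security_group_rules : k => v if var.create_bastion_sg }

  # … unchanged: security_group_id, protocol, ports, type, description, source_security_group_id …

  lifecycle {
    precondition {
      condition     = var.bastion_security_group_id != ""
      error_message = "bastion_security_group_id must be set when create_bastion_sg is true."
    }
  }
}
```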
@@ -0,0 +1,317 @@ +## EKS IAM +data "aws_iam_policy_document" "eks_cluster" { + statement { + sid = "EKSClusterAssumeRole" + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["eks.${local.dns_suffix}"] + } + } +} + +resource "aws_iam_role" "eks_cluster" { + name = "${var.deploy_id}-eks" + assume_role_policy = data.aws_iam_policy_document.eks_cluster.json +} + +resource "aws_iam_role_policy_attachment" "eks_cluster" { + policy_arn = "${local.policy_arn_prefix}/AmazonEKSClusterPolicy" + role = aws_iam_role.eks_cluster.name +} + +data "aws_iam_policy_document" "domino_ecr_restricted" { + statement { + + effect = "Deny" + resources = ["arn:aws:ecr:*:${local.aws_account_id}:*"] + + actions = [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer", + ] + + condition { + test = "StringNotEqualsIfExists" + variable = "ecr:ResourceTag/domino-deploy-id" + values = [var.deploy_id] + } + } +} + +resource "aws_iam_policy" "domino_ecr_restricted" { + name = "${var.deploy_id}-DominoEcrRestricted" + path = "/" + policy = data.aws_iam_policy_document.domino_ecr_restricted.json +} + +data "aws_iam_policy_document" "s3" { + statement { + + effect = "Allow" + resources = ["*"] + + actions = [ + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:ListBucketMultipartUploads", + ] + } + + statement { + sid = "" + effect = "Allow" + + resources = [for b in var.s3_buckets : "${b.arn}*"] + + actions = [ + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject", + "s3:ListMultipartUploadParts", + "s3:AbortMultipartUpload", + ] + } +} + +resource "aws_iam_policy" "s3" { + name = "${var.deploy_id}-S3" + path = "/" + policy = data.aws_iam_policy_document.s3.json +} + +data "aws_iam_policy_document" "autoscaler" { + statement { + + effect = "Allow" + resources = ["*"] + + actions = [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeTags", + 
"ec2:DescribeLaunchTemplateVersions", + ] + } + + statement { + + effect = "Allow" + resources = ["*"] + + actions = [ + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup", + ] + + condition { + test = "StringEquals" + variable = "autoscaling:ResourceTag/eks:cluster-name" + values = [var.deploy_id] + } + } +} + +resource "aws_iam_policy" "autoscaler" { + name = "${var.deploy_id}-Autoscaler" + path = "/" + policy = data.aws_iam_policy_document.autoscaler.json +} + +data "aws_iam_policy_document" "ebs_csi" { + statement { + + effect = "Allow" + resources = ["*"] + + actions = [ + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeInstanceStatus", + "ec2:DescribeSnapshots", + "ec2:DescribeTags", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications", + ] + } + + statement { + + effect = "Allow" + resources = ["*"] + + actions = [ + "ec2:CreateSnapshot", + "ec2:AttachVolume", + "ec2:DetachVolume", + "ec2:ModifyVolume", + ] + + condition { + test = "StringLike" + variable = "aws:ResourceTag/kubernetes.io/cluster/${var.deploy_id}" + values = ["owned"] + } + } + + statement { + sid = "" + effect = "Allow" + + resources = [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*", + ] + + actions = ["ec2:CreateTags"] + + condition { + test = "StringEquals" + variable = "ec2:CreateAction" + + values = [ + "CreateVolume", + "CreateSnapshot", + ] + } + } + + statement { + sid = "" + effect = "Allow" + + resources = [ + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:snapshot/*", + ] + + actions = ["ec2:DeleteTags"] + } + + statement { + + effect = "Allow" + resources = ["*"] + actions = ["ec2:CreateVolume"] + + condition { + test = "StringLike" + variable = "aws:RequestTag/KubernetesCluster" + values = [var.deploy_id] + } + } + + statement { + + effect = "Allow" + resources = ["*"] + + actions = [ + "ec2:DeleteVolume", + "ec2:DeleteSnapshot", + ] + + condition { 
+ test = "StringLike" + variable = "aws:ResourceTag/KubernetesCluster" + values = [var.deploy_id] + } + } +} + +resource "aws_iam_policy" "ebs_csi" { + name = "${var.deploy_id}-ebs-csi" + path = "/" + policy = data.aws_iam_policy_document.ebs_csi.json +} + +data "aws_iam_policy_document" "route53" { + statement { + + effect = "Allow" + resources = ["*"] + actions = ["route53:ListHostedZones"] + } + + statement { + + effect = "Allow" + resources = [local.aws_route53_zone_arn] + + actions = [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets", + ] + } +} + +resource "aws_iam_policy" "route53" { + count = var.route53_hosted_zone_name != "" ? 1 : 0 + name = "${var.deploy_id}-Route53" + path = "/" + policy = data.aws_iam_policy_document.route53.json +} + +data "aws_iam_policy_document" "snapshot" { + statement { + + effect = "Allow" + resources = ["*"] + + actions = [ + "ec2:CreateSnapshot", + "ec2:CreateTags", + "ec2:DeleteSnapshot", + "ec2:DeleteTags", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeSnapshots", + "ec2:DescribeTags", + ] + } +} + +resource "aws_iam_policy" "snapshot" { + name = "${var.deploy_id}-snapshot" + path = "/" + policy = data.aws_iam_policy_document.snapshot.json +} + +locals { + + eks_aws_node_iam_policies = toset([ + "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", + "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", + "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + ]) + + eks_custom_node_iam_policies = { + "domino_ecr_restricted" = aws_iam_policy.domino_ecr_restricted.arn, + "s3" = aws_iam_policy.s3.arn, + "autoscaler" = aws_iam_policy.autoscaler.arn, + "ebs_csi" = aws_iam_policy.ebs_csi.arn, + "route53" = try(aws_iam_policy.route53[0].arn, ""), + "snapshot" = aws_iam_policy.snapshot.arn + } +} + +resource "aws_iam_role_policy_attachment" "aws_eks_nodes" { + for_each = toset(local.eks_aws_node_iam_policies) + policy_arn = each.key + role = 
aws_iam_role.eks_nodes.name +} + +resource "aws_iam_role_policy_attachment" "custom_eks_nodes" { + for_each = { for name, arn in local.eks_custom_node_iam_policies : name => arn if name != "route53" } + policy_arn = each.value + role = aws_iam_role.eks_nodes.name +} + +resource "aws_iam_role_policy_attachment" "custom_eks_nodes_route53" { + count = var.route53_hosted_zone_name != "" ? 1 : 0 + policy_arn = local.eks_custom_node_iam_policies["route53"] + role = aws_iam_role.eks_nodes.name +} diff --git a/submodules/eks/main.tf b/submodules/eks/main.tf new file mode 100644 index 00000000..bab5ef79 --- /dev/null +++ b/submodules/eks/main.tf 
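Review bot: In `data.aws_iam_policy_document.s3`, `resources = [for b in var.s3_buckets : "${b.arn}*"]` puts the wildcard directly after the bucket ARN, so it matches not only the bucket and its objects but any bucket whose name starts with the same prefix (e.g. `<bucket>-backup`) and that bucket's objects, giving the node role `s3:GetObject`/`PutObject`/`DeleteObject` outside the intended buckets. Use `resources = flatten([for b in var.s3_buckets : [b.arn, "${b.arn}/*"]])`, and consider scoping the first statement's `s3:ListBucket` from `"*"` to the same bucket ARNs. `data.aws_iam_policy_document.snapshot` allows `ec2:DeleteSnapshot` and `ec2:DeleteTags` on `"*"` with no condition, whereas `ebs_csi` gates `ec2:DeleteSnapshot` on `aws:ResourceTag/KubernetesCluster`; the same condition here would stop nodes from deleting unrelated snapshots in the account. Because all of these policies are attached to the shared `aws_iam_role.eks_nodes` instance role, any pod that can reach the instance metadata service inherits them, so tightening resource scope matters more than it would for a per-workload role.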
@@ -0,0 +1,270 @@ + +data "aws_partition" "current" {} +data "aws_caller_identity" "aws_account" {} + +locals { + eks_cluster_name = var.deploy_id + aws_account_id = data.aws_caller_identity.aws_account.account_id + dns_suffix = data.aws_partition.current.dns_suffix + policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy" + eks_cluster_security_group_rules = { + ingress_nodes_443 = { + description = "Private subnets to ${local.eks_cluster_name} EKS cluster API" + protocol = "tcp" + from_port = 443 + to_port = 443 + type = "ingress" + cidr_blocks = [for sb in var.private_subnets : sb.cidr_block] + } + egress_nodes_9443 = { + description = "EKS control plane to nodes" + protocol = "tcp" + from_port = 9443 + to_port = 9443 + type = "egress" + cidr_blocks = [for sb in var.private_subnets : sb.cidr_block] + } + egress_nodes_443 = { + description = "${local.eks_cluster_name} EKS cluster API to private subnets" + protocol = "tcp" + from_port = 443 + to_port = 443 + type = "egress" + cidr_blocks = [for sb in var.private_subnets : sb.cidr_block] + } + egress_nodes_kubelet = { + description = "${local.eks_cluster_name} EKS cluster API to private subnets" + protocol = "tcp" + from_port = 10250 + to_port = 10250 + type = "egress" + cidr_blocks = [for sb in var.private_subnets : sb.cidr_block] + } + } + + node_security_group_rules = { + ingress_cluster_9443 = { + description = "Cluster API to node groups 9443, hephaestus" + protocol = "tcp" + from_port = 9443 + to_port = 9443 + type = "ingress" + source_cluster_security_group = true + } + egress_cluster_443 = { + description = "Node groups to cluster API 443" + protocol = "tcp" + from_port = 443 + to_port = 443 + type = "egress" + source_cluster_security_group = true + } + ingress_cluster_443 = { + description = "Cluster API to node groups 443" + protocol = "tcp" + from_port = 443 + to_port = 443 + type = "ingress" + source_cluster_security_group = true + } + ingress_cluster_kubelet = { + description 
= "Cluster API to node kubelets" + protocol = "tcp" + from_port = 10250 + to_port = 10250 + type = "ingress" + source_cluster_security_group = true + } + ingress_cluster_coredns_tcp = { + description = "Cluster to node CoreDNS TCP" + protocol = "tcp" + from_port = 53 + to_port = 53 + type = "ingress" + source_cluster_security_group = true + } + egress_cluster_coredns_tcp = { + description = "Cluster to node CoreDNS TCP" + protocol = "tcp" + from_port = 53 + to_port = 53 + type = "egress" + source_cluster_security_group = true + } + ingress_cluster_coredns_udp = { + description = "Cluster to node CoreDNS UDP" + protocol = "udp" + from_port = 53 + to_port = 53 + type = "ingress" + source_cluster_security_group = true + } + egress_cluster_coredns_udp = { + description = "Cluster to node CoreDNS UDP" + protocol = "udp" + from_port = 53 + to_port = 53 + type = "egress" + source_cluster_security_group = true + } + ingress_self_coredns_tcp = { + description = "Node to node CoreDNS" + protocol = "tcp" + from_port = 53 + to_port = 53 + type = "ingress" + self = true + } + egress_self_coredns_tcp = { + description = "Node to node CoreDNS" + protocol = "tcp" + from_port = 53 + to_port = 53 + type = "egress" + self = true + } + ingress_self_coredns_udp = { + description = "Node to node CoreDNS" + protocol = "udp" + from_port = 53 + to_port = 53 + type = "ingress" + self = true + } + egress_self_coredns_udp = { + description = "Node to node CoreDNS" + protocol = "udp" + from_port = 53 + to_port = 53 + type = "egress" + self = true + } + egress_https = { + description = "Egress all HTTPS to internet" + protocol = "tcp" + from_port = 443 + to_port = 443 + type = "egress" + cidr_blocks = ["0.0.0.0/0"] + } + egress_ntp_tcp = { + description = "Egress NTP/TCP to internet" + protocol = "tcp" + from_port = 123 + to_port = 123 + type = "egress" + cidr_blocks = ["0.0.0.0/0"] + } + egress_ntp_udp = { + description = "Egress NTP/UDP to internet" + protocol = "udp" + from_port = 123 + 
to_port = 123 + type = "egress" + cidr_blocks = ["0.0.0.0/0"] + } + teleport_3024 = { + description = "Access to Teleport" + protocol = "tcp" + from_port = 3024 + to_port = 3024 + type = "egress" + cidr_blocks = ["0.0.0.0/0"] + } + efs_2049 = { + description = "Access to EFS" + protocol = "tcp" + from_port = 2049 + to_port = 2049 + type = "egress" + cidr_blocks = ["0.0.0.0/0"] + } + inter_node_traffic_in_80 = { + description = "Node to node http traffic" + protocol = "tcp" + from_port = 80 + to_port = 80 + type = "ingress" + self = true + } + inter_node_traffic_out_80 = { + description = "Node to node http traffic" + protocol = "tcp" + from_port = 80 + to_port = 80 + type = "egress" + self = true + } + inter_node_traffic_in_443 = { + description = "Node to node https traffic" + protocol = "tcp" + from_port = 443 + to_port = 443 + type = "ingress" + self = true + } + inter_node_traffic_out_443 = { + description = "Node to node https traffic" + protocol = "tcp" + from_port = 443 + to_port = 443 + type = "egress" + self = true + } + inter_node_traffic_in = { + description = "Node to node pod/svc trafic in" + protocol = "tcp" + from_port = 1025 + to_port = 65535 + type = "ingress" + self = true + } + inter_node_traffic_out = { + description = "Node to node pod/svc trafic out" + protocol = "tcp" + from_port = 1025 + to_port = 65535 + type = "egress" + self = true + } + } + + bastion_eks_security_group_rules = { + bastion_to_eks_api = { + description = "Bastion outbound to eks cluster ${local.eks_cluster_name}:443 API" + protocol = "tcp" + from_port = "443" + to_port = "443" + type = "egress" + security_group_id = var.bastion_security_group_id + source_security_group_id = aws_security_group.eks_cluster.id + } + bastion_to_eks_nodes_ssh = { + description = "Bastion ssh to eks cluster nodes outbound" + protocol = "tcp" + from_port = "22" + to_port = "22" + type = "egress" + security_group_id = var.bastion_security_group_id + source_security_group_id = 
aws_security_group.eks_nodes.id + } + eks_api_from_bastion = { + description = "Eks cluster ${local.eks_cluster_name}:443 inbound from bastion" + protocol = "tcp" + from_port = "443" + to_port = "443" + type = "ingress" + security_group_id = aws_security_group.eks_cluster.id + source_security_group_id = var.bastion_security_group_id + } + eks_nodes_ssh_from_bastion = { + description = "Bastion ssh to eks cluster nodes inbound" + protocol = "tcp" + from_port = "22" + to_port = "22" + type = "ingress" + security_group_id = var.bastion_security_group_id + source_security_group_id = aws_security_group.eks_nodes.id + } + } +} diff --git a/submodules/eks/node-group.tf b/submodules/eks/node-group.tf new file mode 100644 index 00000000..bfb14f9f --- /dev/null +++ b/submodules/eks/node-group.tf 
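Review bot: `eks_nodes_ssh_from_bastion` in `local.bastion_eks_security_group_rules` is an `ingress` rule placed on `var.bastion_security_group_id` with `source_security_group_id = aws_security_group.eks_nodes.id`, which permits the nodes to SSH into the bastion; no rule adds SSH ingress on `aws_security_group.eks_nodes` from the bastion, so the intended bastion-to-node path stays closed while the reverse one is opened. Swap the two fields: `security_group_id = aws_security_group.eks_nodes.id` and `source_security_group_id = var.bastion_security_group_id` (the three sibling rules already follow that pattern). Separately, `efs_2049` egress to `0.0.0.0/0` is broader than EFS needs, since mount targets live in the VPC; the private-subnet CIDRs already used for the cluster rules (`[for sb in var.private_subnets : sb.cidr_block]`) would do. The `egress_nodes_kubelet` description repeats the `egress_nodes_443` text; `"${local.eks_cluster_name} EKS cluster API to node kubelets"` would tell the two rules apart in the console.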
@@ -0,0 +1,406 @@ + +## EKS Nodes +data "aws_iam_policy_document" "eks_nodes" { + statement { + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["ec2.${local.dns_suffix}"] + } + } +} + +data "aws_route53_zone" "this" { + name = var.route53_hosted_zone_name + private_zone = false +} + +resource "aws_iam_role" "eks_nodes" { + name = "${local.eks_cluster_name}-eks-nodes" + assume_role_policy = data.aws_iam_policy_document.eks_nodes.json +} + +locals { + # gpu_bootstrap_extra_args = "--node-labels lifecycle=OnDemand --node-labels=dominodatalab.com/node-pool=default-gpu,nvidia.com/gpu=true,dominodatalab.com/domino-node=true --register-with-taints=nvidia.com/gpu=true:NoSchedule" + + aws_route53_zone_arn = data.aws_route53_zone.this.arn + gpu_bootstrap_extra_args = "" + gpu_user_data = base64encode(templatefile("${path.module}/templates/linux_custom.tpl", { + cluster_name = aws_eks_cluster.this.name + cluster_endpoint = aws_eks_cluster.this.endpoint + cluster_auth_base64 = aws_eks_cluster.this.certificate_authority[0].data + bootstrap_extra_args = local.gpu_bootstrap_extra_args + pre_bootstrap_user_data = "" + post_bootstrap_user_data = "echo ALL DONE !!!" + })) + node_group_gpu_ami_id = var.default_node_groups.gpu.ami != null ? var.default_node_groups.gpu.ami : data.aws_ami.eks_gpu.image_id + # node_group_compute_ami_id = var.default_node_groups.compute.ami != null ? 
var.default_node_groups.compute.ami : data.aws_ami.eks_gpu.image_id +} + + +resource "aws_security_group" "eks_nodes" { + name = "${local.eks_cluster_name}-nodes" + description = "EKS cluster Nodes security group" + vpc_id = var.vpc_id + + lifecycle { + create_before_destroy = true + } + tags = { + "Name" = "${local.eks_cluster_name}-eks-nodes" + } +} + +resource "aws_security_group_rule" "node" { + for_each = local.node_security_group_rules + + # Required + security_group_id = aws_security_group.eks_nodes.id + protocol = each.value.protocol + from_port = each.value.from_port + to_port = each.value.to_port + type = each.value.type + description = each.value.description + cidr_blocks = try(each.value.cidr_blocks, null) + self = try(each.value.self, null) + source_security_group_id = try( + each.value.source_security_group_id, + try(each.value.source_cluster_security_group, false) ? aws_security_group.eks_cluster.id : null + ) +} + +data "aws_ami" "eks_gpu" { + filter { + name = "name" + values = ["amazon-eks-gpu-node-${var.k8s_version}-v*"] + } + most_recent = true + owners = ["amazon"] +} + +resource "aws_launch_template" "compute" { + name = "${local.eks_cluster_name}-compute" + disable_api_termination = false + instance_type = var.default_node_groups.compute.instance_type + key_name = var.ssh_pvt_key_path + vpc_security_group_ids = [aws_security_group.eks_nodes.id] + image_id = var.default_node_groups.compute.ami + + block_device_mappings { + device_name = "/dev/xvda" + + ebs { + delete_on_termination = true + encrypted = true + volume_size = var.default_node_groups.compute.volume.size + volume_type = var.default_node_groups.compute.volume.type + } + } + + metadata_options { + http_endpoint = "enabled" + http_put_response_hop_limit = "2" + http_tokens = "required" + } + tag_specifications { + resource_type = "instance" + tags = { + "Name" = "${local.eks_cluster_name}-compute" + } + } + + tag_specifications { + resource_type = "volume" + tags = { + "Name" = 
"${local.eks_cluster_name}-compute" + } + } +} + +resource "aws_eks_node_group" "compute" { + for_each = { for sb in var.private_subnets : sb.zone => sb if lookup(var.default_node_groups, "compute", {}) != {} } + cluster_name = aws_eks_cluster.this.name + node_group_name = "${local.eks_cluster_name}-compute-${each.value.zone}" + node_role_arn = aws_iam_role.eks_nodes.arn + subnet_ids = [each.value.id] + scaling_config { + min_size = var.default_node_groups.compute.min_per_az + max_size = var.default_node_groups.compute.max_per_az + desired_size = var.default_node_groups.compute.desired_per_az + } + + launch_template { + id = aws_launch_template.compute.id + version = aws_launch_template.compute.latest_version + } + + + labels = { + "lifecycle" = "OnDemand" + "dominodatalab.com/node-pool" = "default" + "dominodatalab.com/domino-node" = true + } + + lifecycle { + create_before_destroy = true + ignore_changes = [ + scaling_config[0].desired_size, + ] + } + + depends_on = [ + aws_iam_role_policy_attachment.aws_eks_nodes, + aws_iam_role_policy_attachment.custom_eks_nodes + ] +} + +resource "aws_launch_template" "platform" { + name = "${local.eks_cluster_name}-platform" + disable_api_termination = false + instance_type = var.default_node_groups.platform.instance_type + key_name = var.ssh_pvt_key_path + vpc_security_group_ids = [aws_security_group.eks_nodes.id] + image_id = var.default_node_groups.platform.ami + + block_device_mappings { + device_name = "/dev/xvda" + + ebs { + delete_on_termination = true + encrypted = true + volume_size = var.default_node_groups.platform.volume.size + volume_type = var.default_node_groups.platform.volume.type + } + } + + metadata_options { + http_endpoint = "enabled" + http_put_response_hop_limit = "2" + http_tokens = "required" + } + tag_specifications { + resource_type = "instance" + tags = { + "Name" = "${local.eks_cluster_name}-platform" + } + } + + tag_specifications { + resource_type = "volume" + tags = { + "Name" = 
"${local.eks_cluster_name}-platform" + } + } +} + +resource "aws_eks_node_group" "platform" { + for_each = { for sb in var.private_subnets : sb.zone => sb if lookup(var.default_node_groups, "platform", {}) != {} } + cluster_name = aws_eks_cluster.this.name + node_group_name = "${local.eks_cluster_name}-platform-${each.value.zone}" + node_role_arn = aws_iam_role.eks_nodes.arn + subnet_ids = [each.value.id] + scaling_config { + min_size = var.default_node_groups.platform.min_per_az + max_size = var.default_node_groups.platform.max_per_az + desired_size = var.default_node_groups.platform.desired_per_az + } + + launch_template { + id = aws_launch_template.platform.id + version = aws_launch_template.platform.latest_version + } + + + labels = { + "lifecycle" = "OnDemand" + "dominodatalab.com/node-pool" = "platform" + "dominodatalab.com/domino-node" = true + } + + lifecycle { + create_before_destroy = true + ignore_changes = [ + scaling_config[0].desired_size, + ] + } + + depends_on = [ + aws_iam_role_policy_attachment.aws_eks_nodes, + aws_iam_role_policy_attachment.custom_eks_nodes + ] +} + +resource "aws_launch_template" "gpu" { + name = "${local.eks_cluster_name}-gpu" + image_id = local.node_group_gpu_ami_id + disable_api_termination = false + instance_type = var.default_node_groups.gpu.instance_type + key_name = var.ssh_pvt_key_path + vpc_security_group_ids = [aws_security_group.eks_nodes.id] + user_data = local.gpu_user_data + block_device_mappings { + device_name = "/dev/xvda" + + ebs { + delete_on_termination = true + encrypted = true + volume_size = var.default_node_groups.gpu.volume.size + volume_type = var.default_node_groups.gpu.volume.type + } + } + + metadata_options { + http_endpoint = "enabled" + http_put_response_hop_limit = "2" + http_tokens = "required" + } + tag_specifications { + resource_type = "instance" + tags = { + "Name" = "${local.eks_cluster_name}-gpu" + } + } + + tag_specifications { + resource_type = "volume" + tags = { + "Name" = 
"${local.eks_cluster_name}-gpu" + } + } +} + +resource "aws_eks_node_group" "gpu" { + for_each = { for sb in var.private_subnets : sb.zone => sb if lookup(var.default_node_groups, "gpu", {}) != {} } + cluster_name = aws_eks_cluster.this.name + node_group_name = "${local.eks_cluster_name}-gpu-${each.value.zone}" + node_role_arn = aws_iam_role.eks_nodes.arn + subnet_ids = [each.value.id] + scaling_config { + min_size = var.default_node_groups.gpu.min_per_az + max_size = var.default_node_groups.gpu.max_per_az + desired_size = var.default_node_groups.gpu.desired_per_az + } + + launch_template { + id = aws_launch_template.gpu.id + version = aws_launch_template.gpu.latest_version + } + + taint { + key = "nvidia.com/gpu" + value = true + effect = "NO_SCHEDULE" + } + labels = { + "lifecycle" = "OnDemand" + "dominodatalab.com/node-pool" = "default-gpu" + "dominodatalab.com/domino-node" = true + "nvidia.com/gpu" = true + } + + lifecycle { + create_before_destroy = true + ignore_changes = [ + scaling_config[0].desired_size, + ] + } + + depends_on = [ + aws_iam_role_policy_attachment.aws_eks_nodes, + aws_iam_role_policy_attachment.custom_eks_nodes + ] +} + +## Additional node groups + +locals { + additional_node_groups_per_zone = length(var.additional_node_groups) > 0 ? 
flatten([ + for sb in var.private_subnets : [ + for ng in var.additional_node_groups : { + # ng_resource_id = "${ng.name}-${sb.zone}" + subnet_zone = sb.zone + subnet_id = sb.id + node_group = ng + } + ] + ]) : [] +} + + +resource "aws_launch_template" "additional_node_groups" { + for_each = var.additional_node_groups + name = "${local.eks_cluster_name}-${try(each.value.name, each.key)}" + disable_api_termination = false + instance_type = each.value.instance_type + key_name = var.ssh_pvt_key_path + vpc_security_group_ids = [aws_security_group.eks_nodes.id] + image_id = each.value.ami + + block_device_mappings { + device_name = "/dev/xvda" + + ebs { + delete_on_termination = true + encrypted = true + volume_size = each.value.volume.size + volume_type = each.value.volume.type + } + } + + metadata_options { + http_endpoint = "enabled" + http_put_response_hop_limit = "2" + http_tokens = "required" + } + tag_specifications { + resource_type = "instance" + tags = { + "Name" = "${local.eks_cluster_name}-${try(each.value.name, each.key)}" + } + } + + tag_specifications { + resource_type = "volume" + tags = { + "Name" = "${local.eks_cluster_name}-${try(each.value.name, each.key)}" + } + } +} + +resource "aws_eks_node_group" "additional_node_groups" { + for_each = { for ng in local.additional_node_groups_per_zone : "${ng.node_group.name}-${ng.subnet_zone}" => ng } + cluster_name = aws_eks_cluster.this.name + node_group_name = "${local.eks_cluster_name}-platform-${each.value.subnet_zone}" + node_role_arn = aws_iam_role.eks_nodes.arn + subnet_ids = [each.value.subnet_id] + scaling_config { + min_size = each.value.node_group.min_per_az + max_size = each.value.node_group.max_per_az + desired_size = each.value.node_group.desired_per_az + } + + launch_template { + id = aws_launch_template.additional_node_groups[each.value.node_group.name].id + version = aws_launch_template.additional_node_groups[each.value.node_group.name].latest_version + } + + + labels = { + "lifecycle" = 
"OnDemand" + "dominodatalab.com/node-pool" = each.value.node_group.label + "dominodatalab.com/domino-node" = true + } + + lifecycle { + create_before_destroy = true + ignore_changes = [ + scaling_config[0].desired_size, + ] + } + + depends_on = [ + aws_iam_role_policy_attachment.aws_eks_nodes, + aws_iam_role_policy_attachment.custom_eks_nodes + ] +} diff --git a/submodules/eks/outputs.tf b/submodules/eks/outputs.tf new file mode 100644 index 00000000..6535c6aa --- /dev/null +++ b/submodules/eks/outputs.tf @@ -0,0 +1,30 @@ + +output "security_group_id" { + description = "EKS security group id." + value = aws_security_group.eks_cluster.id +} + +output "nodes_security_group_id" { + description = "EKS managed nodes security group id." + value = aws_security_group.eks_nodes.id +} + +output "cluster_endpoint" { + description = "EKS cluster API endpoint." + value = aws_eks_cluster.this.endpoint +} + +output "managed_nodes_role_arns" { + description = "EKS managed nodes arns." + value = [aws_iam_role.eks_nodes.arn] +} + +output "eks_master_role_name" { + description = "EKS master role arns." + value = [aws_iam_role.eks_cluster.name] +} + +output "hosted_zone_id" { + description = "DNS hosted zone ID." + value = data.aws_route53_zone.this.zone_id +} diff --git a/submodules/eks/templates/linux_custom.tpl b/submodules/eks/templates/linux_custom.tpl new file mode 100644 index 00000000..e6f376dc --- /dev/null +++ b/submodules/eks/templates/linux_custom.tpl 
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -ex
+KUBELET_CONFIG=/etc/kubernetes/kubelet/kubelet-config.json
+echo "$(jq '.eventRecordQPS=0' $KUBELET_CONFIG)" > $KUBELET_CONFIG
+yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
+${pre_bootstrap_user_data ~}
+
+# Custom user data template provided for rendering
+B64_CLUSTER_CA=${cluster_auth_base64}
+API_SERVER_URL=${cluster_endpoint}
+/etc/eks/bootstrap.sh ${cluster_name} ${bootstrap_extra_args} --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL
+${post_bootstrap_user_data ~}
diff --git a/submodules/eks/variables.tf b/submodules/eks/variables.tf
new file mode 100755
index 00000000..ce63f521
--- /dev/null
+++ b/submodules/eks/variables.tf
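Review bot: `echo "$(jq '.eventRecordQPS=0' $KUBELET_CONFIG)" > $KUBELET_CONFIG` silently corrupts the kubelet config if jq fails — a failing command inside a substitution does not trip `set -e`, so the substitution yields an empty string and echo overwrites kubelet-config.json with a blank line, and the node never joins; write to a temporary file first, `jq '.eventRecordQPS=0' "$KUBELET_CONFIG" > "$KUBELET_CONFIG.tmp" && mv "$KUBELET_CONFIG.tmp" "$KUBELET_CONFIG"`. The SSM agent is installed from the unversioned `.../SSMAgent/latest/...` URL, so each node boot can pull a different build and a node image is not reproducible; pin a release (placeholder `<ssm-agent-version>` in the path) and confirm yum's GPG check applies to the package, or drop the line if the EKS-optimized AMI in use already ships the agent. `${bootstrap_extra_args}` is rendered unquoted on purpose so that it can expand to several arguments; a comment `# intentionally unquoted: may expand to multiple bootstrap flags` prevents a later "fix" from breaking it.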
@@ -0,0 +1,156 @@ +variable "deploy_id" { + type = string + description = "Domino Deployment ID" + + validation { + condition = can(regex("^[a-z-0-9]{3,32}$", var.deploy_id)) + error_message = "Argument deploy_id must: start with a letter, contain lowercase alphanumeric characters(can contain hyphens[-]) with length between 3 and 32 characters." + } +} + +variable "region" { + type = string + description = "AWS region for the deployment" +} + +variable "k8s_version" { + type = string + description = "EKS cluster k8s version." +} + +variable "default_node_groups" { + description = "EKS managed node groups definition." + type = object({ + compute = object({ + name = string + ami = optional(string) + instance_type = string + min_per_az = number + max_per_az = number + desired_per_az = number + volume = object({ + size = string + type = string + }) + }), + platform = object({ + name = string + ami = optional(string) + instance_type = string + min_per_az = number + max_per_az = number + desired_per_az = number + volume = object({ + size = string + type = string + }) + }), + gpu = object({ + name = string + ami = optional(string) + instance_type = string + min_per_az = number + max_per_az = number + desired_per_az = number + volume = object({ + size = string + type = string + }) + }) + }) +} + +variable "additional_node_groups" { + description = "Additional EKS managed node groups definition." + type = map(object({ + name = string + ami = optional(string) + instance_type = string + min_per_az = number + max_per_az = number + desired_per_az = number + label = string + volume = object({ + size = string + type = string + }) + })) + default = {} +} + +variable "kubeconfig_path" { + type = string + description = "Kubeconfig file path." 
+ default = "kubeconfig" +} + +variable "private_subnets" { + description = "Private subnets object" + type = list(object({ + cidr_block = string + name = string + type = string + zone = string + zone_id = string + id = string + })) + validation { + condition = length(var.private_subnets) >= 2 + error_message = "EKS deployment needs at least 2 subnets. https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html." + } +} + +variable "vpc_id" { + type = string + description = "VPC ID." +} + +variable "ssh_pvt_key_path" { + type = string + description = "SSH private key filepath." +} + +variable "route53_hosted_zone_name" { + type = string + description = "Route53 zone" +} + +variable "bastion_security_group_id" { + type = string + description = "Bastion security group id." + default = "" +} + +variable "eks_cluster_addons" { + type = list(string) + description = "EKS cluster addons." + default = ["vpc-cni", "kube-proxy", "coredns"] +} + +variable "eks_security_group_rules" { + description = "EKS security group rules." + type = map(object({ + security_group_id = string + protocol = string + from_port = string + to_port = string + type = string + description = string + source_security_group_id = string + })) + default = {} +} + +variable "create_bastion_sg" { + description = "Create bastion access rules toggle." + type = bool +} + +variable "s3_buckets" { + description = "S3 buckets information that the nodegroups need access to" + type = list(object({ + bucket_name = string + arn = string + })) + +} diff --git a/submodules/eks/versions.tf b/submodules/eks/versions.tf new file mode 100644 index 00000000..6b999fcc --- /dev/null +++ b/submodules/eks/versions.tf @@ -0,0 +1,14 @@ +terraform { + experiments = [module_variable_optional_attrs] + required_version = ">= 1.2.0" + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + null = { + source = "hashicorp/null" + version = ">= 3.1.0" + } + } +} 
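Review bot: the `deploy_id` validation regex `^[a-z-0-9]{3,32}$` does not enforce what its `error_message` promises — it accepts a value starting with a digit or a hyphen; `condition = can(regex("^[a-z][a-z0-9-]{2,31}$", var.deploy_id))` matches the message. `eks_security_group_rules` requires `source_security_group_id = string` on every entry, whereas `aws_security_group_rule.node` in node-group.tf also accepts `cidr_blocks`/`self` via `try()`; if this variable feeds a rule resource with the same pattern (that resource is outside this hunk), making those attributes `optional(...)` keeps the two definitions consistent. `bastion_security_group_id` defaults to `""` next to the `create_bastion_sg` toggle; a validation requiring a non-empty id when the toggle is true fails at plan time instead of at apply.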
diff --git a/submodules/k8s/README.md b/submodules/k8s/README.md new file mode 100644 index 00000000..266f4285 --- /dev/null +++ b/submodules/k8s/README.md 
@@ -0,0 +1,53 @@ +# k8s + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.0 | +| [local](#requirement\_local) | >= 2.2.0 | +| [null](#requirement\_null) | >= 3.1.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.22.0 | +| [local](#provider\_local) | 2.2.3 | +| [null](#provider\_null) | 3.1.1 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [local_file.templates](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [null_resource.run_k8s_pre_setup](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_iam_role.eks_master_roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [bastion\_public\_ip](#input\_bastion\_public\_ip) | Bastion host public ip. | `string` | n/a | yes | +| [bastion\_user](#input\_bastion\_user) | ec2 instance user. | `string` | `"ec2-user"` | no | +| [calico\_version](#input\_calico\_version) | Calico operator version. | `string` | `"v1.11.0"` | no | +| [eks\_master\_role\_names](#input\_eks\_master\_role\_names) | IAM role names to be added as masters in eks. | `list(string)` | `[]` | no | +| [k8s\_cluster\_endpoint](#input\_k8s\_cluster\_endpoint) | EKS cluster API endpoint. | `string` | n/a | yes | +| [kubeconfig\_path](#input\_kubeconfig\_path) | Kubeconfig filename. | `string` | `"kubeconfig"` | no | +| [mallory\_local\_normal\_port](#input\_mallory\_local\_normal\_port) | Mallory k8s tunnel normal port. | `string` | `"1315"` | no | +| [mallory\_local\_smart\_port](#input\_mallory\_local\_smart\_port) | Mallory k8s tunnel smart(filters based on the blocked list) port. 
| `string` | `"1316"` | no | +| [managed\_nodes\_role\_arns](#input\_managed\_nodes\_role\_arns) | EKS managed nodes arns to be added to aws-auth for api auth. | `list(string)` | n/a | yes | +| [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [k8s\_tunnel\_command](#output\_k8s\_tunnel\_command) | Command to run the k8s tunnel mallory. | + diff --git a/submodules/k8s/main.tf b/submodules/k8s/main.tf new file mode 100644 index 00000000..f9c82843 --- /dev/null +++ b/submodules/k8s/main.tf 
@@ -0,0 +1,92 @@ +data "aws_iam_role" "eks_master_roles" { + for_each = toset(var.eks_master_role_names) + name = each.key +} + +locals { + mallory_config_filename = "mallory.json" + mallory_container_name = "mallory_k8s_tunnel" + mallory_config_path_container = "/root/.config/${local.mallory_config_filename}" + pvt_key_path_container = "/root/${basename(var.ssh_pvt_key_path)}" + k8s_functions_sh_filename = "k8s-functions.sh" + k8s_functions_sh_template = "k8s-functions.sh.tftpl" + k8s_pre_setup_sh_filename = "k8s-pre-setup.sh" + k8s_pre_setup_sh_template = "k8s-pre-setup.sh.tftpl" + aws_auth_filename = "aws-auth.yaml" + aws_auth_template = "aws-auth.yaml.tftpl" + calico = { + operator_url = "https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/${var.calico_version}/config/master/calico-operator.yaml" + custom_resources_url = "https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/${var.calico_version}/config/master/calico-crs.yaml" + } + + k8s_tunnel_command = "docker run --rm --name ${local.mallory_container_name} -d -v $PWD/${local.mallory_config_filename}:${local.mallory_config_path_container} -p ${var.mallory_local_normal_port}:${var.mallory_local_normal_port} -p ${var.mallory_local_smart_port}:${var.mallory_local_smart_port} -v ${var.ssh_pvt_key_path}:${local.pvt_key_path_container} zoobab/mallory" + + resources_directory = path.cwd + templates_dir = "${path.module}/templates" + + templates = { + k8s_functions_sh = { + filename = local.k8s_functions_sh_filename + content = templatefile("${local.templates_dir}/${local.k8s_functions_sh_template}", { + kubeconfig_path = basename(var.kubeconfig_path) + k8s_tunnel_command = local.k8s_tunnel_command + mallory_port = var.mallory_local_smart_port + mallory_container_name = local.mallory_container_name + mallory_config_file = local.mallory_config_filename + aws_auth_yaml = basename(local.aws_auth_filename) + calico_operator_url = local.calico.operator_url + calico_custom_resources_url = 
local.calico.custom_resources_url + }) + } + + k8s_presetup = { + filename = local.k8s_pre_setup_sh_filename + content = templatefile("${local.templates_dir}/${local.k8s_pre_setup_sh_template}", { + k8s_functions_sh_filename = local.k8s_functions_sh_filename + }) + } + + mallory_k8s_tunnel = { + filename = local.mallory_config_filename + content = jsonencode( + { + "id_rsa" = local.pvt_key_path_container + "local_smart" = ":${var.mallory_local_smart_port}" + "local_normal" = ":${var.mallory_local_normal_port}" + "remote" = "ssh://${var.bastion_user}@${var.bastion_public_ip}:22" + "blocked" = [var.k8s_cluster_endpoint] + }) } + + aws_auth = { + filename = local.aws_auth_filename + content = templatefile("${local.templates_dir}/${local.aws_auth_template}", + { + eks_managed_nodes_role_arns = sort(var.managed_nodes_role_arns) + eks_master_role_arns = try({ for r in sort(var.eks_master_role_names) : r => data.aws_iam_role.eks_master_roles[r].arn }, {}) + + }) + + } + } + +} + +resource "local_file" "templates" { + for_each = { for k, v in local.templates : k => v } + content = each.value.content + filename = "${local.resources_directory}/${each.value.filename}" + directory_permission = "0777" + file_permission = "0744" +} + +resource "null_resource" "run_k8s_pre_setup" { + provisioner "local-exec" { + command = basename(local_file.templates["k8s_presetup"].filename) + interpreter = ["bash", "-ex"] + working_dir = local.resources_directory + } + + depends_on = [ + local_file.templates, + ] +} diff --git a/submodules/k8s/outputs.tf b/submodules/k8s/outputs.tf new file mode 100644 index 00000000..4f1aed84 --- /dev/null +++ b/submodules/k8s/outputs.tf @@ -0,0 +1,4 @@ +output "k8s_tunnel_command" { + description = "Command to run the k8s tunnel mallory." + value = local.k8s_tunnel_command +} diff --git a/submodules/k8s/templates/aws-auth.yaml.tftpl b/submodules/k8s/templates/aws-auth.yaml.tftpl new file mode 100644 index 00000000..51cc304c --- /dev/null 
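Review bot: `local.k8s_tunnel_command` bind-mounts the bastion SSH private key (`-v ${var.ssh_pvt_key_path}:${local.pvt_key_path_container}`) into `zoobab/mallory` with no tag or digest, so whatever that third-party image resolves to at run time receives the key; pin it by digest (`zoobab/mallory@sha256:<digest>`) and bump it deliberately. `docker -v` treats a host path without a leading `/` as a named volume, so a relative `ssh_pvt_key_path` silently mounts an empty volume instead of the key — `abspath(var.ssh_pvt_key_path)` makes the path explicit. `local_file.templates` writes mallory.json (bastion address plus key path) and aws-auth.yaml with `directory_permission = "0777"` and `file_permission = "0744"`; `"0700"`/`"0600"` suffice, since `bash -ex <file>` does not need the exec bit. `null_resource.run_k8s_pre_setup` has no `triggers`, so after the first apply a changed `eks_master_role_names` or `managed_nodes_role_arns` regenerates aws-auth.yaml but never re-applies it; `triggers = { templates = sha256(join("", [for t in local.templates : t.content])) }` ties the run to the rendered content.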
+++ b/submodules/k8s/templates/aws-auth.yaml.tftpl @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: aws-auth + namespace: kube-system +data: + mapRoles: | +%{ for arn in eks_managed_nodes_role_arns ~} + - rolearn: ${arn} + username: system:node:{{EC2PrivateDNSName}} + groups: + - system:bootstrappers + - system:nodes +%{ endfor ~} +%{ for role, arn in eks_master_role_arns ~} + - rolearn: ${arn} + username: ${role} + groups: + - system:masters +%{ endfor ~} diff --git a/submodules/k8s/templates/docker-repo-creds-secret.yaml.tftpl b/submodules/k8s/templates/docker-repo-creds-secret.yaml.tftpl new file mode 100644 index 00000000..4f5765a5 --- /dev/null +++ b/submodules/k8s/templates/docker-repo-creds-secret.yaml.tftpl @@ -0,0 +1,12 @@ +%{ for ns in namespaces ~} +--- +kind: Secret +apiVersion: v1 +metadata: + name: ${name} + namespace: ${ns} +data: + ".dockerconfigjson": ${quay_auth_encoded} +type: kubernetes.io/dockerconfigjson + +%{ endfor ~} diff --git a/submodules/k8s/templates/ebs-storageclass.yaml.tftpl b/submodules/k8s/templates/ebs-storageclass.yaml.tftpl new file mode 100644 index 00000000..4c718c58 --- /dev/null +++ b/submodules/k8s/templates/ebs-storageclass.yaml.tftpl @@ -0,0 +1,12 @@ +--- +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: ${name} +provisioner: ${driver} +parameters: + encrypted: 'true' + type: gp3 +reclaimPolicy: Delete +allowVolumeExpansion: true +volumeBindingMode: WaitForFirstConsumer diff --git a/submodules/k8s/templates/efs-persistent-volume-claim.yaml.tftpl b/submodules/k8s/templates/efs-persistent-volume-claim.yaml.tftpl new file mode 100644 index 00000000..26348e99 --- /dev/null +++ b/submodules/k8s/templates/efs-persistent-volume-claim.yaml.tftpl 
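Review bot: the `eks_master_role_arns` loop grants `system:masters` (full cluster-admin) to each ARN taken from `data.aws_iam_role`, and per the EKS aws-auth documentation a `rolearn` containing an IAM path is not matched, so a master role created under a path silently gets no access while the ConfigMap looks correct; a template comment `# rolearn must not contain an IAM path (aws-auth ignores it); strip the path at the caller` plus a `replace()` in main.tf would make this explicit. `username: ${role}` makes the IAM role name the Kubernetes user that audit logs will show; stating that in the same comment tells operators what to search for. The docker-repo-creds-secret and ebs-storageclass templates added in this commit are not referenced by `local.templates` in main.tf as far as the diff shows; if they are rendered elsewhere a pointer comment helps, otherwise they are dead files.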
@@ -0,0 +1,15 @@ +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: ${pvc_name} + namespace: ${namespace} +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: ${capacity} + volumeName: ${pv_name} + storageClassName: ${storage_class} + volumeMode: Filesystem diff --git a/submodules/k8s/templates/efs-persistent-volume.yaml.tftpl b/submodules/k8s/templates/efs-persistent-volume.yaml.tftpl new file mode 100644 index 00000000..f216e33a --- /dev/null +++ b/submodules/k8s/templates/efs-persistent-volume.yaml.tftpl @@ -0,0 +1,18 @@ +--- +kind: PersistentVolume +apiVersion: v1 +metadata: + name: ${pv_name} +spec: + capacity: + storage: ${capacity} + csi: + driver: ${driver} + volumeHandle: ${efs_volume_handle} + volumeAttributes: + encryptInTransit: 'true' + accessModes: + - ReadWriteMany + persistentVolumeReclaimPolicy: Retain + storageClassName: ${storage_class} + volumeMode: Filesystem diff --git a/submodules/k8s/templates/efs-storageclass.yaml.tftpl b/submodules/k8s/templates/efs-storageclass.yaml.tftpl new file mode 100644 index 00000000..728402aa --- /dev/null +++ b/submodules/k8s/templates/efs-storageclass.yaml.tftpl @@ -0,0 +1,9 @@ +--- +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: ${name} +provisioner: ${driver} +reclaimPolicy: Delete +allowVolumeExpansion: true +volumeBindingMode: Immediate diff --git a/submodules/k8s/templates/k8s-functions.sh.tftpl b/submodules/k8s/templates/k8s-functions.sh.tftpl new file mode 100644 index 00000000..5e7a2beb --- /dev/null +++ b/submodules/k8s/templates/k8s-functions.sh.tftpl 
@@ -0,0 +1,75 @@
+#! /usr/bin/env bash
+
+RED="\e[31m"
+GREEN="\e[32m"
+EC="\e[0m"
+
+open_ssh_tunnel_to_k8s_api() {
+ printf "$GREEN Setting up mallory k8s tunnel... $EC \n"
+ if [[ -z "$https_proxy" ]]; then
+ MALLORY_PORT=${mallory_port}
+ https_proxy=http://localhost:$MALLORY_PORT
+ export https_proxy
+ fi
+
+ if test -f "${mallory_config_file}"; then
+ { docker kill ${mallory_container_name} && docker rm ${mallory_container_name}; } || true
+ eval ${k8s_tunnel_command} && sleep 3
+ else
+ echo "Mallory config file ${mallory_config_file} does not exist." && exit 1
+ fi
+
+ echo
+}
+
+check_kubeconfig() {
+ KUBECONFIG="${kubeconfig_path}"
+ printf "$GREEN Checking if $KUBECONFIG exists... $EC \n"
+ if test -f "$KUBECONFIG"; then
+ echo "$KUBECONFIG exists." && export KUBECONFIG
+ else
+ echo "$KUBECONFIG does not exist." && exit 1
+ fi
+ echo
+}
+
+set_k8s_auth() {
+ AWS_AUTH_YAML="${aws_auth_yaml}"
+ if test -f "$AWS_AUTH_YAML"; then
+ printf "$GREEN Updating $AWS_AUTH_YAML... $EC \n"
+ kubectl apply -f "$AWS_AUTH_YAML"
+ else
+ printf "$RED $AWS_AUTH_YAML does not exist. $EC \n" && exit 1
+ fi
+ echo
+}
+
+install_calico() {
+ CALICO_OPERATOR_YAML_URL=${calico_operator_url}
+ printf "$GREEN Installing Calico Operator $EC \n"
+ kubectl apply -f $CALICO_OPERATOR_YAML_URL || printf "$RED There was an error installing the calico operator"
+ echo
+ CALICO_CRD_YAML_URL=${calico_custom_resources_url}
+ printf "$GREEN Installing Calico Custom resources $EC \n" || printf "$RED There was an error installing the calico CRD"
+ kubectl apply -f $CALICO_CRD_YAML_URL
+ echo
+}
+
+kubectl_apply() {
+ k8s_manifest="$1"
+ if test -f "$k8s_manifest"; then
+ echo "Applying $k8s_manifest..."
+ kubectl apply -f $k8s_manifest
+ else
+ printf "$RED $k8s_manifest does not exist. $EC \n" && exit 1
+ fi
+
+ kubectl apply -f "$k8s_manifest"
+}
+
+close_ssh_tunnel_to_k8s_api() {
+ printf "$GREEN Shutting down mallory k8s tunnel ${mallory_container_name} ... $EC"
+ docker kill "${mallory_container_name}"
+ docker rm "${mallory_container_name}" || true
+ echo
+}
diff --git a/submodules/k8s/templates/k8s-pre-setup.sh.tftpl b/submodules/k8s/templates/k8s-pre-setup.sh.tftpl
new file mode 100644
index 00000000..00dc96ec
--- /dev/null
+++ b/submodules/k8s/templates/k8s-pre-setup.sh.tftpl
@@ -0,0 +1,17 @@
+#! /usr/bin/env bash
+
+RED="\e[31m"
+GREEN="\e[32m"
+EC="\e[0m"
+
+source ${k8s_functions_sh_filename}
+
+main() {
+ open_ssh_tunnel_to_k8s_api
+ check_kubeconfig
+ set_k8s_auth
+ install_calico
+}
+
+trap close_ssh_tunnel_to_k8s_api EXIT
+main
diff --git a/submodules/k8s/templates/k8s-pre-setup.sh.tftpl.back b/submodules/k8s/templates/k8s-pre-setup.sh.tftpl.back
new file mode 100644
index 00000000..64898311
--- /dev/null
+++ b/submodules/k8s/templates/k8s-pre-setup.sh.tftpl.back
@@ -0,0 +1,172 @@ +#! /usr/bin/env bash + +RED="\e[31m" +GREEN="\e[32m" +EC="\e[0m" + +open_ssh_tunnel_to_k8s_api() { + printf "$GREEN Setting up mallory k8s tunnel... $EC \n" + if [[ -z "$https_proxy" ]]; then + MALLORY_PORT=${mallory_port} + https_proxy=http://localhost:$MALLORY_PORT + export https_proxy + fi + eval ${k8s_tunnel_command} && sleep 3 + echo +} + +check_kubeconfig() { + KUBECONFIG="${kubeconfig_path}" + printf "$GREEN Checking if $KUBECONFIG exists... $EC \n" + if test -f "$KUBECONFIG"; then + echo "$KUBECONFIG exists." && export KUBECONFIG + else + echo "$KUBECONFIG does not exist." && exit 1 + fi + echo +} + +set_k8s_auth() {\ + AWS_AUTH_YAML="${aws_auth_yaml}" + if test -f "$AWS_AUTH_YAML"; then + printf "$GREEN Updating $AWS_AUTH_YAML... $EC \n" + kubectl apply -f "$AWS_AUTH_YAML" + else + printf "$RED $AWS_AUTH_YAML does not exist. $EC \n" && exit 1 + fi + echo +} + +install_calico() { + CALICO_OPERATOR_YAML_URL=${calico_operator_url} + printf "$GREEN Installing Calico Operator $EC \n" + kubectl apply -f $CALICO_OPERATOR_YAML_URL || printf "$RED There was an error installing the calico operator" + echo + CALICO_CRD_YAML_URL=${calico_custom_resources_url} + printf "$GREEN Installing Calico Custom resources $EC \n" || printf "$RED There was an error installing the calico CRD" + kubectl apply -f $CALICO_CRD_YAML_URL + echo +} + + +create_namespace() { + namespace=$1 + printf "$GREEN Creating namespace $namespace $EC \n" + kubectl create namespace $namespace --dry-run=client --save-config -o yaml | kubectl apply -f - + echo +} + +helm_install() { + HELM_REPO=${domino_helm_repo} + printf "$RED Make sure you are authenticated with $HELM_REPO $EC \n" + chart_name=$1 + chart_version=$2 + namespace=$3 + + printf "$GREEN Installing helm-chart:$chart_name version:$chart_version $EC \n" + + helm_command="helm upgrade --install $chart_name $HELM_REPO/$chart_name --version $chart_version --namespace $namespace" + echo "$helm_command" + eval "$helm_command" 
+} + +kubectl_apply() { + k8s_manifest="$1" + if test -f "$k8s_manifest"; then + echo "Applying $k8s_manifest..." + kubectl apply -f $k8s_manifest + else + printf "$RED $k8s_manifest does not exist. $EC \n" && exit 1 + fi + + kubectl apply -f "$k8s_manifest" +} + +create_namespaces() { + %{~ for namespace in domino_namespaces ~} + create_namespace ${namespace} + %{~ endfor } + echo +} + +install_helm_charts() { + %{~ for chart in helm_charts ~} + helm_install ${chart.name} ${chart.version} ${domino_namespaces_map[chart.namespace]} + %{~ endfor } + echo +} + +# create_storage_classes() { +# echo "Creating storageclasses..." + +# %{~ for manifest in domino_storage_classes_filenames ~} +# kubectl_apply ${manifest} +# %{~ endfor } +# echo +# } + +create_persistent_volumes() { + printf "$GREEN Creating persistent-volumes... $EC \n" + + %{~ for manifest in domino_persistent_volume_filenames ~} + kubectl_apply ${manifest} + %{~ endfor } + echo +} +create_persistent_volume_claims() { + printf "$GREEN Creating persistent-volume-claims... $EC \n" + + %{~ for manifest in domino_persistent_volume_claims_filenames ~} + kubectl_apply ${manifest} + %{~ endfor } + echo +} +create_persistent_storage() { + create_persistent_volumes && create_persistent_volume_claims +} + +close_ssh_tunnel_to_k8s_api() { + printf "$GREEN Shutting down mallory k8s tunnel ${mallory_container_name} ... $EC" + docker kill "${mallory_container_name}" + docker rm "${mallory_container_name}" || true + echo +} + +create_docker_cred_secret() { + printf "$GREEN Creating domino-quay-repos secret (for domino docker repo pullImageSecret)... $EC" + kubectl create secret \ + docker-registry \ + -o yaml --dry-run=client --save-config \ + --docker-server=quay.io \ + --docker-username=$QUAY_USERNAME \ + --docker-password=$QUAY_PASSWORD \ + --docker-email=. 
${domino_docker_pull_secret_name} | kubectl apply -f - + + echo +} + +create_domino_cm() { + printf "$GREEN Creating configmap for fleetcommand configuration(${domino_config_filename})... $EC" + kubectl create configmap \ + -o yaml --dry-run=client --save-config \ + fleetcommand-agent-config \ + --from-file=${domino_config_filename} | kubectl apply -f - + echo +} + + + +main() { + open_ssh_tunnel_to_k8s_api + check_kubeconfig + set_k8s_auth + # create_namespaces + # create_docker_cred_secret + # create_persistent_storage + install_calico + # create_domino_cm + # install_helm_charts +} + +trap close_ssh_tunnel_to_k8s_api EXIT +main diff --git a/submodules/k8s/variables.tf b/submodules/k8s/variables.tf new file mode 100755 index 00000000..54adddd9 --- /dev/null +++ b/submodules/k8s/variables.tf 
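Review bot: this `.back` file is a backup copy of k8s-pre-setup.sh.tftpl that main.tf never renders as far as the diff shows, so it is dead weight in `templates/` and should be removed (or kept outside the module) rather than shipped; it also carries a stray `\` in `set_k8s_auth() {\` and a `helm_install` that `eval`s a command assembled from its arguments. If any of it is revived, `create_docker_cred_secret` passes `--docker-password=$QUAY_PASSWORD` on the command line, where it is visible in `ps` output and in `bash -x` traces; rendering a dockerconfigjson file and using `kubectl create secret generic <name> --from-file=.dockerconfigjson=<file> --type=kubernetes.io/dockerconfigjson` keeps the credential off argv.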
@@ -0,0 +1,56 @@ +variable "kubeconfig_path" { + type = string + description = "Kubeconfig filename." + default = "kubeconfig" +} + +variable "ssh_pvt_key_path" { + type = string + description = "SSH private key filepath." +} + + +variable "bastion_user" { + type = string + description = "ec2 instance user." + default = "ec2-user" + +} + +variable "bastion_public_ip" { + type = string + description = "Bastion host public ip." +} +variable "k8s_cluster_endpoint" { + type = string + description = "EKS cluster API endpoint." +} + +variable "managed_nodes_role_arns" { + type = list(string) + description = "EKS managed nodes arns to be added to aws-auth for api auth." +} + +variable "eks_master_role_names" { + type = list(string) + description = "IAM role names to be added as masters in eks." + default = [] +} + +variable "mallory_local_normal_port" { + type = string + description = "Mallory k8s tunnel normal port." + default = "1315" +} + +variable "mallory_local_smart_port" { + type = string + description = "Mallory k8s tunnel smart(filters based on the blocked list) port." + default = "1316" +} + +variable "calico_version" { + type = string + description = "Calico operator version." + default = "v1.11.0" +} diff --git a/submodules/k8s/versions.tf b/submodules/k8s/versions.tf new file mode 100644 index 00000000..d6618ab4 --- /dev/null +++ b/submodules/k8s/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.0" + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + null = { + source = "hashicorp/null" + version = ">= 3.1.0" + } + local = { + source = "hashicorp/local" + version = ">= 2.2.0" + } + } +} diff --git a/submodules/network/README.md b/submodules/network/README.md new file mode 100644 index 00000000..20820627 --- /dev/null +++ b/submodules/network/README.md 
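Review bot: `mallory_local_normal_port` and `mallory_local_smart_port` are declared `type = string`, so a non-numeric or out-of-range value is only discovered when the tunnel fails at apply time; declaring them `type = number` with a `validation { condition = var.mallory_local_normal_port > 0 && var.mallory_local_normal_port < 65536 }` block (and the same for the smart port) rejects it at plan time. `calico_version` could carry a similar `can(regex("^v[0-9]+\\.[0-9]+\\.[0-9]+$", var.calico_version))` check matching the form its default already uses, since the value is interpolated into the install step elsewhere in the module.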
@@ -0,0 +1,62 @@ +# network + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.22.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_default_network_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource | +| [aws_eip.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | +| [aws_flow_log.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource | +| [aws_internet_gateway.igw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource | +| [aws_internet_gateway_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway_attachment) | resource | +| [aws_nat_gateway.ngw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource | +| [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| 
[aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | +| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_network_acls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source | +| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [base\_cidr\_block](#input\_base\_cidr\_block) | CIDR block to serve the main private and public subnets | `string` | n/a | yes | +| [deploy\_id](#input\_deploy\_id) | Domino Deployment ID | `string` | `""` | no | +| [enable\_vpc\_endpoints\_s3](#input\_enable\_vpc\_endpoints\_s3) | Enable VPC endpoints for S3 service. This is intented for mission critical, highly available deployments | `bool` | `false` | no | +| [monitoring\_s3\_bucket\_arn](#input\_monitoring\_s3\_bucket\_arn) | Monitoring bucket for vpc flow logging | `string` | n/a | yes | +| [private\_subnets](#input\_private\_subnets) | Private subnets object |
list(object({
cidr_block = string
name = string
type = string
zone = string
zone_id = string
}))
| n/a | yes | +| [public\_subnets](#input\_public\_subnets) | Public subnets object |
list(object({
cidr_block = string
name = string
type = string
zone = string
zone_id = string
}))
| n/a | yes | +| [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | VPC ID. | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [private\_subnets](#output\_private\_subnets) | Private subnets object. Adds id to the object | +| [public\_subnets](#output\_public\_subnets) | Public subnets object. Adds id to the object | +| [vpc\_id](#output\_vpc\_id) | VPC id. | + diff --git a/submodules/network/internet-gateway.tf b/submodules/network/internet-gateway.tf new file mode 100644 index 00000000..5a93d8f9 --- /dev/null +++ b/submodules/network/internet-gateway.tf @@ -0,0 +1,22 @@ +resource "aws_internet_gateway" "igw" { + # vpc_id = local.vpc_id + tags = { + "Name" = "${var.deploy_id}-domino-igw" + } +} + +resource "aws_internet_gateway_attachment" "this" { + internet_gateway_id = aws_internet_gateway.igw.id + vpc_id = local.vpc_id +} + +resource "aws_eip" "public" { + for_each = { for sb in var.public_subnets : sb.name => sb } + network_border_group = var.region + public_ipv4_pool = "amazon" + vpc = true + tags = { + "Name" = each.value.name + } + depends_on = [aws_internet_gateway.igw] +} diff --git a/submodules/network/main.tf b/submodules/network/main.tf new file mode 100644 index 00000000..9739fa14 --- /dev/null +++ b/submodules/network/main.tf 
@@ -0,0 +1,88 @@
+data "aws_vpc" "this" {
+ count = var.vpc_id != "" ? 1 : 0
+ state = "available"
+ id = var.vpc_id
+}
+
+resource "aws_vpc" "this" {
+ count = var.vpc_id != "" ? 0 : 1
+ assign_generated_ipv6_cidr_block = false
+ cidr_block = var.base_cidr_block
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ tags = {
+ "Name" = var.deploy_id
+ }
+}
+
+locals {
+ vpc_id = var.vpc_id != "" ? data.aws_vpc.this[0].id : aws_vpc.this[0].id
+}
+
+resource "aws_vpc_endpoint" "s3" {
+ count = var.enable_vpc_endpoints_s3 ? 1 : 0
+ vpc_id = local.vpc_id
+ service_name = "com.amazonaws.${var.region}.s3"
+ vpc_endpoint_type = "Gateway"
+
+ route_table_ids = concat(
+ [for s in aws_route_table.public : s.id],
+ [for s in aws_route_table.private : s.id]
+ )
+
+ tags = {
+ "Name" = "${var.deploy_id}-s3"
+ }
+}
+
+data "aws_network_acls" "default" {
+ vpc_id = local.vpc_id
+
+ filter {
+ name = "default"
+ values = ["true"]
+ }
+}
+
+resource "aws_default_network_acl" "default" {
+ default_network_acl_id = one(data.aws_network_acls.default.ids)
+
+ egress {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = "0"
+ icmp_code = "0"
+ icmp_type = "0"
+ protocol = "-1"
+ rule_no = "100"
+ to_port = "0"
+ }
+
+ ingress {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = "0"
+ icmp_code = "0"
+ icmp_type = "0"
+ protocol = "-1"
+ rule_no = "100"
+ to_port = "0"
+ }
+
+ subnet_ids = concat(
+ [for s in aws_subnet.public : s.id],
+ [for s in aws_subnet.private : s.id]
+ )
+
+ lifecycle {
+ ignore_changes = [subnet_ids]
+ }
+}
+
+resource "aws_flow_log" "this" {
+ log_destination = var.monitoring_s3_bucket_arn
+ vpc_id = local.vpc_id
+ max_aggregation_interval = 600
+ log_destination_type = "s3"
+ traffic_type = "REJECT"
+}
diff --git a/submodules/network/nat-gateway.tf b/submodules/network/nat-gateway.tf
new file mode 100644
index 00000000..bd5e9c84
--- /dev/null
+++ b/submodules/network/nat-gateway.tf
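Review bot: `aws_flow_log.this` captures only `traffic_type = "REJECT"`, which shows what the NACL and security groups blocked but nothing about accepted flows, so accepted-but-unexpected traffic (for example between the private subnets) leaves no record for a later investigation; `traffic_type = "ALL"` is the usual choice for a monitoring bucket, with the storage-cost trade-off noted in a comment. The `aws_default_network_acl.default` rules allow all ingress and egress from `0.0.0.0/0`, which matches what AWS creates by default, but now that the resource is managed explicitly a comment such as `# default NACL is intentionally permissive; security groups are the enforcement point` would stop a reader from reading it as an oversight. `ignore_changes = [subnet_ids]` also means subnets created outside this module are never reconciled onto the NACL; if that is deliberate, say so next to the lifecycle block.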
@@ -0,0 +1,11 @@
+resource "aws_nat_gateway" "ngw" {
+ for_each = { for sb in var.public_subnets : sb.zone => sb }
+ allocation_id = aws_eip.public[each.value.name].allocation_id
+ connectivity_type = "public"
+ subnet_id = aws_subnet.public[each.value.name].id
+ tags = {
+ "Name" = each.value.name
+ "zone" = each.value.zone
+ }
+ depends_on = [aws_internet_gateway.igw]
+}
diff --git a/submodules/network/outputs.tf b/submodules/network/outputs.tf
new file mode 100644
index 00000000..5c6e8d5b
--- /dev/null
+++ b/submodules/network/outputs.tf
@@ -0,0 +1,32 @@
+output "vpc_id" {
+ description = "VPC id."
+ value = local.vpc_id
+}
+
+output "private_subnets" {
+ description = "Private subnets object. Adds id to the object"
+ value = [for sb in var.private_subnets :
+ {
+ id = aws_subnet.private[sb.name].id
+ name = sb.name
+ cidr_block = sb.cidr_block
+ zone = sb.zone
+ zone_id = sb.zone_id
+ type = sb.type
+ }
+ ]
+}
+
+output "public_subnets" {
+ description = "Public subnets object. Adds id to the object"
+ value = [for sb in var.public_subnets :
+ {
+ id = aws_subnet.public[sb.name].id
+ name = sb.name
+ cidr_block = sb.cidr_block
+ zone = sb.zone
+ zone_id = sb.zone_id
+ type = sb.type
+ }
+ ]
+}
diff --git a/submodules/network/route-tables.tf b/submodules/network/route-tables.tf
new file mode 100644
index 00000000..0514f973
--- /dev/null
+++ b/submodules/network/route-tables.tf
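Review bot: `aws_nat_gateway.ngw` is keyed by `sb.zone` while `aws_eip.public` and `aws_subnet.public` are keyed by `sb.name`, so two public subnets in the same zone produce a duplicate-key error at plan time, and `aws_route_table.private` in route-tables.tf indexes `aws_nat_gateway.ngw[each.value.zone]`, so a private subnet in a zone with no public subnet fails with an invalid-index error. Neither constraint is stated anywhere in the module; a validation on `public_subnets`/`private_subnets` in variables.tf, or at minimum a comment above the `for_each` such as `# one NAT gateway per AZ: public_subnets must have distinct zones and cover every private subnet zone`, would make the failure mode explicit instead of a cryptic plan error.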
@@ -0,0 +1,40 @@
+resource "aws_route_table" "public" {
+ for_each = { for sb in var.public_subnets : sb.name => sb }
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw.id
+ }
+ vpc_id = local.vpc_id
+ tags = {
+ "Name" = each.value.name,
+ "kubernetes.io/role/elb" = "1",
+ "kubernetes.io/cluster/${var.deploy_id}" = "shared",
+ }
+
+}
+
+resource "aws_route_table_association" "public" {
+ for_each = { for sb in var.public_subnets : sb.name => sb }
+ subnet_id = aws_subnet.public[each.value.name].id
+ route_table_id = aws_route_table.public[each.value.name].id
+}
+
+resource "aws_route_table" "private" {
+ for_each = { for sb in var.private_subnets : sb.name => sb }
+ route {
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.ngw[each.value.zone].id
+ }
+ vpc_id = local.vpc_id
+ tags = {
+ "Name" = each.value.name,
+ "kubernetes.io/role/internal-elb" = "1",
+ "kubernetes.io/cluster/${var.deploy_id}" = "shared",
+ }
+}
+
+resource "aws_route_table_association" "private" {
+ for_each = { for sb in var.private_subnets : sb.name => sb }
+ subnet_id = aws_subnet.private[each.value.name].id
+ route_table_id = aws_route_table.private[each.value.name].id
+}
diff --git a/submodules/network/subnets.tf b/submodules/network/subnets.tf
new file mode 100644
index 00000000..fed2c8e8
--- /dev/null
+++ b/submodules/network/subnets.tf
@@ -0,0 +1,25 @@
+resource "aws_subnet" "public" {
+ for_each = { for sb in var.public_subnets : sb.name => sb }
+
+ availability_zone_id = each.value.zone_id
+ vpc_id = local.vpc_id
+ cidr_block = each.value.cidr_block
+ tags = {
+ "Name" = each.value.name,
+ "kubernetes.io/role/elb" = "1",
+ "kubernetes.io/cluster/${var.deploy_id}" = "shared",
+ }
+}
+
+resource "aws_subnet" "private" {
+ for_each = { for sb in var.private_subnets : sb.name => sb }
+
+ availability_zone_id = each.value.zone_id
+ vpc_id = local.vpc_id
+ cidr_block = each.value.cidr_block
+ tags = {
+ "Name" = each.value.name,
+ "kubernetes.io/role/internal-elb" = "1",
+ "kubernetes.io/cluster/${var.deploy_id}" = "shared",
+ }
+}
diff --git a/submodules/network/variables.tf b/submodules/network/variables.tf
new file mode 100644
index 00000000..9ab7c90b
--- /dev/null
+++ b/submodules/network/variables.tf
@@ -0,0 +1,66 @@ +variable "deploy_id" { + type = string + description = "Domino Deployment ID" + default = "" + + validation { + condition = can(regex("^[a-z-0-9]{3,32}$", var.deploy_id)) + error_message = "Argument deploy_id must: start with a letter, contain lowercase alphanumeric characters(can contain hyphens[-]) with length between 3 and 32 characters." + } +} + +variable "region" { + type = string + description = "AWS region for the deployment" +} + +variable "base_cidr_block" { + type = string + description = "CIDR block to serve the main private and public subnets" + validation { + condition = ( + try(cidrhost(var.base_cidr_block, 0), null) == regex("^(.*)/", var.base_cidr_block)[0] && + try(cidrnetmask(var.base_cidr_block), null) == "255.255.0.0" + ) + error_message = "Argument base_cidr_block must be a valid CIDR block." + } +} + +variable "public_subnets" { + description = "Public subnets object" + type = list(object({ + cidr_block = string + name = string + type = string + zone = string + zone_id = string + })) +} + +variable "private_subnets" { + description = "Private subnets object" + type = list(object({ + cidr_block = string + name = string + type = string + zone = string + zone_id = string + })) +} + +variable "vpc_id" { + type = string + description = "VPC ID." + default = "" +} + +variable "monitoring_s3_bucket_arn" { + type = string + description = "Monitoring bucket for vpc flow logging" +} + +variable "enable_vpc_endpoints_s3" { + description = "Enable VPC endpoints for S3 service. This is intented for mission critical, highly available deployments" + type = bool + default = false +} diff --git a/submodules/network/versions.tf b/submodules/network/versions.tf new file mode 100644 index 00000000..b4912520 --- /dev/null +++ b/submodules/network/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.0" + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } +} 
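Review bot: the `deploy_id` validation does not enforce what its `error_message` promises: `^[a-z-0-9]{3,32}$` accepts a leading digit or hyphen, and the declared default `""` always fails the 3-32 length check, so the variable is effectively required even though it is advertised as optional. Either drop `default = ""` or change the condition to `condition = can(regex("^[a-z][a-z0-9-]{2,31}$", var.deploy_id))` so the rule and the message agree. Likewise `base_cidr_block` is rejected unless its netmask is exactly `255.255.0.0`, but the message only says "must be a valid CIDR block"; `error_message = "Argument base_cidr_block must be a valid /16 CIDR block."` would save users a failed plan. The `enable_vpc_endpoints_s3` description also carries a typo (`intented`) that is copied into the generated README.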
diff --git a/submodules/storage/README.md b/submodules/storage/README.md new file mode 100644 index 00000000..7ad6b72b --- /dev/null +++ b/submodules/storage/README.md 
@@ -0,0 +1,70 @@ +# storage + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.22.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_efs_access_point.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_access_point) | resource | +| [aws_efs_file_system.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource | +| [aws_efs_mount_target.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource | +| [aws_s3_bucket.backups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.blobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_logging.buckets_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_policy.buckets_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| 
[aws_s3_bucket_public_access_block.block_public_accss](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_request_payment_configuration.buckets_payer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_request_payment_configuration) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.buckets_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.buckets_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_security_group.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source | +| [aws_elb_service_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.backups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.blobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [deploy\_id](#input\_deploy\_id) | Domino Deployment ID | `string` | n/a | yes | +| [efs\_access\_point\_path](#input\_efs\_access\_point\_path) | Filesystem path for efs. | `string` | `"/domino"` | no | +| [s3\_encryption\_use\_sse\_kms\_key](#input\_s3\_encryption\_use\_sse\_kms\_key) | if true use 'aws:kms' else 'AES256' for the s3 server-side-encryption. | `bool` | `false` | no | +| [s3\_force\_destroy\_on\_deletion](#input\_s3\_force\_destroy\_on\_deletion) | Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets | `bool` | `false` | no | +| [subnets](#input\_subnets) | List of subnet ids to create EFS mount targets |
list(object({
name = string
id = string
cidr_block = string
}))
| n/a | yes | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [efs\_access\_point\_id](#output\_efs\_access\_point\_id) | EFS access\_point id | +| [efs\_file\_system\_id](#output\_efs\_file\_system\_id) | EFS filesystem id | +| [efs\_volume\_handle](#output\_efs\_volume\_handle) | EFS volume handle :: | +| [monitoring\_s3\_bucket\_arn](#output\_monitoring\_s3\_bucket\_arn) | Monitoring bucket arn | +| [s3\_buckets](#output\_s3\_buckets) | S3 buckets name and arn | + diff --git a/submodules/storage/efs.tf b/submodules/storage/efs.tf new file mode 100644 index 00000000..11741d45 --- /dev/null +++ b/submodules/storage/efs.tf @@ -0,0 +1,59 @@ +resource "aws_efs_file_system" "eks" { + encrypted = true + performance_mode = "generalPurpose" + provisioned_throughput_in_mibps = "0" + throughput_mode = "bursting" + + tags = { + "Name" = var.deploy_id + } +} + +resource "aws_security_group" "efs" { + name = "${var.deploy_id}-efs" + description = "EFS security group" + vpc_id = var.vpc_id + + lifecycle { + create_before_destroy = true + } + tags = { + "Name" = "${var.deploy_id}-efs" + } +} + +resource "aws_security_group_rule" "efs" { + security_group_id = aws_security_group.efs.id + protocol = "tcp" + from_port = 2049 + to_port = 2049 + type = "ingress" + description = "EFS access" + cidr_blocks = [for sb in var.subnets : sb.cidr_block] +} + +resource "aws_efs_mount_target" "eks" { + for_each = { for sb in var.subnets : sb.name => sb } + file_system_id = aws_efs_file_system.eks.id + security_groups = [aws_security_group.efs.id] + subnet_id = each.value.id +} + +resource "aws_efs_access_point" "eks" { + file_system_id = aws_efs_file_system.eks.id + + posix_user { + gid = "0" + uid = "0" + } + + root_directory { + creation_info { + owner_gid = "0" + owner_uid = "0" + permissions = "777" + } + + path = var.efs_access_point_path + } +} 
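Review bot: `aws_efs_access_point.eks` pins every client to `posix_user` uid/gid `0` and creates the root directory with `permissions = "777"`, so any pod that can mount the volume acts as root over a world-writable tree; if the workloads only need a shared writable directory, a dedicated non-root uid/gid with `permissions = "770"` gives that without world-write, and if root is genuinely required a comment stating why would help the next reviewer. `aws_security_group_rule.efs` opens TCP 2049 to the full subnet CIDRs rather than to the node security group; that is a common simplification, but recording it in the rule's `description` makes the wider reachability a documented decision rather than an accident. The file system is `encrypted = true` under the AWS-managed key; exposing an optional `kms_key_id` input would let deployments that require customer-managed keys opt in without editing the module.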
diff --git a/submodules/storage/main.tf b/submodules/storage/main.tf new file mode 100644 index 00000000..b511e857 --- /dev/null +++ b/submodules/storage/main.tf @@ -0,0 +1,37 @@ +data "aws_canonical_user_id" "current" {} +data "aws_elb_service_account" "this" {} + +locals { + s3_buckets = { + backups = { + bucket_name = aws_s3_bucket.backups.bucket + id = aws_s3_bucket.backups.id + policy_json = data.aws_iam_policy_document.backups.json + arn = aws_s3_bucket.backups.arn + } + blobs = { + bucket_name = aws_s3_bucket.blobs.bucket + id = aws_s3_bucket.blobs.id + policy_json = data.aws_iam_policy_document.blobs.json + arn = aws_s3_bucket.blobs.arn + } + logs = { + bucket_name = aws_s3_bucket.logs.bucket + id = aws_s3_bucket.logs.id + policy_json = data.aws_iam_policy_document.logs.json + arn = aws_s3_bucket.logs.arn + } + monitoring = { + bucket_name = aws_s3_bucket.monitoring.bucket + id = aws_s3_bucket.monitoring.id + policy_json = data.aws_iam_policy_document.monitoring.json + arn = aws_s3_bucket.monitoring.arn + } + registry = { + bucket_name = aws_s3_bucket.registry.bucket + id = aws_s3_bucket.registry.id + policy_json = data.aws_iam_policy_document.registry.json + arn = aws_s3_bucket.registry.arn + } + } +} diff --git a/submodules/storage/outputs.tf b/submodules/storage/outputs.tf new file mode 100644 index 00000000..14c029a3 --- /dev/null +++ b/submodules/storage/outputs.tf 
@@ -0,0 +1,27 @@
+output "efs_volume_handle" {
+ description = "EFS volume handle ::"
+ value = "${aws_efs_access_point.eks.file_system_id}::${aws_efs_access_point.eks.id}"
+}
+
+output "efs_access_point_id" {
+ description = "EFS access_point id"
+ value = aws_efs_access_point.eks.id
+}
+
+output "efs_file_system_id" {
+ description = "EFS filesystem id"
+ value = aws_efs_file_system.eks.id
+}
+
+output "monitoring_s3_bucket_arn" {
+ description = "Monitoring bucket arn"
+ value = aws_s3_bucket.backups.arn
+}
+
+output "s3_buckets" {
+ description = "S3 buckets name and arn"
+ value = [for b in local.s3_buckets : {
+ "bucket_name" = b.bucket_name,
+ "arn" = b.arn
+ }]
+}
diff --git a/submodules/storage/s3.tf b/submodules/storage/s3.tf
new file mode 100644
index 00000000..6671b3d2
--- /dev/null
+++ b/submodules/storage/s3.tf
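Review bot: `output "monitoring_s3_bucket_arn"` returns `aws_s3_bucket.backups.arn` rather than the monitoring bucket's ARN, which looks like a copy-paste slip; the network module consumes this output as `log_destination` for the VPC flow log, so as written the reject-traffic logs would be delivered into the backups bucket (and delivery would fail outright if only the monitoring bucket's policy grants the log-delivery service write access). The fix is one line: `value = aws_s3_bucket.monitoring.arn`.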
@@ -0,0 +1,440 @@
+
+locals {
+ s3_server_side_encryption = var.s3_encryption_use_sse_kms_key ? "aws:kms" : "AES256"
+}
+resource "aws_s3_bucket" "backups" {
+ bucket = "${var.deploy_id}-backups"
+ force_destroy = var.s3_force_destroy_on_deletion
+ object_lock_enabled = false
+
+}
+
+data "aws_iam_policy_document" "backups" {
+ statement {
+ effect = "Deny"
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.backups.bucket}",
+ "arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*",
+ ]
+
+ actions = ["s3:*"]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+ statement {
+ sid = "DenyIncorrectEncryptionHeader"
+ effect = "Deny"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "StringNotEquals"
+ variable = "s3:x-amz-server-side-encryption"
+ values = [local.s3_server_side_encryption]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+ statement {
+ sid = "DenyUnEncryptedObjectUploads"
+ effect = "Deny"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "Null"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["true"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+}
+
+resource "aws_s3_bucket" "blobs" {
+ bucket = "${var.deploy_id}-blobs"
+ force_destroy = var.s3_force_destroy_on_deletion
+ object_lock_enabled = false
+
+}
+
+data "aws_iam_policy_document" "blobs" {
+ statement {
+
+ effect = "Deny"
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.blobs.bucket}",
+ "arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*",
+ ]
+
+ actions = ["s3:*"]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+
+ statement {
+ sid = "DenyIncorrectEncryptionHeader"
+ effect = "Deny"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "StringNotEquals"
+ variable = "s3:x-amz-server-side-encryption"
+ values = [local.s3_server_side_encryption]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+ statement {
+ sid = "DenyUnEncryptedObjectUploads"
+ effect = "Deny"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "Null"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["true"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+}
+
+resource "aws_s3_bucket" "logs" {
+ bucket = "${var.deploy_id}-logs"
+ force_destroy = var.s3_force_destroy_on_deletion
+ object_lock_enabled = false
+
+}
+
+data "aws_iam_policy_document" "logs" {
+ statement {
+
+ effect = "Deny"
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.logs.bucket}",
+ "arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*",
+ ]
+
+ actions = ["s3:*"]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+ statement {
+ sid = "DenyIncorrectEncryptionHeader"
+ effect = "Deny"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "StringNotEquals"
+ variable = "s3:x-amz-server-side-encryption"
+ values = [local.s3_server_side_encryption]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+ statement {
+ sid = "DenyUnEncryptedObjectUploads"
+ effect = "Deny"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "Null"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["true"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+}
+
+resource "aws_s3_bucket" "monitoring" {
+ bucket = "${var.deploy_id}-monitoring"
+ force_destroy = var.s3_force_destroy_on_deletion
+ object_lock_enabled = false
+
+}
+
+data "aws_iam_policy_document" "monitoring" {
+ statement {
+
+ effect = "Deny"
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}",
+ "arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*",
+ ]
+
+ actions = ["s3:*"]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+ statement {
+ sid = ""
+ effect = "Allow"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*"]
+
+ actions = [
+ "s3:PutObject*",
+ "s3:Abort*",
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [data.aws_elb_service_account.this.arn]
+ }
+ }
+
+ statement {
+ sid = "AWSLogDeliveryWrite"
+ effect = "Allow"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "StringEquals"
+ variable = "s3:x-amz-acl"
+ values = ["bucket-owner-full-control"]
+ }
+
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+ }
+
+ statement {
+ sid = "AWSLogDeliveryCheck"
+ effect = "Allow"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}"]
+
+ actions = [
+ "s3:GetBucketAcl",
+ "s3:ListBucket",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_s3_bucket_acl" "monitoring" {
+ bucket = aws_s3_bucket.monitoring.id
+
+ access_control_policy {
+
+ owner {
+ id = data.aws_canonical_user_id.current.id
+ }
+
+ grant {
+ grantee {
+ type = "CanonicalUser"
+ id = data.aws_canonical_user_id.current.id
+ }
+ permission = "FULL_CONTROL"
+ }
+
+ grant {
+ grantee {
+ type = "Group"
+ uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+ }
+ permission = "WRITE"
+ }
+
+ grant {
+ grantee {
+ type = "Group"
+ uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+ }
+ permission = "READ_ACP"
+ }
+ }
+}
+
+resource "aws_s3_bucket" "registry" {
+ bucket = "${var.deploy_id}-registry"
+ force_destroy = var.s3_force_destroy_on_deletion
+ object_lock_enabled = false
+
+}
+
+data "aws_iam_policy_document" "registry" {
+ statement {
+ effect = "Deny"
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.registry.bucket}",
+ "arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*",
+ ]
+
+ actions = ["s3:*"]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+ statement {
+ sid = "DenyIncorrectEncryptionHeader"
+ effect = "Deny"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "StringNotEquals"
+ variable = "s3:x-amz-server-side-encryption"
+ values = [local.s3_server_side_encryption]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+
+ statement {
+ sid = "DenyUnEncryptedObjectUploads"
+ effect = "Deny"
+ resources = ["arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*"]
+ actions = ["s3:PutObject"]
+
+ condition {
+ test = "Null"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["true"]
+ }
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "buckets_policies" {
+ for_each = local.s3_buckets
+ bucket = each.value.id
+ policy = each.value.policy_json
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "buckets_encryption" {
+ for_each = local.s3_buckets
+
+ bucket = each.value.bucket_name
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = local.s3_server_side_encryption
+ }
+ bucket_key_enabled = false
+ }
+}
+
+resource "aws_s3_bucket_request_payment_configuration" "buckets_payer" {
+ for_each = local.s3_buckets
+ bucket = each.value.bucket_name
+ payer = "BucketOwner"
+}
+
+resource "aws_s3_bucket_logging" "buckets_logging" {
+ for_each = { for k, v in local.s3_buckets : k => v if v.bucket_name != aws_s3_bucket.monitoring.bucket }
+ bucket = each.value.id
+ target_bucket = aws_s3_bucket.monitoring.bucket
+ target_prefix = "${each.value.bucket_name}/"
+}
+
+resource "aws_s3_bucket_versioning" "buckets_versioning" {
+ for_each = local.s3_buckets
+ bucket = each.value.id
+
+ versioning_configuration {
+ status = "Enabled"
+ mfa_delete = "Disabled"
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "block_public_accss" {
+ for_each = local.s3_buckets
+ bucket = each.value.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
diff --git a/submodules/storage/variables.tf b/submodules/storage/variables.tf
new file mode 100755
index 00000000..d35781e8
--- /dev/null
+++ b/submodules/storage/variables.tf
@@ -0,0 +1,44 @@
+variable "deploy_id" {
+ type = string
+ description = "Domino Deployment ID"
+
+ validation {
+ condition = can(regex("^[a-z-0-9]{3,32}$", var.deploy_id))
+ error_message = "Argument deploy_id must: start with a letter, contain lowercase alphanumeric characters(can contain hyphens[-]) with length between 3 and 32 characters."
+ }
+}
+
+
+variable "efs_access_point_path" {
+ type = string
+ description = "Filesystem path for efs."
+ default = "/domino"
+
+}
+
+variable "subnets" {
+ type = list(object({
+ name = string
+ id = string
+ cidr_block = string
+ }))
+ description = "List of subnet ids to create EFS mount targets"
+}
+
+variable "vpc_id" {
+ description = "VPC ID"
+ type = string
+
+}
+
+variable "s3_force_destroy_on_deletion" {
+ description = "Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets"
+ type = bool
+ default = false
+}
+
+variable "s3_encryption_use_sse_kms_key" {
+ description = "if true use 'aws:kms' else 'AES256' for the s3 server-side-encryption."
+ type = bool
+ default = false
+}
diff --git a/submodules/storage/versions.tf b/submodules/storage/versions.tf
new file mode 100644
index 00000000..ca6fac6f
--- /dev/null
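Review bot: Setting `s3_encryption_use_sse_kms_key = true` switches the default encryption of all five buckets to `aws:kms`, including `monitoring`, which the policy in this hunk opens to the ELB service account for access-log delivery; ELB access logs support SSE-S3 only, and since no `kms_master_key_id` is given the AWS-managed `aws/s3` key would be used, so the KMS toggle most likely breaks log delivery to that bucket. The smallest fix in `buckets_encryption` is `sse_algorithm = each.key == "monitoring" ? "AES256" : local.s3_server_side_encryption` with a comment naming the constraint; a `kms_key_id` variable wired into `apply_server_side_encryption_by_default` would additionally let the other buckets use a customer-managed key instead of the account default. The `aws_s3_bucket_acl` block grants the `LogDelivery` group `WRITE`/`READ_ACP`, which only works while the bucket's object ownership still honours ACLs; if the account default is `BucketOwnerEnforced` this apply fails, so an explicit `aws_s3_bucket_ownership_controls` resource next to it would make that dependency visible (presumably — depends on account settings). Minor: the resource name `block_public_accss` is a typo for `block_public_access`.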
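Review bot: The `deploy_id` validation regex `^[a-z-0-9]{3,32}$` accepts a leading hyphen or digit, which contradicts its own error message ("must: start with a letter"); `^[a-z][a-z0-9-]{2,31}$` matches what the message promises. The same regex/message pair is repeated for `subnet_name_prefix` in `submodules/subnets-cidr/variables.tf`, where the message additionally names `deploy_id` rather than the variable it validates. Minor: `Toogle` in the `s3_force_destroy_on_deletion` description is a typo for `Toggle`.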
+++ b/submodules/storage/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+
+ required_version = ">= 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ }
+}
diff --git a/submodules/subnets-cidr/README.md b/submodules/subnets-cidr/README.md
new file mode 100644
index 00000000..9c6a906d
--- /dev/null
+++ b/submodules/subnets-cidr/README.md
@@ -0,0 +1,53 @@
+## Example
+```hcl
+ module "subnets" {
+ source = "../submodules/cidr-subnets"
+ availability_zones = var.availability_zones
+ pod_base_cidr_block = var.pod_base_cidr_block
+ base_cidr_block = var.base_cidr_block
+ public_cidr_network_bits = var.public_cidr_mask
+ private_cidr_network_bits = var.private_cidr_mask
+ subnet_name_prefix = var.deploy_id
+ }
+
+ output "subnets" {
+ value = module.subnets_cidr
+ }
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [availability\_zones](#input\_availability\_zones) | Map of availability zone: names - > ids where the subnets will be created | `map(string)` |
{
"us-west-2a": "usw2-az1",
"us-west-2b": "usw2-az2",
"us-west-2c": "usw2-az3"
}
| no |
+| [base\_cidr\_block](#input\_base\_cidr\_block) | CIDR block to serve the main private and public subnets | `string` | `"10.0.0.0/16"` | no |
+| [private\_cidr\_network\_bits](#input\_private\_cidr\_network\_bits) | Number of network bits to allocate to the public subnet. i.e /19 -> 8,190 IPs | `number` | `19` | no |
+| [public\_cidr\_network\_bits](#input\_public\_cidr\_network\_bits) | Number of network bits to allocate to the public subnet. i.e /27 -> 30 IPs | `number` | `27` | no |
+| [subnet\_name\_prefix](#input\_subnet\_name\_prefix) | String to serve as a prefix/identifier when naming the subnets | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [private\_subnets](#output\_private\_subnets) | Map containing the CIDR information for the private subnets |
+| [public\_subnets](#output\_public\_subnets) | Map containing the CIDR information for the public subnets |
+
diff --git a/submodules/subnets-cidr/main.tf b/submodules/subnets-cidr/main.tf
new file mode 100644
index 00000000..0b879869
--- /dev/null
+++ b/submodules/subnets-cidr/main.tf
@@ -0,0 +1,40 @@
+locals {
+ availability_zones = var.availability_zones
+ availability_zones_number = length(local.availability_zones)
+
+ ## Calculating public and private subnets based on the base base cidr and desired network bits
+ base_cidr_network_bits = tonumber(regex("[^/]*$", var.base_cidr_block))
+ ## We have one Cidr to carve the nw bits for both pvt and public subnets
+ ## `...local.availability_zones_number * 2)` --> we have 2 types private and public subnets
+ new_bits_list = [for n in range(0, local.availability_zones_number * 2) : (n % 2 == 0 ? var.private_cidr_network_bits - local.base_cidr_network_bits : var.public_cidr_network_bits - local.base_cidr_network_bits)]
+ subnets_cidr_blocks = cidrsubnets(var.base_cidr_block, local.new_bits_list...)
+
+ ## Match the public subnet var to the list of cidr blocks
+ public_subnets_cidr_blocks = [for sn in local.subnets_cidr_blocks : sn if length(regexall(".*/${var.public_cidr_network_bits}.*", sn)) > 0]
+ ## Match the private subnet var to the list of cidr blocks
+ private_subnets_cidr_blocks = [for sn in local.subnets_cidr_blocks : sn if length(regexall(".*/${var.private_cidr_network_bits}.*", sn)) > 0]
+
+ ## Get the public subnets by matching the mask and populating its params
+ public_subnets = [
+ for i, sn in local.public_subnets_cidr_blocks :
+ {
+ "cidr_block" = sn,
+ "zone" = element(keys(local.availability_zones), i % floor(i / length(local.availability_zones))),
+ "zone_id" = element(values(local.availability_zones), i % floor(i / length(local.availability_zones))),
+ "name" = "${var.subnet_name_prefix}-PublicSubnet-${element(keys(local.availability_zones), i % floor(i / length(local.availability_zones)))}-${i + 1}",
+ "type" = "public"
+ }
+ ]
+
+ ## Get the private subnets by matching the mask and populating its params
+ private_subnets = [
+ for i, sn in local.private_subnets_cidr_blocks :
+ {
+ "cidr_block" = sn,
+ "zone" = element(keys(local.availability_zones), i % floor(i / length(local.availability_zones))),
+ "zone_id" = element(values(local.availability_zones), i % floor(i / length(local.availability_zones))),
+ "name" = "${var.subnet_name_prefix}-PrivateSubnet-${element(keys(local.availability_zones), i % floor(i / length(local.availability_zones)))}-${i + 1}",
+ "type" = "private"
+ }
+ ]
+}
diff --git a/submodules/subnets-cidr/outputs.tf b/submodules/subnets-cidr/outputs.tf
new file mode 100644
index 00000000..ece2060f
--- /dev/null
+++ b/submodules/subnets-cidr/outputs.tf
@@ -0,0 +1,25 @@
+output "public_subnets" {
+ description = "Map containing the CIDR information for the public subnets"
+ value = [for k, v in local.public_subnets :
+ {
+ name = v.name
+ cidr_block = v.cidr_block
+ zone = v.zone
+ zone_id = v.zone_id
+ type = v.type
+ }
+ ]
+}
+
+output "private_subnets" {
+ description = "Map containing the CIDR information for the private subnets"
+ value = [for k, v in local.private_subnets :
+ {
+ name = v.name
+ cidr_block = v.cidr_block
+ zone = v.zone
+ zone_id = v.zone_id
+ type = v.type
+ }
+ ]
+}
diff --git a/submodules/subnets-cidr/variables.tf b/submodules/subnets-cidr/variables.tf
new file mode 100644
index 00000000..88c59945
--- /dev/null
+++ b/submodules/subnets-cidr/variables.tf
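Review bot: The availability-zone index `i % floor(i / length(local.availability_zones))` is wrong for every `i`: below the zone count `floor(i / n)` is 0, so the expression is `i % 0` (a division-by-zero error, or at best a meaningless value — I have not verified how Terraform evaluates it), and for larger `i` it still does not cycle through the zones (e.g. `i = 4, n = 3` gives `4 % 1 = 0`, not 1). `element()` already wraps around the list, so `element(keys(local.availability_zones), i)` and `element(values(local.availability_zones), i)` in both the `public_subnets` and `private_subnets` blocks are all that is needed. The regex split into `public_subnets_cidr_blocks`/`private_subnets_cidr_blocks` also collapses when `public_cidr_network_bits == private_cidr_network_bits`, since every block then lands in both lists; a validation that the two differ, or at least a comment stating the assumption, would help.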
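Review bot: Both output descriptions say `Map containing the CIDR information ...`, but the value is a list of objects produced by the `for` expression, so a consumer who trusts the docs will index it like a map and fail; `List of objects (name, cidr_block, zone, zone_id, type) describing the public subnets` (and the private counterpart) matches what is emitted. The `k` in `for k, v in local.public_subnets` is unused in both outputs, so `for v in local.public_subnets` reads more honestly.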
@@ -0,0 +1,55 @@
+variable "availability_zones" {
+ type = map(string)
+
+ default = {
+ "us-west-2a" = "usw2-az1",
+ "us-west-2b" = "usw2-az2",
+ "us-west-2c" = "usw2-az3"
+ }
+
+ description = "Map of availability zone: names - > ids where the subnets will be created"
+ validation {
+ condition = (
+ length(compact(keys(var.availability_zones))) == length(compact(keys(var.availability_zones))) &&
+ length(compact(values(var.availability_zones))) == length(compact(values(var.availability_zones))) &&
+ length(distinct(keys(var.availability_zones))) == length(keys(var.availability_zones)) &&
+ length(distinct(values(var.availability_zones))) == length(values(var.availability_zones))
+ )
+ error_message = "Argument availability_zones must not contain any duplicate/empty key or value."
+ }
+}
+
+variable "base_cidr_block" {
+ type = string
+ default = "10.0.0.0/16"
+ description = "CIDR block to serve the main private and public subnets"
+ validation {
+ condition = (
+ try(cidrhost(var.base_cidr_block, 0), null) == regex("^(.*)/", var.base_cidr_block)[0] &&
+ try(cidrnetmask(var.base_cidr_block), null) == "255.255.0.0"
+ )
+ error_message = "Argument base_cidr_block must be a valid CIDR block."
+ }
+}
+
+variable "public_cidr_network_bits" {
+ type = number
+ description = "Number of network bits to allocate to the public subnet. i.e /27 -> 30 IPs"
+ default = 27
+}
+
+variable "private_cidr_network_bits" {
+ type = number
+ description = "Number of network bits to allocate to the public subnet. i.e /19 -> 8,190 IPs"
+ default = 19
+}
+
+variable "subnet_name_prefix" {
+ type = string
+ description = "String to serve as a prefix/identifier when naming the subnets"
+
+ validation {
+ condition = can(regex("^[a-z-0-9]{3,32}$", var.subnet_name_prefix))
+ error_message = "Argument deploy_id must: start with a letter, contain lowercase alphanumeric characters(can contain hyphens[-]) with length between 3 and 32 characters."
+ }
+}
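Review bot: The first two clauses of the `availability_zones` validation compare an expression with itself (`length(compact(keys(...))) == length(compact(keys(...)))`), so they are always true and the empty-key/empty-value case the error message promises to reject is never caught; they should read `length(compact(keys(var.availability_zones))) == length(keys(var.availability_zones))` and `length(compact(values(var.availability_zones))) == length(values(var.availability_zones))`. The `base_cidr_block` validation requires `cidrnetmask(...) == "255.255.0.0"`, i.e. only a /16 passes, while the error message only says the value must be a valid CIDR block; either drop the mask clause or make the message say `must be a valid /16 CIDR block`. The `private_cidr_network_bits` description is copied from the public one (`... allocate to the public subnet`), and the `subnet_name_prefix` error message names `deploy_id` instead of the variable it validates.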
diff --git a/submodules/subnets-cidr/versions.tf b/submodules/subnets-cidr/versions.tf
new file mode 100644
index 00000000..7117131f
--- /dev/null
+++ b/submodules/subnets-cidr/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 1.0"
+}
diff --git a/terraform_tflint.txt b/terraform_tflint.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/terraform_tfsec.txt b/terraform_tfsec.txt
new file mode 100644
index 00000000..5dbe38d8
--- /dev/null
+++ b/terraform_tfsec.txt
@@ -0,0 +1,4630 @@ +Terraform validate with tfsec............................................Failed +- hook id: terraform_tfsec +- exit code: 1 + +Results #1-2 HIGH IAM policy document uses sensitive action 'ec2:CreateTags' on wildcarded resource 'arn:aws:ec2:*:*:volume/*' (2 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/eks/iam.tf Lines 149-152 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 149 โ”‚  resources = [ + 150 โ”‚  "arn:aws:ec2:*:*:volume/*", + 151 โ”‚  "arn:aws:ec2:*:*:snapshot/*", + 152 โ”‚  ] +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/main.tf:74-89 (module.eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/main.tf:74-89 (module.eks) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. 
+ + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Results #3-4 HIGH IAM policy document uses sensitive action 'ec2:DeleteTags' on wildcarded resource 'arn:aws:ec2:*:*:volume/*' (2 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/eks/iam.tf Lines 171-174 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 171 โ”‚  resources = [ + 172 โ”‚  "arn:aws:ec2:*:*:volume/*", + 173 โ”‚  "arn:aws:ec2:*:*:snapshot/*", + 174 โ”‚  ] +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/main.tf:74-89 (module.eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/main.tf:74-89 (module.eks) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may 
grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #5 HIGH IAM policy document uses sensitive action 'ec2:DeleteVolume' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/eks/iam.tf Line 195 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 192 โ”‚  statement { + 193 โ”‚  + 194 โ”‚  effect = "Allow" + 195 โ”‚  resources = ["*"] + 196 โ”‚  + 197 โ”‚  actions = [ + 198 โ”‚  "ec2:DeleteVolume", + 199 โ”‚  "ec2:DeleteSnapshot", + 200 โ”‚  ] + 201 โ”‚  + 202 โ”‚  condition { + 203 โ”‚  test = "StringLike" + 204 โ”‚  variable = "aws:ResourceTag/KubernetesCluster" + 205 โ”‚  values = [var.deploy_id] + 206 โ”‚  } + 207 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the 
exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #6 HIGH IAM policy document uses sensitive action 'ec2:CreateSnapshot' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/eks/iam.tf Line 247 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 244 โ”‚  statement { + 245 โ”‚  + 246 โ”‚  effect = "Allow" + 247 โ”‚  resources = ["*"] + 248 โ”‚  + 249 โ”‚  actions = [ + 250 โ”‚  "ec2:CreateSnapshot", + 251 โ”‚  "ec2:CreateTags", + 252 โ”‚  "ec2:DeleteSnapshot", + 253 โ”‚  "ec2:DeleteTags", + 254 โ”‚  "ec2:DescribeAvailabilityZones", + 255 โ”‚  "ec2:DescribeSnapshots", + 256 โ”‚  "ec2:DescribeTags", + 257 โ”‚  ] + 258 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they 
should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #7 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/eks/iam.tf Line 34 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 31 โ”‚  statement { + 32 โ”‚  + 33 โ”‚  effect = "Allow" + 34 โ”‚  resources = ["*"] + 35 โ”‚  + 36 โ”‚  actions = [ + 37 โ”‚  "s3:ListBucket", + 38 โ”‚  "s3:GetBucketLocation", + 39 โ”‚  "s3:ListBucketMultipartUploads", + 40 โ”‚  ] + 41 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. 
+ + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Results #8-11 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'arn:aws:s3:::' (4 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/eks/iam.tf Lines 47-52 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 47 โ”‚  resources = [ + 48 โ”‚  "arn:aws:s3:::${var.deploy_id}-blobs*", + 49 โ”‚  "arn:aws:s3:::${var.deploy_id}-logs*", + 50 โ”‚  "arn:aws:s3:::${var.deploy_id}-backups*", + 51 โ”‚  "arn:aws:s3:::${var.deploy_id}-registry*", + 52 โ”‚  ] +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/main.tf:74-89 (module.eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/main.tf:74-89 (module.eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/main.tf:74-89 (module.eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/main.tf:74-89 (module.eks) 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #12 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/eks/iam.tf Line 87 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 84 โ”‚  statement { + 85 โ”‚  + 86 โ”‚  effect = "Allow" + 87 โ”‚  resources = ["*"] + 88 โ”‚  + 89 โ”‚  actions = [ + 90 โ”‚  "autoscaling:DescribeAutoScalingInstances", + 91 โ”‚  "autoscaling:SetDesiredCapacity", + 92 โ”‚  "autoscaling:TerminateInstanceInAutoScalingGroup", + 93 โ”‚  ] + 94 โ”‚  + 95 โ”‚  condition { + 96 โ”‚  test = "StringEquals" + 97 โ”‚  variable = "autoscaling:ResourceTag/eks:cluster-name" + 98 โ”‚  
values = [var.deploy_id] + 99 โ”‚  } + 100 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #13 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #14 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #15 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #16 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #17 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #18 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #19 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #20 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #21 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #22 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #23 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #24 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #25 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #26 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #27 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #28 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #29 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #30 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #31 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #32 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #33 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #34 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #35 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #36 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #37 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #38 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #39 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #40 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #41 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #42 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #43 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #44 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #45 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #46 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #47 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #48 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #49 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #50 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #51 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #52 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #53 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #54 LOW Bucket does not have a corresponding public access block.  
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #55 LOW Bucket does not have a corresponding public access block.  
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #56 LOW Bucket does not have a corresponding public access block.  
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #57 LOW Bucket does not have a corresponding public access block.  
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  
2.427674ms + parsing  67.362509ms + adaptation  3.439651ms + checks  17.628036ms + total  90.85787ms + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  6 + blocks processed  188 + files read  33 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  78 + ignored  0 + critical  0 + high  42 + medium  10 + low  5 + + 78 passed, 57 potential problem(s) detected. + + +Results #1-2 HIGH IAM policy document uses sensitive action 'ec2:CreateTags' on wildcarded resource 'arn:aws:ec2:*:*:volume/*' (2 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/eks/iam.tf Lines 149-152 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 149 โ”‚  resources = [ + 150 โ”‚  "arn:aws:ec2:*:*:volume/*", + 151 โ”‚  "arn:aws:ec2:*:*:snapshot/*", + 152 โ”‚  ] +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/example/main.tf:1-16 (module.domino_eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/example/main.tf:1-16 (module.domino_eks) 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Results #3-4 HIGH IAM policy document uses sensitive action 'ec2:DeleteTags' on wildcarded resource 'arn:aws:ec2:*:*:volume/*' (2 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/eks/iam.tf Lines 171-174 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 171 โ”‚  resources = [ + 172 โ”‚  "arn:aws:ec2:*:*:volume/*", + 173 โ”‚  "arn:aws:ec2:*:*:snapshot/*", + 174 โ”‚  ] +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - 
/Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/example/main.tf:1-16 (module.domino_eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/example/main.tf:1-16 (module.domino_eks) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #5 HIGH IAM policy document uses sensitive action 'ec2:DeleteVolume' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/eks/iam.tf Line 195 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 192 โ”‚  statement { + 193 โ”‚  + 194 โ”‚  effect = "Allow" + 195 โ”‚  resources = ["*"] + 196 โ”‚  + 197 โ”‚  actions = [ + 198 โ”‚  "ec2:DeleteVolume", + 199 โ”‚  "ec2:DeleteSnapshot", + 200 โ”‚  ] + 201 โ”‚  + 202 โ”‚  condition { + 203 
โ”‚  test = "StringLike" + 204 โ”‚  variable = "aws:ResourceTag/KubernetesCluster" + 205 โ”‚  values = [var.deploy_id] + 206 โ”‚  } + 207 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #6 HIGH IAM policy document uses sensitive action 'ec2:CreateSnapshot' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/eks/iam.tf Line 247 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 244 โ”‚  statement { + 245 โ”‚  + 246 โ”‚  effect = "Allow" + 247 โ”‚  resources = ["*"] + 248 โ”‚  + 249 โ”‚  actions = [ + 250 โ”‚  "ec2:CreateSnapshot", + 251 โ”‚  "ec2:CreateTags", + 252 โ”‚  "ec2:DeleteSnapshot", + 253 โ”‚  "ec2:DeleteTags", + 254 โ”‚  "ec2:DescribeAvailabilityZones", + 
255 โ”‚  "ec2:DescribeSnapshots", + 256 โ”‚  "ec2:DescribeTags", + 257 โ”‚  ] + 258 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #7 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/eks/iam.tf Line 34 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 31 โ”‚  statement { + 32 โ”‚  + 33 โ”‚  effect = "Allow" + 34 โ”‚  resources = ["*"] + 35 โ”‚  + 36 โ”‚  actions = [ + 37 โ”‚  "s3:ListBucket", + 38 โ”‚  "s3:GetBucketLocation", + 39 โ”‚  "s3:ListBucketMultipartUploads", + 40 โ”‚  ] + 41 โ”‚  } 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Results #8-11 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'arn:aws:s3:::' (4 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/eks/iam.tf Lines 47-52 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 47 โ”‚  resources = [ + 48 โ”‚  "arn:aws:s3:::${var.deploy_id}-blobs*", + 49 โ”‚  "arn:aws:s3:::${var.deploy_id}-logs*", + 50 โ”‚  "arn:aws:s3:::${var.deploy_id}-backups*", + 51 โ”‚  "arn:aws:s3:::${var.deploy_id}-registry*", + 52 โ”‚  ] 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/example/main.tf:1-16 (module.domino_eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/example/main.tf:1-16 (module.domino_eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/example/main.tf:1-16 (module.domino_eks) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/example/main.tf:1-16 (module.domino_eks) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. 
+ + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #12 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/eks/iam.tf Line 87 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 84 โ”‚  statement { + 85 โ”‚  + 86 โ”‚  effect = "Allow" + 87 โ”‚  resources = ["*"] + 88 โ”‚  + 89 โ”‚  actions = [ + 90 โ”‚  "autoscaling:DescribeAutoScalingInstances", + 91 โ”‚  "autoscaling:SetDesiredCapacity", + 92 โ”‚  "autoscaling:TerminateInstanceInAutoScalingGroup", + 93 โ”‚  ] + 94 โ”‚  + 95 โ”‚  condition { + 96 โ”‚  test = "StringEquals" + 97 โ”‚  variable = "autoscaling:ResourceTag/eks:cluster-name" + 98 โ”‚  values = [var.deploy_id] + 99 โ”‚  } + 100 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which 
resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #13 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - 
https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #14 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #15 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #16 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #17 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #18 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #19 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #20 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #21 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #22 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #23 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #24 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #25 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #26 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #27 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #28 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #29 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #30 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #31 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #32 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #33 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #34 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #35 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #36 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #37 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #38 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #39 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #40 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #41 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #42 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #43 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #44 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #45 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #46 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #47 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #48 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #49 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #50 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #51 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #52 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #53 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #54 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #55 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #56 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #57 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + ../submodules/storage/main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  3.539778ms + parsing  142.938486ms + adaptation  3.508176ms + checks  15.017841ms + total  165.004281ms + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  8 + blocks processed  215 + files read  41 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  98 + ignored  0 + critical  0 + high  42 + medium  10 + low  5 + + 98 passed, 57 potential problem(s) detected. + + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  257.752ยตs + parsing  1.954257ms + adaptation  250.256ยตs + checks  12.378276ms + total  14.840541ms + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  1 + blocks processed  25 + files read  4 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  9 + ignored  0 + critical  0 + high  0 + medium  0 + low  0 + + +No problems detected! 
+ + +Results #1-2 HIGH IAM policy document uses sensitive action 'ec2:CreateTags' on wildcarded resource 'arn:aws:ec2:*:*:volume/*' (2 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + iam.tf Lines 149-152 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 149 โ”‚  resources = [ + 150 โ”‚  "arn:aws:ec2:*:*:volume/*", + 151 โ”‚  "arn:aws:ec2:*:*:snapshot/*", + 152 โ”‚  ] +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/submodules/eks/iam.tf:109-208 (data.aws_iam_policy_document.ebs_csi) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/submodules/eks/iam.tf:109-208 (data.aws_iam_policy_document.ebs_csi) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. 
+ + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Results #3-4 HIGH IAM policy document uses sensitive action 'ec2:DeleteTags' on wildcarded resource 'arn:aws:ec2:*:*:volume/*' (2 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + iam.tf Lines 171-174 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 171 โ”‚  resources = [ + 172 โ”‚  "arn:aws:ec2:*:*:volume/*", + 173 โ”‚  "arn:aws:ec2:*:*:snapshot/*", + 174 โ”‚  ] +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/submodules/eks/iam.tf:109-208 (data.aws_iam_policy_document.ebs_csi) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/submodules/eks/iam.tf:109-208 (data.aws_iam_policy_document.ebs_csi) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID 
aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #5 HIGH IAM policy document uses sensitive action 'ec2:DeleteVolume' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + iam.tf Line 195 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 192 โ”‚  statement { + 193 โ”‚  + 194 โ”‚  effect = "Allow" + 195 โ”‚  resources = ["*"] + 196 โ”‚  + 197 โ”‚  actions = [ + 198 โ”‚  "ec2:DeleteVolume", + 199 โ”‚  "ec2:DeleteSnapshot", + 200 โ”‚  ] + 201 โ”‚  + 202 โ”‚  condition { + 203 โ”‚  test = "StringLike" + 204 โ”‚  variable = "aws:ResourceTag/KubernetesCluster" + 205 โ”‚  values = [var.deploy_id] + 206 โ”‚  } + 207 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant 
access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #6 HIGH IAM policy document uses sensitive action 'ec2:CreateSnapshot' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + iam.tf Line 247 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 244 โ”‚  statement { + 245 โ”‚  + 246 โ”‚  effect = "Allow" + 247 โ”‚  resources = ["*"] + 248 โ”‚  + 249 โ”‚  actions = [ + 250 โ”‚  "ec2:CreateSnapshot", + 251 โ”‚  "ec2:CreateTags", + 252 โ”‚  "ec2:DeleteSnapshot", + 253 โ”‚  "ec2:DeleteTags", + 254 โ”‚  "ec2:DescribeAvailabilityZones", + 255 โ”‚  "ec2:DescribeSnapshots", + 256 โ”‚  "ec2:DescribeTags", + 257 โ”‚  ] + 258 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions 
required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #7 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + iam.tf Line 34 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 31 โ”‚  statement { + 32 โ”‚  + 33 โ”‚  effect = "Allow" + 34 โ”‚  resources = ["*"] + 35 โ”‚  + 36 โ”‚  actions = [ + 37 โ”‚  "s3:ListBucket", + 38 โ”‚  "s3:GetBucketLocation", + 39 โ”‚  "s3:ListBucketMultipartUploads", + 40 โ”‚  ] + 41 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. 
+ + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Results #8-11 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'arn:aws:s3:::' (4 similar results) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + iam.tf Lines 47-52 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 47 โ”‚  resources = [ + 48 โ”‚  "arn:aws:s3:::${var.deploy_id}-blobs*", + 49 โ”‚  "arn:aws:s3:::${var.deploy_id}-logs*", + 50 โ”‚  "arn:aws:s3:::${var.deploy_id}-backups*", + 51 โ”‚  "arn:aws:s3:::${var.deploy_id}-registry*", + 52 โ”‚  ] +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + Individual Causes + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/submodules/eks/iam.tf:30-62 (data.aws_iam_policy_document.s3) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/submodules/eks/iam.tf:30-62 (data.aws_iam_policy_document.s3) + - /Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/submodules/eks/iam.tf:30-62 (data.aws_iam_policy_document.s3) + - 
/Users/miguel.harmant/src/dominodatalab/terraform-aws-eks/submodules/eks/iam.tf:30-62 (data.aws_iam_policy_document.s3) +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #12 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*'  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + iam.tf Line 87 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 84 โ”‚  statement { + 85 โ”‚  + 86 โ”‚  effect = "Allow" + 87 โ”‚  resources = ["*"] + 88 โ”‚  + 89 โ”‚  actions = [ + 90 โ”‚  "autoscaling:DescribeAutoScalingInstances", + 91 โ”‚  "autoscaling:SetDesiredCapacity", + 92 โ”‚  "autoscaling:TerminateInstanceInAutoScalingGroup", + 93 โ”‚  ] + 94 โ”‚  + 95 โ”‚  condition { + 96 
โ”‚  test = "StringEquals" + 97 โ”‚  variable = "autoscaling:ResourceTag/eks:cluster-name" + 98 โ”‚  values = [var.deploy_id] + 99 โ”‚  } + 100 โ”‚  } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-iam-no-policy-wildcards +  Impact Overly permissive policies may grant access to sensitive resources + Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/iam/no-policy-wildcards/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  613.791ยตs + parsing  19.144145ms + adaptation  816.404ยตs + checks  15.066847ms + total  35.641187ms + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  1 + blocks processed  66 + files read  8 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  68 + ignored  0 + critical  0 + high  12 + medium  0 + low  0 + + 68 passed, 12 potential problem(s) detected. 
+ + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  253.601ยตs + parsing  4.323863ms + adaptation  162.778ยตs + checks  12.516196ms + total  17.256438ms + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  1 + blocks processed  27 + files read  4 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  0 + ignored  0 + critical  0 + high  0 + medium  0 + low  0 + + +No problems detected! + + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  0s + parsing  0s + adaptation  0s + checks  0s + total  0s + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  0 + blocks processed  0 + files read  0 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  0 + ignored  0 + critical  0 + high  0 + medium  0 + low  0 + + +No problems detected! 
+ + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  465.765ยตs + parsing  1.754874ms + adaptation  200.557ยตs + checks  13.614491ms + total  16.035687ms + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  1 + blocks processed  26 + files read  9 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  0 + ignored  0 + critical  0 + high  0 + medium  0 + low  0 + + +No problems detected! + + +Result #1 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs 
specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #2 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - 
https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #3 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #4 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #5 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #6 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #7 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #8 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #9 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #10 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #11 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #12 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #13 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #14 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #15 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #16 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #17 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #18 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #19 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #20 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #21 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #22 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #23 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #24 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #25 HIGH No public access block so not blocking public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable blocking any PUT calls with a public ACL specified + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #26 HIGH No public access block so not blocking public policies  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-block-public-policy +  Impact Users could put a policy that allows public access + Resolution Prevent policies that allow public access being PUT + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/block-public-policy/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #27 HIGH Bucket does not have encryption enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-encryption +  Impact The bucket objects could be read if compromised + Resolution Configure bucket encryption + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-encryption/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #28 HIGH No public access block so not ignoring public acls  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-ignore-public-acls +  Impact PUT calls with public ACLs specified can make objects public + Resolution Enable ignoring the application of public ACLs in PUT calls + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/ignore-public-acls/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #29 HIGH No public access block so not restricting public buckets  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-no-public-buckets +  Impact Public buckets can be accessed by anyone + Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront) + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/no-public-buckets/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_bucketsยก 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #30 HIGH Bucket does not encrypt data with a customer managed key.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-encryption-customer-key +  Impact Using AWS managed keys does not allow for fine grained control + Resolution Enable encryption using customer managed keys + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/encryption-customer-key/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #31 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #32 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #33 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #34 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #35 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #36 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #37 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #38 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #39 MEDIUM Bucket does not have logging enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-bucket-logging +  Impact There is no way to determine the access to this bucket + Resolution Add a logging block to the resource to enable access logging + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-bucket-logging/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #40 MEDIUM Bucket does not have versioning enabled  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-enable-versioning +  Impact Deleted or modified data would not be recoverable + Resolution Enable versioning to protect against accidental/malicious removal or modification + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/enable-versioning/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #41 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 148-160 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 148 โ”‚ resource "aws_s3_bucket" "blobs" { + 149 โ”‚  bucket = "${var.deploy_id}-blobs" + 150 โ”‚  force_destroy = "false" + 151 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 152 โ”‚  object_lock_enabled = "false" + 153 โ”‚  tags = var.tags + 154 โ”‚  + 155 โ”‚  lifecycle { + 156 โ”‚  ignore_changes = [ + 157 โ”‚  hosted_zone_id, + 158 โ”‚  ] + 159 โ”‚  } + 160 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #42 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 223-235 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 223 โ”‚ resource "aws_s3_bucket" "logs" { + 224 โ”‚  bucket = "${var.deploy_id}-logs" + 225 โ”‚  force_destroy = "false" + 226 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 227 โ”‚  object_lock_enabled = "false" + 228 โ”‚  tags = var.tags + 229 โ”‚  + 230 โ”‚  lifecycle { + 231 โ”‚  ignore_changes = [ + 232 โ”‚  hosted_zone_id, + 233 โ”‚  ] + 234 โ”‚  } + 235 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #43 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 313-325 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 313 โ”‚ resource "aws_s3_bucket" "monitoring" { + 314 โ”‚  bucket = "${var.deploy_id}-monitoring" + 315 โ”‚  force_destroy = "true" + 316 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 317 โ”‚  object_lock_enabled = "false" + 318 โ”‚  tags = var.tags + 319 โ”‚  + 320 โ”‚  lifecycle { + 321 โ”‚  ignore_changes = [ + 322 โ”‚  hosted_zone_id, + 323 โ”‚  ] + 324 โ”‚  } + 325 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #44 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 421-434 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 421 โ”‚ resource "aws_s3_bucket" "registry" { + 422 โ”‚  arn = "arn:aws:s3:::${var.deploy_id}-registry" + 423 โ”‚  bucket = "${var.deploy_id}-registry" + 424 โ”‚  force_destroy = "false" + 425 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 426 โ”‚  object_lock_enabled = "false" + 427 โ”‚  tags = var.tags + 428 โ”‚  + 429 โ”‚  lifecycle { + 430 โ”‚  ignore_changes = [ + 431 โ”‚  hosted_zone_id, + 432 โ”‚  ] + 433 โ”‚  } + 434 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + +Result #45 LOW Bucket does not have a corresponding public access block.  +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + main.tf Lines 72-84 +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + 72 โ”‚ resource "aws_s3_bucket" "backups" { + 73 โ”‚  bucket = "${var.deploy_id}-backups" + 74 โ”‚  force_destroy = "false" + 75 โ”‚  hosted_zone_id = data.aws_route53_zone.this.zone_id + 76 โ”‚  object_lock_enabled = "false" + 77 โ”‚  tags = var.tags + 78 โ”‚  + 79 โ”‚  lifecycle { + 80 โ”‚  ignore_changes = [ + 81 โ”‚  hosted_zone_id, + 82 โ”‚  ] + 83 โ”‚  } + 84 โ”‚ } +โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ +  ID aws-s3-specify-public-access-block +  Impact Public access policies may be applied to sensitive data buckets + Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies + + More Information + - https://aquasecurity.github.io/tfsec/v1.15.4/checks/aws/s3/specify-public-access-block/ + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
+โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + + + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  329.114ยตs + parsing  5.215424ms + adaptation  492.987ยตs + checks  14.744622ms + total  20.782147ms + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  1 + blocks processed  28 + files read  4 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  6 + ignored  0 + critical  0 + high  30 + medium  10 + low  5 + + 6 passed, 45 potential problem(s) detected. + + timings + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + disk i/o  218.636ยตs + parsing  13.747053ms + adaptation  192.667ยตs + checks  13.256097ms + total  27.414453ms + + counts + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + modules downloaded  0 + modules processed  1 + blocks processed  9 + files read  4 + + results + โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ + passed  0 + ignored  0 + critical  0 + high  0 + medium  0 + low  0 + + +No problems detected! + + diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 00000000..2abbd843 --- /dev/null +++ b/tests/README.md 
@@ -0,0 +1,38 @@ +# example + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.2.0 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [domino\_eks](#module\_domino\_eks) | ../../terraform-aws-eks | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [deploy\_id](#input\_deploy\_id) | Domino Deployment ID. | `string` | `"domino-eks-test"` | no | +| [k8s\_version](#input\_k8s\_version) | EKS cluster k8s version. | `string` | `"1.23"` | no | +| [region](#input\_region) | AWS region for the deployment | `string` | `"us-west-2"` | no | +| [tags](#input\_tags) | Deployment tags. | `map(string)` |
{
"deploy_id": "domino-eks-test",
"deploy_tag": "domino-eks-test",
"deploy_type": "terraform-aws-eks",
"domino-deploy-id": "domino-eks-test"
}
| no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [domino\_eks](#output\_domino\_eks) | EKS module outputs |
+
diff --git a/tests/main.tf b/tests/main.tf
new file mode 100755
index 00000000..2382d77b
--- /dev/null
+++ b/tests/main.tf
@@ -0,0 +1,14 @@
+module "domino_eks" {
+ source = "../../terraform-aws-eks"
+ deploy_id = var.deploy_id
+ region = var.region
+ number_of_azs = 2
+ k8s_version = var.k8s_version
+ route53_hosted_zone_name = "infra-team-sandbox.domino.tech"
+ eks_master_role_names = ["okta-poweruser", "okta-fulladmin"]
+ s3_force_destroy_on_deletion = true
+ create_bastion = true
+ ssh_pvt_key_path = "domino.pem"
+ enable_vpc_endpoints_s3 = false
+ tags = var.tags
+}
diff --git a/tests/outputs.tf b/tests/outputs.tf
new file mode 100644
index 00000000..b14d2084
--- /dev/null
+++ b/tests/outputs.tf
@@ -0,0 +1,4 @@
+output "domino_eks" {
+ description = "EKS module outputs"
+ value = module.domino_eks
+}
diff --git a/tests/variables.tf b/tests/variables.tf
new file mode 100644
index 00000000..2914ea93
--- /dev/null
+++ b/tests/variables.tf
@@ -0,0 +1,30 @@
+variable "deploy_id" {
+ type = string
+ description = "Domino Deployment ID."
+ default = "domino-eks-test"
+}
+
+
+variable "region" {
+ type = string
+ description = "AWS region for the deployment"
+ default = "us-west-2"
+}
+
+
+variable "tags" {
+ type = map(string)
+ description = "Deployment tags."
+ default = {
+ deploy_id = "domino-eks-test"
+ deploy_tag = "domino-eks-test"
+ deploy_type = "terraform-aws-eks"
+ domino-deploy-id = "domino-eks-test"
+ }
+}
+
+variable "k8s_version" {
+ type = string
+ description = "EKS cluster k8s version."
+ default = "1.23"
+}
diff --git a/tests/versions.tf b/tests/versions.tf
new file mode 100644
index 00000000..3e6ba018
--- /dev/null
+++ b/tests/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 1.2.0"
+}
diff --git a/variables.tf b/variables.tf
new file mode 100755
index 00000000..70aae17b
--- /dev/null
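Review bot: `source = "../../terraform-aws-eks"` in tests/main.tf resolves to a directory beside the repository root that happens to share the default clone name, so the fixture breaks as soon as the repo is checked out under another name or path; `source = "../"` reaches this module from `tests/` without that assumption. The `route53_hosted_zone_name` and `eks_master_role_names` lines hardcode an account-specific zone and two IAM role names while `deploy_id`, `region` and `k8s_version` go through variables; lifting those two into `tests/variables.tf` with the same defaults keeps the fixture runnable from another account and makes it visible in one place that the named roles are the ones the module adds as EKS masters. `ssh_pvt_key_path = "domino.pem"` is resolved relative to the working directory, and the module's `fileexists` validation in variables.tf will reject it unless `terraform` is invoked from inside `tests/`; `"${path.module}/domino.pem"` removes that dependency on the caller's cwd.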
+++ b/variables.tf 
@@ -0,0 +1,236 @@ +variable "deploy_id" { + type = string + description = "Domino Deployment ID." + default = "domino-eks" + nullable = false + + validation { + condition = length(var.deploy_id) >= 3 && length(var.deploy_id) <= 32 && can(regex("^[a-z]([-a-z0-9]*[a-z0-9])$", var.deploy_id)) + error_message = <= 2 + error_message = "EKS deployment needs at least 2 zones." + } +} + +variable "availability_zones" { + type = list(string) + description = <= 2 + error_message = "EKS deployment needs at least 2 zones." + } + default = [] +} + +variable "route53_hosted_zone_name" { + type = string + description = "AWS Route53 Hosted zone." +} + +variable "tags" { + type = map(string) + description = "Deployment tags." + default = {} +} + +variable "k8s_version" { + type = string + description = "EKS cluster k8s version." + default = "1.23" +} + +variable "public_cidr_network_bits" { + type = number + description = "Number of network bits to allocate to the public subnet. i.e /27 -> 32 IPs." + default = 27 +} + +variable "private_cidr_network_bits" { + type = number + description = "Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs." + default = 19 +} + +variable "default_node_groups" { + type = object({ + compute = object({ + name = string + ami = optional(string) + instance_type = string + min_per_az = number + max_per_az = number + desired_per_az = number + volume = object({ + size = string + type = string + }) + }), + platform = object({ + name = string + ami = optional(string) + instance_type = string + min_per_az = number + max_per_az = number + desired_per_az = number + volume = object({ + size = string + type = string + }) + }), + gpu = object({ + name = string + ami = optional(string) + instance_type = string + min_per_az = number + max_per_az = number + desired_per_az = number + volume = object({ + size = string + type = string + }) + }) + }) + description = "EKS managed node groups definition." 
+ default = {
+ "compute" = {
+ name = "compute"
+ instance_type = "m5.2xlarge"
+ min_per_az = 0
+ max_per_az = 10
+ desired_per_az = 1
+ volume = {
+ size = "100"
+ type = "gp3"
+ }
+ },
+ "platform" = {
+ name = "platform"
+ instance_type = "m5.4xlarge"
+ min_per_az = 0
+ max_per_az = 10
+ desired_per_az = 1
+ volume = {
+ size = "100"
+ type = "gp3"
+ }
+ },
+ "gpu" = {
+ name = "gpu"
+ instance_type = "g4dn.xlarge"
+ min_per_az = 0
+ max_per_az = 10
+ desired_per_az = 0
+ volume = {
+ size = "100"
+ type = "gp3"
+ }
+ }
+ }
+}
+
+variable "additional_node_groups" {
+ description = "Additional EKS managed node groups definition."
+ type = map(object({
+ ami = optional(string)
+ name = string
+ instance_type = string
+ min_per_az = number
+ max_per_az = number
+ desired_per_az = number
+ label = string
+ volume = object({
+ size = string
+ type = string
+ })
+ }))
+ default = {}
+}
+
+variable "base_cidr_block" {
+ type = string
+ default = "10.0.0.0/16"
+ description = "CIDR block to serve the main private and public subnets."
+ validation {
+ condition = (
+ try(cidrhost(var.base_cidr_block, 0), null) == regex("^(.*)/", var.base_cidr_block)[0] &&
+ try(cidrnetmask(var.base_cidr_block), null) == "255.255.0.0"
+ )
+ error_message = "Argument base_cidr_block must be a valid CIDR block."
+ }
+}
+
+variable "eks_master_role_names" {
+ type = list(string)
+ description = "IAM role names to be added as masters in eks."
+ default = []
+}
+
+variable "vpc_id" {
+ type = string
+ description = "VPC ID for bringing your own vpc, will bypass creation of such."
+ default = ""
+}
+
+variable "create_bastion" {
+ type = bool
+ description = "Create bastion toggle."
+ default = false
+}
+
+variable "bastion_ami_id" {
+ description = "AMI ID for the bastion EC2 instance, otherwise we will use the latest 'amazon_linux_2' ami"
+ type = string
+ default = ""
+}
+
+variable "efs_access_point_path" {
+ type = string
+ description = "Filesystem path for efs."
+ default = "/domino"
+
+}
+
+variable "ssh_pvt_key_path" {
+ type = string
+ description = "SSH private key filepath."
+ validation {
+ condition = fileexists(var.ssh_pvt_key_path)
+ error_message = "Private key does not exist. Please provide the right path or generate a key with the following command: ssh-keygen -q -P '' -t rsa -b 4096 -m PEM -f domino.pem"
+ }
+}
+
+variable "s3_force_destroy_on_deletion" {
+ description = "Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets"
+ type = bool
+ default = false
+}
+
+variable "enable_vpc_endpoints_s3" {
+ description = "Enable VPC endpoints for S3 service. This is intented for mission critical, highly available deployments"
+ type = bool
+ default = false
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 00000000..afbcdd4e
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,30 @@
+terraform {
+ experiments = [module_variable_optional_attrs]
+ required_version = ">= 1.2.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = ">= 2.2.0"
+ }
+ tls = {
+ source = "hashicorp/tls"
+ version = ">= 3.4.0"
+ }
+
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.1.1"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+ default_tags {
+ tags = var.tags
+ }
+}
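Review bot: The `base_cidr_block` validation in variables.tf only accepts a /16 (`cidrnetmask(...) == "255.255.0.0"`), but its message says just `must be a valid CIDR block`, so a caller passing a perfectly valid /20 is told their CIDR is malformed; change it to `error_message = "Argument base_cidr_block must be a valid /16 CIDR block (e.g. 10.0.0.0/16)."`. The `ssh_pvt_key_path` message prescribes `ssh-keygen -q -P ''`, i.e. a passphrase-less key written into the working tree; since that key is what the bastion trusts, the description should say it must stay out of version control (the `.gitignore` entry for `domino.pem` covers the default name only) and that a passphrase is recommended. `s3_force_destroy_on_deletion` and `enable_vpc_endpoints_s3` carry the typos `Toogle` and `intented` in descriptions that terraform-docs copies into the README. The heredoc descriptions and validations earlier in this hunk (`deploy_id`, `number_of_azs`, `availability_zones`) appear truncated in this view, so those conditions are not reviewed here.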
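Review bot: The `provider "aws"` block at the end of versions.tf configures a provider inside a module that tests/main.tf consumes as a child (`module "domino_eks"`), which Terraform documents as a legacy pattern: such a module cannot be used with `count`, `for_each` or `depends_on`, and removing the module block later leaves its resources with no provider configuration to destroy them. Keep only `required_providers` here and move the provider configuration (region and `default_tags`) to the root, e.g. tests/main.tf, so the module inherits it. `experiments = [module_variable_optional_attrs]` is paired with `required_version = ">= 1.2.0"` and no upper bound; the experiment concluded in Terraform 1.3, where keeping it declared is an error, so either bound the version (`required_version = ">= 1.2.0, < 1.3.0"`) or add a comment that the `optional()` attributes need migrating before the bound is lifted.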