
Update main.tf #6

Open: wants to merge 13 commits into base: tfsec-test

Conversation

Tanveer143s
Owner

what

  • Describe high-level what changed as a result of these commits (i.e. in plain English, what do these changes mean?)
  • Use bullet points to be concise and to the point.

why

  • Provide the justifications for the changes (e.g. business case).
  • Describe why these changes were made (e.g. why do these commits fix the problem?)
  • Use bullet points to be concise and to the point.

references

  • Link to any supporting Jira issues or helpful documentation to add some context (e.g. Stack Overflow).
  • Use closes #123, if this PR closes a Jira issue #123

Code scanning / defsec annotations on main.tf, lines +17 to +26:

    resource "aws_s3_bucket" "s3_default" {
      count = var.enabled == true ? 1 : 0

      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
      bucket_prefix       = var.bucket_prefix
      force_destroy       = var.force_destroy
      object_lock_enabled = var.object_lock_enabled
      tags                = module.labels.tags

    }

  • Check failure: Unencrypted S3 bucket. (Bucket does not have encryption enabled)
  • Check warning: S3 Bucket does not have logging enabled. (Bucket does not have logging enabled)
  • Check warning: S3 Data should be versioned (Bucket does not have versioning enabled)
  • Check failure: S3 encryption should use Customer Managed Keys (Bucket does not encrypt data with a customer managed key.)
@Tanveer143s
Owner Author

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Public access block does not block public ACLs 
────────────────────────────────────────────────────────────────────────────────
  main.tf:569
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569  [   block_public_acls       = var.block_public_acls (false)
  570      block_public_policy     = var.block_public_policy
  571      ignore_public_acls      = var.ignore_public_acls
  572      restrict_public_buckets = var.restrict_public_buckets
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-block-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable blocking any PUT calls with a public ACL specified

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #4 HIGH Public access block does not block public policies 
────────────────────────────────────────────────────────────────────────────────
  main.tf:570
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570  [   block_public_policy     = var.block_public_policy (false)
  571      ignore_public_acls      = var.ignore_public_acls
  572      restrict_public_buckets = var.restrict_public_buckets
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-block-public-policy
      Impact Users could put a policy that allows public access
  Resolution Prevent policies that allow public access being PUT

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────


Result #5 HIGH Public access block does not ignore public ACLs 
────────────────────────────────────────────────────────────────────────────────
  main.tf:571
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570      block_public_policy     = var.block_public_policy
  571  [   ignore_public_acls      = var.ignore_public_acls (false)
  572      restrict_public_buckets = var.restrict_public_buckets
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH Public access block does not restrict public buckets 
────────────────────────────────────────────────────────────────────────────────
  main.tf:572
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570      block_public_policy     = var.block_public_policy
  571      ignore_public_acls      = var.ignore_public_acls
  572  [   restrict_public_buckets = var.restrict_public_buckets (false)
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets
────────────────────────────────────────────────────────────────────────────────


Result #7 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #8 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             204.601µs
  parsing              95.053511ms
  adaptation           718.202µs
  checks               9.640532ms
  total                105.616846ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     94
  files read           7

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 6
  medium               2
  low                  0

  2 passed, 8 potential problem(s) detected.

@Tanveer143s
Owner Author

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Public access block does not block public policies 
────────────────────────────────────────────────────────────────────────────────
  main.tf:570
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570  [   block_public_policy     = var.block_public_policy (false)
  571      ignore_public_acls      = var.ignore_public_acls
  572      restrict_public_buckets = var.restrict_public_buckets
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-block-public-policy
      Impact Users could put a policy that allows public access
  Resolution Prevent policies that allow public access being PUT

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────


Result #4 HIGH Public access block does not ignore public ACLs 
────────────────────────────────────────────────────────────────────────────────
  main.tf:571
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570      block_public_policy     = var.block_public_policy
  571  [   ignore_public_acls      = var.ignore_public_acls (false)
  572      restrict_public_buckets = var.restrict_public_buckets
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-ignore-public-acls
      Impact PUT calls with public ACLs specified can make objects public
  Resolution Enable ignoring the application of public ACLs in PUT calls

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────


Result #5 HIGH Public access block does not restrict public buckets 
────────────────────────────────────────────────────────────────────────────────
  main.tf:572
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570      block_public_policy     = var.block_public_policy
  571      ignore_public_acls      = var.ignore_public_acls
  572  [   restrict_public_buckets = var.restrict_public_buckets (false)
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets
────────────────────────────────────────────────────────────────────────────────


Result #6 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #7 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             230.704µs
  parsing              90.860802ms
  adaptation           1.070016ms
  checks               14.389304ms
  total                106.550826ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     103
  files read           7

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             0
  high                 5
  medium               2
  low                  0

  3 passed, 7 potential problem(s) detected.

@Tanveer143s
Owner Author

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH Public access block does not restrict public buckets 
────────────────────────────────────────────────────────────────────────────────
  main.tf:572
────────────────────────────────────────────────────────────────────────────────
  564    resource "aws_s3_bucket_public_access_block" "this" {
  565      count = var.enabled && var.attach_public_policy ? 1 : 0
  566    
  567      bucket = local.attach_policy ? aws_s3_bucket_policy.s3_default[0].id : aws_s3_bucket.s3_default[0].id
  568    
  569      block_public_acls       = var.block_public_acls
  570      block_public_policy     = var.block_public_policy
  571      ignore_public_acls      = var.ignore_public_acls
  572  [   restrict_public_buckets = var.restrict_public_buckets (false)
  573    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-no-public-buckets
      Impact Public buckets can be accessed by anyone
  Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #5 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             258.913µs
  parsing              71.61324ms
  adaptation           803.346µs
  checks               18.62085ms
  total                91.296349ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     103
  files read           7

  results
  ──────────────────────────────────────────
  passed               5
  ignored              0
  critical             0
  high                 3
  medium               2
  low                  0

  5 passed, 5 potential problem(s) detected.

@Tanveer143s
Owner Author

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             205.602µs
  parsing              88.694499ms
  adaptation           768.61µs
  checks               8.860909ms
  total                98.52962ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     103
  files read           7

  results
  ──────────────────────────────────────────
  passed               6
  ignored              0
  critical             0
  high                 2
  medium               2
  low                  0

  6 passed, 4 potential problem(s) detected.

@Tanveer143s
Owner Author

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             203.496µs
  parsing              104.425979ms
  adaptation           735.588µs
  checks               7.30048ms
  total                112.665543ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     103
  files read           7

  results
  ──────────────────────────────────────────
  passed               6
  ignored              0
  critical             0
  high                 2
  medium               2
  low                  0

  6 passed, 4 potential problem(s) detected.

@Tanveer143s
Owner Author

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             188.002µs
  parsing              96.393874ms
  adaptation           654.604µs
  checks               7.319236ms
  total                104.555716ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     103
  files read           7

  results
  ──────────────────────────────────────────
  passed               6
  ignored              0
  critical             0
  high                 2
  medium               2
  low                  0

  6 passed, 4 potential problem(s) detected.

@Tanveer143s
Owner Author

Terraform Security Scan Failed

Result #1 HIGH Bucket does not have encryption enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-encryption
      Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Bucket does not encrypt data with a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-encryption-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Enable encryption using customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #4 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  main.tf:17-26
────────────────────────────────────────────────────────────────────────────────
   17    resource "aws_s3_bucket" "s3_default" {
   18      count = var.enabled == true ? 1 : 0
   19    
   20      bucket              = var.s3_name != null ? var.s3_name : module.labels.id
   21      bucket_prefix       = var.bucket_prefix
   22      force_destroy       = var.force_destroy
   23      object_lock_enabled = var.object_lock_enabled
   24      tags                = module.labels.tags
   25    
   26    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             287.6µs
  parsing              146.918764ms
  adaptation           990.3µs
  checks               18.936408ms
  total                167.133072ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     103
  files read           7

  results
  ──────────────────────────────────────────
  passed               6
  ignored              0
  critical             0
  high                 2
  medium               2
  low                  0

  6 passed, 4 potential problem(s) detected.
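All four findings above point at the same `aws_s3_bucket.s3_default` resource. The following Terraform is an added example, not code from this PR, showing the AWS provider v4+ way to clear each finding with the companion resources (customer-managed KMS key for default encryption, versioning, and access logging). It assumes a `var.log_bucket_id` variable naming an existing log-destination bucket; the other variables and `module.labels` are the ones already used in `main.tf`.

```hcl
# Existing resource from main.tf, unchanged: the bucket itself carries no
# encryption, versioning or logging settings in provider v4+.
resource "aws_s3_bucket" "s3_default" {
  count = var.enabled == true ? 1 : 0

  bucket              = var.s3_name != null ? var.s3_name : module.labels.id
  bucket_prefix       = var.bucket_prefix
  force_destroy       = var.force_destroy
  object_lock_enabled = var.object_lock_enabled
  tags                = module.labels.tags
}

# Customer-managed key so the bucket does not fall back to the AWS-managed
# aws/s3 key (clears aws-s3-encryption-customer-key). Rotation keeps the
# key material fresh without changing the key ARN referenced below.
resource "aws_kms_key" "s3_default" {
  count = var.enabled == true ? 1 : 0

  description             = "CMK for default encryption of ${module.labels.id}"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  tags                    = module.labels.tags
}

# Default server-side encryption with the CMK
# (clears aws-s3-enable-bucket-encryption).
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_default" {
  count  = var.enabled == true ? 1 : 0
  bucket = aws_s3_bucket.s3_default[0].id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3_default[0].arn
    }
    # Bucket keys cut KMS request volume and cost for high-throughput buckets.
    bucket_key_enabled = true
  }
}

# Versioning (clears aws-s3-enable-versioning). Note that S3 Object Lock,
# which main.tf exposes via object_lock_enabled, requires versioning anyway.
resource "aws_s3_bucket_versioning" "s3_default" {
  count  = var.enabled == true ? 1 : 0
  bucket = aws_s3_bucket.s3_default[0].id

  versioning_configuration {
    status = "Enabled"
  }
}

# Server access logging to a separate bucket (clears aws-s3-enable-bucket-logging).
# var.log_bucket_id is an assumed input: the target must be a different bucket
# in the same region, or the logs would be written into the bucket they describe.
resource "aws_s3_bucket_logging" "s3_default" {
  count  = var.enabled == true ? 1 : 0
  bucket = aws_s3_bucket.s3_default[0].id

  target_bucket = var.log_bucket_id
  target_prefix = "s3-access/${aws_s3_bucket.s3_default[0].id}/"
}
```

Whether the scan recognises these separate resources depends on the tfsec/defsec version in the workflow: older releases only inspected the inline `server_side_encryption_configuration`, `versioning` and `logging` blocks of `aws_s3_bucket` (the `#enable-default-server-side-encryption` and `#versioning` links in the findings point at that older layout), so check the pinned version before treating a persisting finding as a real gap.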
