aquasecurity · nikpivkin · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024 · Jul 26, 2024
@@ -2,10 +2,19 @@
 Use Customer managed key
 
 ```hcl
+resource "aws_kms_key" "trail" {
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "trail" {
+  name          = "alias/trail"
+  target_key_id = aws_kms_key.trail.key_id
+}
+
  resource "aws_cloudtrail" "good_example" {
    is_multi_region_trail = true
    enable_log_file_validation = true
-   kms_key_id = var.kms_id
+   kms_key_id = aws_kms_alias.trail.arn
 
    event_selector {
      read_write_type           = "All"

@@ -2,10 +2,19 @@
 Enable CMK encryption of CloudWatch Log Groups
 
 ```hcl
+resource "aws_kms_key" "cloudwatch" {
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "cloudwatch" {
+  name          = "alias/cloudwatch"
+  target_key_id = aws_kms_key.cloudwatch.key_id
+}
+
  resource "aws_cloudwatch_log_group" "good_example" {
  	name = "good_example"
 
- 	kms_key_id = aws_kms_key.log_key.arn
+ 	kms_key_id = aws_kms_alias.cloudwatch.arn
  }
 
 ```

@@ -14,12 +14,18 @@ Resources:
 ```
 ```yaml---
 Resources:
+  MyKey:
+    Type: 'AWS::KMS::Key'
+    Properties:
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: key-default-1
   GoodExample:
     Type: AWS::EC2::Volume
     Properties: 
       Size: 100
       Encrypted: true
-      KmsKeyId: !ImportValue "MyStack:Key"
+      KmsKeyId: !Ref MyKey 
     DeletionPolicy: Snapshot
 
 ```

@@ -3,6 +3,9 @@ Create a non-default vpc for resources to be created in
 
 ```hcl
  # no aws default vpc present
+resource "aws_vpc" "main" {
+  cidr_block = "10.0.0.0/16"
+}
 
 ```
 

@@ -9,7 +9,7 @@ Resources:
     Type: AWS::EC2::NetworkAcl
     Properties:
       VpcId: "something"
-	  RuleAction: "allow"
+    RuleAction: "allow"
   Rule:
     Type: AWS::EC2::NetworkAclEntry
     Properties:

@@ -9,9 +9,9 @@ Set a more restrictive cidr range
 
 ```
 ```hcl
-resource "aws_security_group_rule" "allow_partner_rsync" {
+resource "aws_security_group_rule" "example" {
   type              = "ingress"
-  security_group_id = aws_security_group.….id
+  security_group_id = "sg-123456"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"

@@ -11,10 +11,10 @@ Resources:
       RoleArn: >-
         arn:aws:iam::012345678910:role/eks-service-role-good-example
       EncryptionConfig:
-        Provider:
-          KeyArn: alias/eks-kms
-        Resources:
-        - secrets
+        - Provider:
+            KeyArn: alias/eks-kms
+          Resources:
+            - secrets
       ResourcesVpcConfig:
         SecurityGroupIds:
           - sg-6979fe18

@@ -2,11 +2,15 @@
 Enable encryption of EKS secrets
 
 ```hcl
+resource "aws_kms_key" "eks" {
+	enable_key_rotation = true
+}
+
  resource "aws_eks_cluster" "good_example" {
      encryption_config {
          resources = [ "secrets" ]
          provider {
-             key_arn = var.kms_arn
+             key_arn = aws_kms_key.eks.arn
          }
      }
 

@@ -5,7 +5,10 @@ Switch to VPC resources
 AWSTemplateFormatVersion: 2010-09-09
 Description: Good example of redshift sgr
 Resources:
-
+  myCluster:
+    Type: "AWS::Redshift::Cluster"
+    Properties:
+      DBName: "mydb"
 
 ```
 

@@ -3,29 +3,17 @@ Add a logging block to the resource to enable access logging
 
 ```yaml---
 Resources:
-  GoodExample:
+  TestBucket:
     Type: AWS::S3::Bucket
     Properties:
       LoggingConfiguration:
-        DestinationBucketName: logging-bucket
+        DestinationBucketName: !Ref TestLoggingBucket
         LogFilePrefix: accesslogs/
 
-```
-```yaml---
-Resources:
-  GoodExample:
+  TestLoggingBucket:
     Type: AWS::S3::Bucket
     Properties:
-      BucketName: !Sub my-s3-bucket-${BucketSuffix}
-      LoggingConfiguration:
-        DestinationBucketName: !FindInMap [EnvironmentMapping, s3, logging]
-        LogFilePrefix: !Sub s3-logs/AWSLogs/${AWS::AccountId}/my-s3-bucket-${BucketSuffix}
-      AccessControl: Private
-      PublicAccessBlockConfiguration:
-        BlockPublicAcls: true
-        BlockPublicPolicy: true
-        IgnorePublicAcls: true
-        RestrictPublicBuckets: true
+      AccessControl: LogDeliveryWrite
 
 ```
 

@@ -2,26 +2,44 @@
 Add a logging block to the resource to enable access logging
 
 ```hcl
-resource "aws_s3_bucket" "good_example" {
+resource "aws_s3_bucket" "this" {
+	bucket = "test-bucket"
 	logging {
-		target_bucket = "target-bucket"
+		target_bucket = aws_s3_bucket.log_bucket.id
+		target_prefix = "log/"
 	}
 }
 
+resource "aws_s3_bucket" "log_bucket" {
+	bucket = "test-log-bucket"
+}
+
+resource "aws_s3_bucket_acl" "log_bucket" {
+  acl    = "log-delivery-write"
+  bucket = aws_s3_bucket.log_bucket.id
+}
+
 ```
 ```hcl
-resource "aws_s3_bucket" "example" {
-  bucket = "yournamehere"
-
-  # ... other configuration ...
+resource "aws_s3_bucket" "this" {
+  bucket = "test-bucket"
 }
 
-resource "aws_s3_bucket_logging" "example" {
-  bucket        = aws_s3_bucket.example.id
+resource "aws_s3_bucket_logging" "this" {
+  bucket        = aws_s3_bucket.this.id
   target_bucket = aws_s3_bucket.log_bucket.id
   target_prefix = "log/"
 }
 
+resource "aws_s3_bucket" "log_bucket" {
+	bucket = "test-log-bucket"
+}
+
+resource "aws_s3_bucket_acl" "log_bucket" {
+  acl    = "log-delivery-write"
+  bucket = aws_s3_bucket.log_bucket.id
+}
+
 ```
 
 #### Remediation Links

@@ -4,7 +4,7 @@ Turn on SNS Topic encryption
 ```yaml---
 Resources:
   GoodTopic:
-    Type: AWS::SQS::Topic
+    Type: AWS::SNS::Topic
     Properties:
       TopicName: blah
       KmsMasterKeyId: some-key

@@ -9,9 +9,14 @@ Set a more restrictive cidr range
 
 ```
 ```hcl
-resource "nifcloud_security_group_rule" "allow_partner_rsync" {
+resource "nifcloud_security_group" "example" {
+  group_name        = "allowtcp"
+  availability_zone = "east-11"
+}
+
+resource "nifcloud_security_group_rule" "example" {
   type                 = "IN"
-  security_group_names = [nifcloud_security_group.….group_name]
+  security_group_names = [nifcloud_security_group.example.group_name]
   from_port            = 22
   to_port              = 22
   protocol             = "TCP"

@@ -26,7 +26,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings
 #     good_examples: checks/cloud/aws/apigateway/enable_access_logging.tf.go
 #     bad_examples: checks/cloud/aws/apigateway/enable_access_logging.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/apigateway/enable_access_logging.cf.go
 #     bad_examples: checks/cloud/aws/apigateway/enable_access_logging.cf.go
 package builtin.aws.apigateway.aws0001

@@ -35,11 +35,11 @@ deny contains res if {
 	isManaged(api)
 	some method in api.resources[_].methods
 	not method_is_option(method)
-	not is_apikey_required(api)
+	not is_apikey_required(method)
 	method.authorizationtype.value == authorization_none
 	res := result.new("Authorization is not enabled for this method.", method.authorizationtype)
 }
 
 method_is_option(method) := method.httpmethod.value == "OPTION"
 
-is_apikey_required(api) := api.apikeyrequired.value
+is_apikey_required(method) := method.apikeyrequired.value
@@ -19,7 +19,7 @@ test_allow_get_method_with_auth if {
 }
 
 test_allow_if_api_required if {
-	test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}})
+	test.assert_empty(check.deny) with input as input_with_method({"httpmethod": {"value": "GET"}, "authorizationtype": {"value": "AWS_IAM"}, "apikeyrequired": {"value": true}})
 }
 
 input_with_method(method) = {"aws": {"apigateway": {"v1": {"apis": [{"resources": [{"methods": [method]}]}]}}}}
@@ -27,7 +27,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration
 #     good_examples: checks/cloud/aws/athena/enable_at_rest_encryption.tf.go
 #     bad_examples: checks/cloud/aws/athena/enable_at_rest_encryption.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/athena/enable_at_rest_encryption.cf.go
 #     bad_examples: checks/cloud/aws/athena/enable_at_rest_encryption.cf.go
 package builtin.aws.athena.aws0006

@@ -26,7 +26,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#configuration
 #     good_examples: checks/cloud/aws/athena/no_encryption_override.tf.go
 #     bad_examples: checks/cloud/aws/athena/no_encryption_override.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/athena/no_encryption_override.cf.go
 #     bad_examples: checks/cloud/aws/athena/no_encryption_override.cf.go
 package builtin.aws.athena.aws0007

@@ -26,7 +26,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#logging_config
 #     good_examples: checks/cloud/aws/cloudfront/enable_logging.tf.go
 #     bad_examples: checks/cloud/aws/cloudfront/enable_logging.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/cloudfront/enable_logging.cf.go
 #     bad_examples: checks/cloud/aws/cloudfront/enable_logging.cf.go
 package builtin.aws.cloudfront.aws0010

@@ -26,7 +26,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#web_acl_id
 #     good_examples: checks/cloud/aws/cloudfront/enable_waf.tf.go
 #     bad_examples: checks/cloud/aws/cloudfront/enable_waf.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/cloudfront/enable_waf.cf.go
 #     bad_examples: checks/cloud/aws/cloudfront/enable_waf.cf.go
 package builtin.aws.cloudfront.aws0011

@@ -27,7 +27,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#viewer_protocol_policy
 #     good_examples: checks/cloud/aws/cloudfront/enforce_https.tf.go
 #     bad_examples: checks/cloud/aws/cloudfront/enforce_https.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/cloudfront/enforce_https.cf.go
 #     bad_examples: checks/cloud/aws/cloudfront/enforce_https.cf.go
 package builtin.aws.cloudfront.aws0012

@@ -30,7 +30,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#minimum_protocol_version
 #     good_examples: checks/cloud/aws/cloudfront/use_secure_tls_policy.tf.go
 #     bad_examples: checks/cloud/aws/cloudfront/use_secure_tls_policy.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/cloudfront/use_secure_tls_policy.cf.go
 #     bad_examples: checks/cloud/aws/cloudfront/use_secure_tls_policy.cf.go
 package builtin.aws.cloudfront.aws0013

@@ -31,7 +31,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail
 #     good_examples: checks/cloud/aws/cloudtrail/enable_all_regions.tf.go
 #     bad_examples: checks/cloud/aws/cloudtrail/enable_all_regions.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/cloudtrail/enable_all_regions.cf.go
 #     bad_examples: checks/cloud/aws/cloudtrail/enable_all_regions.cf.go
 package builtin.aws.cloudtrail.aws0014

@@ -26,7 +26,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_log_file_validation
 #     good_examples: checks/cloud/aws/cloudtrail/enable_log_validation.tf.go
 #     bad_examples: checks/cloud/aws/cloudtrail/enable_log_validation.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/cloudtrail/enable_log_validation.cf.go
 #     bad_examples: checks/cloud/aws/cloudtrail/enable_log_validation.cf.go
 package builtin.aws.cloudtrail.aws0016

@@ -27,7 +27,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id
 #     good_examples: checks/cloud/aws/cloudtrail/encryption_customer_key.tf.go
 #     bad_examples: checks/cloud/aws/cloudtrail/encryption_customer_key.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     links:
 #       - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid
 #     good_examples: checks/cloud/aws/cloudtrail/encryption_customer_key.cf.go

@@ -2,10 +2,19 @@ package cloudtrail
 
 var terraformEncryptionCustomerManagedKeyGoodExamples = []string{
 	`
+resource "aws_kms_key" "trail" {
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "trail" {
+  name          = "alias/trail"
+  target_key_id = aws_kms_key.trail.key_id
+}
+
  resource "aws_cloudtrail" "good_example" {
    is_multi_region_trail = true
    enable_log_file_validation = true
-   kms_key_id = var.kms_id
+   kms_key_id = aws_kms_alias.trail.arn
 
    event_selector {
      read_write_type           = "All"

@@ -39,7 +39,7 @@
 #       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
 #     good_examples: checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.tf.go
 #     bad_examples: checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.tf.go
-#   cloudformation:
+#   cloud_formation:
 #     good_examples: checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.cf.go
 #     bad_examples: checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.cf.go
 package builtin.aws.cloudtrail.aws0162
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,9 @@ Create a non-default vpc for resources to be created in @@
     ```hcl
      # no aws default vpc present
+    resource "aws_vpc" "main" {
+      cidr_block = "10.0.0.0/16"
+    }
     ```
@@ Expand Down @@