aquasecurity · simar7 · Dec 4, 2024 · Dec 2, 2024 · Dec 3, 2024
@@ -20,3 +20,17 @@ jobs:
     - name: Run tests
       run: make test
       shell: bash
+
+  integration:
+    name: Integration Test
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Run integration tests
+      run: make test-integration
+
@@ -6,6 +6,10 @@ REGISTRY_PORT=5111
 test:
 	go test -v ./...
 
+.PHONY: integration-test
+test-integration:
+	go test -v -timeout 5m -tags=integration ./integration/...
+
 .PHONY: rego
 rego: fmt-rego test-rego
 
@@ -33,7 +37,7 @@ outdated-api-updated:
 	sed -i.bak "s|recommendedVersions :=.*|recommendedVersions := $(OUTDATE_API_DATA)|" $(DYNAMIC_REGO_FOLDER)/outdated_api.rego && rm $(DYNAMIC_REGO_FOLDER)/outdated_api.rego.bak
 
 .PHONY: docs
-docs:
+docs: fmt-examples
 	go run ./cmd/avd_generator
 
 .PHONY: docs-test

@@ -2,10 +2,18 @@
 Use Customer managed key
 
 ```hcl
+resource "aws_kms_key" "trail" {
+  enable_key_rotation = true
+}
+resource "aws_kms_alias" "trail" {
+  name          = "alias/trail"
+  target_key_id = aws_kms_key.trail.key_id
+}
+
 resource "aws_cloudtrail" "good_example" {
   is_multi_region_trail      = true
   enable_log_file_validation = true
-  kms_key_id                 = var.kms_id
+  kms_key_id                 = aws_kms_alias.trail.arn
 
   event_selector {
     read_write_type           = "All"

@@ -2,10 +2,18 @@
 Enable CMK encryption of CloudWatch Log Groups
 
 ```hcl
+resource "aws_kms_key" "cloudwatch" {
+  enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "cloudwatch" {
+  name          = "alias/cloudwatch"
+  target_key_id = aws_kms_key.cloudwatch.key_id
+}
 resource "aws_cloudwatch_log_group" "good_example" {
   name = "good_example"
 
-  kms_key_id = aws_kms_key.log_key.arn
+  kms_key_id = aws_kms_alias.cloudwatch.arn
 }
 ```
 

@@ -13,12 +13,19 @@ Resources:
 ```
 ```yaml
 Resources:
+  MyKey:
+    Type: AWS::KMS::Key
+    Properties:
+      KeyPolicy:
+        Version: "2012-10-17"
+        Id: key-default-1
+
   GoodExample:
     DeletionPolicy: Snapshot
     Type: AWS::EC2::Volume
     Properties:
       Encrypted: true
-      KmsKeyId: MyStack:Key
+      KmsKeyId: !Ref MyKey
       Size: 100
 ```
 

@@ -3,6 +3,9 @@ Create a non-default vpc for resources to be created in
 
 ```hcl
 # no aws default vpc present
+resource "aws_vpc" "main" {
+  cidr_block = "10.0.0.0/16"
+}
 ```
 
 #### Remediation Links

@@ -16,7 +16,7 @@ Resources:
   Rule:
     Type: AWS::EC2::NetworkAclEntry
     Properties:
-      NetworkAclId: null
+      NetworkAclId: !Ref NetworkACL
       Protocol: 6
       Ref: NetworkACL
       RuleAction: allow

@@ -19,6 +19,9 @@ Resources:
       NetworkAclId: !Ref NetworkACL
       Protocol: 6
       RuleAction: allow
+      PortRange:
+        From: 22
+        To: 22
 ```
 
 
@@ -10,6 +10,8 @@ Resources:
       SecurityGroupIngress:
         - CidrIp: 127.0.0.1/32
           IpProtocol: "6"
+          FromPort: 22
+          ToPort: 22
 ```
 
 
@@ -8,9 +8,9 @@ resource "aws_security_group_rule" "good_example" {
 }
 ```
 ```hcl
-resource "aws_security_group_rule" "allow_partner_rsync" {
+resource "aws_security_group_rule" "example" {
   type              = "ingress"
-  security_group_id = aws_security_group.….id
+  security_group_id = "sg-123456"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"

@@ -8,7 +8,7 @@ resource "aws_ecs_task_definition" "good_example" {
    {
      "name": "my_service",
      "essential": true,
-     "memory": 256,
+     "memory": "256",
      "environment": [
        { "name": "ENVIRONMENT", "value": "development" }
      ]

@@ -7,10 +7,10 @@ Resources:
     Type: AWS::EKS::Cluster
     Properties:
       EncryptionConfig:
-        Provider:
-          KeyArn: alias/eks-kms
-        Resources:
-          - secrets
+        - Provider:
+            KeyArn: alias/eks-kms
+          Resources:
+            - secrets
       Name: goodExample
       ResourcesVpcConfig:
         SecurityGroupIds:

@@ -2,11 +2,15 @@
 Enable encryption of EKS secrets
 
 ```hcl
+resource "aws_kms_key" "eks" {
+  enable_key_rotation = true
+}
+
 resource "aws_eks_cluster" "good_example" {
   encryption_config {
     resources = ["secrets"]
     provider {
-      key_arn = var.kms_arn
+      key_arn = aws_kms_key.eks.arn
     }
   }
 

@@ -2,8 +2,12 @@
 Use lower privileged accounts instead, so only required privileges are available.
 
 ```hcl
-resource "aws_iam_access_key" "good_example" {
-  user = "lowprivuser"
+resource "aws_iam_user" "test" {
+  name = "lowprivuser"
+}
+
+resource "aws_iam_access_key" "test" {
+  user = aws_iam_user.test.name
 }
 ```
 

@@ -10,17 +10,9 @@ Resources:
         S3Bucket: my-bucket
         S3Key: function.zip
       Handler: index.handler
-      Role: arn:aws:iam::123456789012:role/lambda-role
       Runtime: nodejs12.x
-      Timeout: 5
       TracingConfig:
         Mode: Active
-      VpcConfig:
-        SecurityGroupIds:
-          - sg-085912345678492fb
-        SubnetIds:
-          - subnet-071f712345678e7c8
-          - subnet-07fd123456788a036
 ```
 
 
@@ -6,7 +6,11 @@ AWSTemplateFormatVersion: "2010-09-09"
 
 Description: Good example of redshift sgr
 
-Resources: null
+myCluster:
+  Type: AWS::Redshift::Cluster
+
+  Properties:
+    DBName: mydb
 ```
 
 
@@ -7,27 +7,13 @@ Resources:
     Type: AWS::S3::Bucket
     Properties:
       LoggingConfiguration:
-        DestinationBucketName: logging-bucket
+        DestinationBucketName: !Ref TestLoggingBucket
         LogFilePrefix: accesslogs/
-```
-```yaml
-Resources:
-  GoodExample:
+
+  TestLoggingBucket:
     Type: AWS::S3::Bucket
     Properties:
-      AccessControl: Private
-      BucketName: my-s3-bucket-${BucketSuffix}
-      LoggingConfiguration:
-        DestinationBucketName:
-          - EnvironmentMapping
-          - s3
-          - logging
-        LogFilePrefix: s3-logs/AWSLogs/${AWS::AccountId}/my-s3-bucket-${BucketSuffix}
-      PublicAccessBlockConfiguration:
-        BlockPublicAcls: true
-        BlockPublicPolicy: true
-        IgnorePublicAcls: true
-        RestrictPublicBuckets: true
+      AccessControl: LogDeliveryWrite
 ```
 
 
@@ -2,24 +2,42 @@
 Add a logging block to the resource to enable access logging
 
 ```hcl
-resource "aws_s3_bucket" "good_example" {
+resource "aws_s3_bucket" "this" {
+  bucket = "test-bucket"
   logging {
-    target_bucket = "target-bucket"
+    target_bucket = aws_s3_bucket.log_bucket.id
+    target_prefix = "log/"
   }
 }
+
+resource "aws_s3_bucket" "log_bucket" {
+  bucket = "test-log-bucket"
+}
+
+resource "aws_s3_bucket_acl" "log_bucket" {
+  acl    = "log-delivery-write"
+  bucket = aws_s3_bucket.log_bucket.id
+}
 ```
 ```hcl
-resource "aws_s3_bucket" "example" {
-  bucket = "yournamehere"
-
-  # ... other configuration ...
+resource "aws_s3_bucket" "this" {
+  bucket = "test-bucket"
 }
 
-resource "aws_s3_bucket_logging" "example" {
-  bucket        = aws_s3_bucket.example.id
+resource "aws_s3_bucket_logging" "this" {
+  bucket        = aws_s3_bucket.this.id
   target_bucket = aws_s3_bucket.log_bucket.id
   target_prefix = "log/"
 }
+
+resource "aws_s3_bucket" "log_bucket" {
+  bucket = "test-log-bucket"
+}
+
+resource "aws_s3_bucket_acl" "log_bucket" {
+  acl    = "log-delivery-write"
+  bucket = aws_s3_bucket.log_bucket.id
+}
 ```
 
 #### Remediation Links

@@ -4,7 +4,7 @@ Turn on SNS Topic encryption
 ```yaml
 Resources:
   GoodTopic:
-    Type: AWS::SQS::Topic
+    Type: AWS::SNS::Topic
     Properties:
       KmsMasterKeyId: some-key
       TopicName: blah

@@ -20,6 +20,7 @@ resource "azuread_application" "myapp" {
 
 resource "azuread_application_password" "myapp" {
   application_object_id = azuread_application.myapp.object_id
+  end_date              = "2024-12-18T00:00:00Z"
 }
 
 resource "azurerm_key_vault_secret" "myapp_pass" {

@@ -2,8 +2,13 @@
 Restrict public access to the bucket.
 
 ```hcl
+resource "google_storage_bucket" "test" {
+  name     = "test"
+  location = "US"
+}
+
 resource "google_storage_bucket_iam_binding" "binding" {
-  bucket = google_storage_bucket.default.name
+  bucket = google_storage_bucket.test.name
   role   = "roles/storage.admin"
   members = [
     "user:[email protected]",

@@ -2,15 +2,15 @@
 Set a more restrictive cidr range
 
 ```hcl
-resource "nifcloud_security_group_rule" "good_example" {
-  type    = "IN"
-  cidr_ip = "10.0.0.0/16"
+resource "nifcloud_security_group_rule" "example" {
+  group_name        = "allowtcp"
+  availability_zone = "east-11"
 }
 ```
 ```hcl
-resource "nifcloud_security_group_rule" "allow_partner_rsync" {
+resource "nifcloud_security_group_rule" "example" {
   type                 = "IN"
-  security_group_names = [nifcloud_security_group.….group_name]
+  security_group_names = [nifcloud_security_group.example.group_name]
   from_port            = 22
   to_port              = 22
   protocol             = "TCP"

@@ -37,7 +37,7 @@ deny contains res if {
 	isManaged(api)
 	some method in api.resources[_].methods
 	method_is_not_option(method)
-	apikey_is_not_required(api)
+	apikey_is_not_required(method)
 	method.authorizationtype.value == authorization_none
 	res := result.new("Authorization is not enabled for this method.", method.authorizationtype)
 }